Last month, we discussed the growth not only in the number and type of ransomware demands, but also in the dollar amount of those payments. In the event your company is one of the unfortunate victims of such an attack, you have yet another concern. On October 1, 2020, the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) issued an advisory (“Advisory on Potential Sanctions Risks for Facilitating Ransomware Payments”) calling out some of the additional risks associated with these payments.

Both the victim of an attack AND the facilitator of ransomware payments, such as the cyber insurance company or your financial institution, need to be aware of potential penalties for payments to subjects on the OFAC sanctions list.  The concern is that U.S. persons are prohibited from engaging in direct or indirect transactions with individuals or companies on OFAC’s “Specially Designated Nationals and Blocked Persons” List (SDN list).  Most insurance policies, whether cyber insurance or other types of protection such as foreign, management liability, or general liability, contain provisions such as the following:

This policy will provide coverage, or otherwise will provide any benefit, only to the extent that providing such coverage or benefit does not expose the Company or any of its affiliated or parent companies to any trade or economic sanction under any law or regulation of the United States of America or any other applicable trade or economic sanction, prohibition, or restriction.

Penalties for violators are steep! Criminal penalties include a fine of up to $1,000,000 and/or up to 20 years in prison for each violation. Civil penalties include a fine of up to $55,000 for each violation. If you are unlucky enough to experience a ransomware attack, it is imperative that you consult your legal counsel prior to any payment, regardless of whether the payment is made directly or whether it is through an intermediary such as your bank or insurer.