
Client alert: Potential sanctions risks for facilitating ransomware

Financial, Executive and Professional Risks (FINEX) | Cyber Risk Management

By Jason Krauss | October 22, 2020

The U.S. Department of the Treasury’s Office of Foreign Assets Control issues an advisory.

An Advisory on Potential Sanctions Risks for Facilitating Ransomware was issued by the United States Department of the Treasury’s Office of Foreign Assets Control (OFAC) on October 1, 2020. It details why ransomware payments to sanctioned persons or jurisdictions could be used to fund activities adverse to the national security and foreign policy objectives of the U.S. and why, therefore, facilitating ransomware payments to such persons or jurisdictions may violate OFAC regulations and possibly subject an organization to OFAC civil penalties based on strict liability.

It is important to note that cyber policies have also routinely included some form of OFAC advisory notice over the years, specifying that any payment made by an insurer must be made in full compliance with all economic or trade sanctions, including but not limited to those administered by OFAC.

How could this impact you?

Should you be in a situation where your organization has received a ransomware extortion demand and you are considering paying it to regain control of your network and data, there are a number of steps you should take before making any such payment:

  • Notify us so that we can properly and promptly report the event to your cyber insurer(s), and to any other insurers with potentially applicable coverage for responding to such events. Your cyber policy in particular likely requires the consent of the insurer before any payment is made, so involving the insurer prior to payment will improve the likelihood that you recover from them once you submit the claim for reimbursement. Your insurer will also likely recommend engaging forensics expertise to assess the impact on your systems and the source of the attack, and the assistance of a third-party payment facilitator to assess whether such a payment is prohibited by economic sanctions and, barring any restrictions, to facilitate the payment.
  • Engage your own compliance team. Just as the payment facilitator and the insurer will want assurances that any payments made will not put them at risk of violating sanctions, you will similarly want assurances before you authorize any payments directly. Challenges in this regard may include current knowledge of applicable sanctions, the identification and attribution of the specific bad actor(s) in question, and whether they appear on the Specially Designated Nationals (SDN) or similar lists. The dedicated experience of your compliance department or counsel will be instrumental in facing these challenges.

Despite the intense pressure to immediately pay a ransom demand, paying such ransoms without first consulting the experts as outlined above may result in greater loss, including OFAC penalties and a denial of coverage under your applicable policies.

Willis Towers Watson can assist in further assessing and improving your readiness for any ransomware demands.


Willis Towers Watson hopes you found the general information provided in this publication informative and helpful. The information contained herein is not intended to constitute legal or other professional advice and should not be relied upon in lieu of consultation with your own legal advisors. In the event you would like more information regarding your insurance coverage, please do not hesitate to reach out to us. In North America, Willis Towers Watson offers insurance products through licensed subsidiaries of Willis North America Inc., including Willis Towers Watson Northeast Inc. (in the United States) and Willis Canada, Inc.


Jason Krauss, FINEX Cyber/E&O Thought and Product Leader