On September 21, 2021, the US Department of the Treasury’s Office of Foreign Assets Control (OFAC) took two important actions to counter the growing threat of ransomware attacks and the malicious cyber actors who support them, often through the use of digital assets. First, it designated SUEX OTC, S.R.O. (SUEX), as a Specially Designated National (SDN), which marks the first time that OFAC has added a virtual currency exchange to the SDN List. Second, it issued an “Updated Advisory on Potential Sanctions Risks for Facilitating Ransomware Payments” (2021 Ransomware Advisory), which provides additional guidance to companies on how to mitigate these sanctions risks proactively.
Up to this point, OFAC has primarily addressed potential sanctions evasion involving digital assets by (1) issuing frequently asked questions on its website relating to virtual currency, (2) pursuing enforcement actions against companies that have processed digital currency transactions on behalf of sanctioned individuals, and (3) publishing digital currency addresses as identifiers on the SDN list. Here, for the first time, however, OFAC has used its authority under its cyber-related sanctions to designate a virtual currency exchange for its involvement in sanctioned activity. OFAC’s cyber-related sanctions target entities that engage in “significant malicious cyber-enabled activities,” and, according to Treasury, SUEX was designated as an SDN for providing “material support to the threat posed by criminal ransomware actors.” Specifically, Treasury’s press release highlighted that SUEX not only “facilitated transactions involving illicit proceeds from at least eight ransomware variants,” but that more than 40% of its transactions involved illicit actors. Treasury noted the difference between exchanges that are otherwise involved in lawful activity, but which cybercriminals exploit for material gain during ransomware attacks, and exchanges such as SUEX, that facilitate illicit activity on their own virtual currency exchange platform.
In conjunction with the SUEX designation, OFAC published an update to its October 2020 ransomware advisory, which we have discussed in a prior client alert. This new 2021 Ransomware Advisory both supersedes and reinforces many of the same points from the October 2020 advisory, including that any ransomware payments made to sanctioned parties may result in strict liability penalties and any license applications involving ransomware payments will be reviewed by OFAC on a case-by-case basis with a presumption of denial. The 2021 Ransomware Advisory, however, provides the following key updates with respect to the sanctions risk associated with ransomware payments:
I. OFAC highlights the proactive steps that companies can take to mitigate risks associated with facilitating ransomware payments. In addition, OFAC identifies several “mitigating factors” that it will consider should a company become the subject of a related enforcement action. Specifically, OFAC encourages financial institutions and other companies to do the following to both prevent and respond to ransomware attacks:
Implement a risk-based compliance program that addresses the sanctions risks associated with potential ransomware attacks.
In the October 2020 advisory, OFAC pointed to its 2019 guidance document, “A Framework for OFAC Compliance Commitments,” to assist companies in developing a program that contains the five essential components of an effective sanctions compliance program: (1) management commitment; (2) risk assessment; (3) internal controls; (4) testing and auditing; and (5) training. In the 2021 Ransomware Advisory, however, OFAC goes further and encourages companies to adopt robust cybersecurity practices that are highlighted in the Cybersecurity and Infrastructure Security Agency’s (CISA) September 2020 Ransomware Guide. Of particular note, OFAC states that it will view the adoption or improvement of a company’s cybersecurity practices along these lines as a “significant mitigating factor” in any potential OFAC enforcement action, should one occur in connection with a ransomware attack/payment.
Cooperate with law enforcement both during and after a ransomware attack.
OFAC states that it will consider a company to have voluntarily disclosed a potential sanctions violation if, as a result of a ransomware attack, it submits a self-initiated and complete report to law enforcement or other relevant US government agency, such as CISA or the US Department of the Treasury’s Office of Cybersecurity and Critical Infrastructure Protection, as soon as possible after it discovers an attack. In addition, OFAC indicated that companies that provide timely and ongoing cooperation to law enforcement in connection with a ransomware attack, as well as other mitigating steps, are more likely to see potential sanctions violations resolved through a nonpublic response such as a No Action Letter or a Cautionary Letter.
II. The 2021 Ransomware Advisory “strongly discourages” companies from paying ransom or extortion demands. Rather, OFAC encourages companies to strengthen their “defensive and resilience measures” to guard against potential ransomware attacks. This includes adopting the cybersecurity practices that are highlighted in CISA’s September 2020 Ransomware Guide. OFAC provides examples of these types of measures, which include maintaining offline backups of data, developing incident response plans, updating antivirus software, and instituting targeted training.
The first sentence of Treasury’s press release describes the 2021 Ransomware Advisory and SUEX designation as a “whole-of-government” effort to counter ransomware, which was reflected clearly throughout the US government’s documents. From the acknowledgment of the FBI’s assistance with the SUEX designation, to OFAC’s statement that it considers a company’s reporting of ransomware attacks to law enforcement or other US government agencies to be a voluntary self-disclosure under the OFAC Enforcement Guidelines, the coordinated approach is out in the open. This level of cooperation reflects the seriousness with which the US government views the threat of ransomware to both private and governmental entities.
SUEX has been described as a “nested exchange,” which carries additional risk for parties that interact with these types of digital asset platforms. Similar to the concept of “nested accounts” in traditional banking, nested exchanges maintain accounts on major virtual currency exchanges, which provide them with greater access to liquidity while still allowing them to facilitate business for their customers (many of whom could be cybercriminals). Nested exchanges present significant compliance risk for the major virtual currency exchanges, which should pay close attention to these and other types of customers that can operate as middlemen for illicit transaction activity.
Finally, by adding a virtual currency exchange to the SDN List, OFAC has introduced a new front in its battle against ransomware and cybercriminals. Instead of playing whack-a-mole by publishing digital currency addresses as identifiers, most of which are obsolete the moment they hit the SDN List, OFAC has now targeted a company that provides direct financial assistance to perpetrators of ransomware attacks. Companies, banks, and individuals involved in the digital currency marketplace need to ensure that they are not involved in transactions with SUEX, either directly or indirectly. Engaging in transactions with SUEX or other sanctioned parties could expose otherwise lawful actors in the digital currency space to sanctions or enforcement actions by the US government.
Unmanaged cyber-risks can compromise an organization’s mission and erode its enterprise’s value. Guidehouse’s Cybersecurity Solutions enable us to aid organizations in establishing high-performing cybersecurity operations to protect critical data and services. Guidehouse has a robust cybersecurity practice that supports the key elements for data protection. Guidehouse also has cybersecurity advisors who can guide clients through complex technology, business, and enterprise risk management scenarios. We also offer cybersecurity solutions to help our clients establish and optimize their information security operations to be better prepared to address current—and future—technology risks. Such solutions include:
Guidehouse can quickly review and assess a cybersecurity program to determine whether it is sound, identify gaps or weaknesses, and conduct training. Guidehouse is also well-equipped to make an individualized assessment of an organization’s unique circumstances and offer innovative advice and solutions for responding to heightened risks.
In addition, Guidehouse can quickly review and assess your OFAC compliance program to determine whether it is sound, to identify gaps or weaknesses, or to conduct training on cryptocurrency-related anti-money laundering and sanctions compliance, including blockchain tracing and analytics.
Guidehouse is well-equipped to make an individualized assessment of your unique circumstances and offer innovative advice and solutions for responding to heightened regulatory requirements.
Risk, Regulatory, & Compliance