In the first piece of this two-part series, Mitch Parker, CISO at Indiana University Health, broke down the key takeaways from the Department of the Treasury's guidance on the sanctions risks associated with ransomware payments. Here, he discusses the risks involved in paying a ransom, and what organizations can do to protect themselves.
The guidance released last month by the Department of the Treasury encourages companies to establish a risk-based compliance program to mitigate exposure to sanctions-related violations. This wording does not make clear that banks and other financial institutions are already required to do so by federal law. In addition, the FinCEN guidance does not account for cybersecurity or the potential for account compromise. It puts the onus on the banks themselves to establish good security procedures, including detecting whether sanctioned entities are conducting financial transactions through, or on behalf of, others.
The Federal Financial Institutions Examination Council (FFIEC), the interagency body that sets the examination standards for financial institutions in the US, considers single-factor authentication to be inadequate. Cryptocurrency exchanges, however, do not normally follow its guidance or recommendations. There is a current lawsuit in US federal court against AT&T alleging that it did not protect a cryptocurrency user against a SIM swapping attack that led to the loss of millions of dollars in assets; SMS text messaging was being used as the second authentication factor.
In addition, the wide variety of methods by which attackers can bypass controls makes compromised accounts difficult for banks to detect. However, banks with stronger programs have compensating controls. For example, North Korea, according to Wired, was able to compromise the central bank of Bangladesh and issue fraudulent transfer requests through its account at the Federal Reserve Bank of New York. Analysts there flagged the requests as suspicious, and most of the transfers were blocked or reversed. Many cryptocurrency exchanges operate outside of this realm of protection.
Because ransomware gangs collaborate with each other, cryptocurrency exchanges lack controls, and the security of the wallets and exchanges that handle cryptocurrency varies widely, there is no way to conclusively assure that a ransomware payment you send is not benefiting a sanctioned entity in some way. The October 1 advisory notes that under the International Emergency Economic Powers Act (IEEPA) and the Trading with the Enemy Act (TWEA), US persons are generally prohibited from engaging in transactions, directly or indirectly, with sanctioned parties. This includes transactions by non-US persons that cause a US person to violate these sanctions. The converse, in which US persons facilitate transactions by non-US persons with sanctioned parties, is also prohibited.
The advisory did not mention the maximum civil penalties per violation of TWEA or IEEPA. According to Baker McKenzie, the 2020 inflation-adjusted maximums are $90,743 per violation for TWEA and, for IEEPA, the greater of $307,922 or twice the amount of the underlying transaction. This means that paying a ransom can lead to a penalty of twice the ransom on top of the payment itself, plus the cost your organization will incur to rebuild the network. This changes the cost/benefit analysis significantly, and omitting these figures from the advisory understated the severity of the penalties. In addition, according to Jones Day, even if you have cyber insurance, your policy may not cover these penalties, because they are punitive.
According to the advisory, if you are the victim of a ransomware attack, you should immediately contact law enforcement, OFAC, and the Department of the Treasury's Office of Cybersecurity and Critical Infrastructure Protection. If your organization still decides to make a payment to keep the business running, cooperation and honesty with the authorities will be mitigating factors in reducing any penalties. This may make the difference for your company's survival. The old practice that some have recommended, of not reporting to law enforcement, may now have catastrophic consequences. This is a major change.
As a defensive measure, your contracting process now needs several components to protect your organization and demonstrate that you are taking appropriate actions. First, your contracts need language indicating that you check counterparties against the OFAC sanctions lists, and that your vendors are required to do the same. They also need language indicating that your organization will promptly report potential OFAC, IEEPA, or TWEA violations to the appropriate authorities. Your third-party vendor risk process also needs to identify whether business is being conducted outside the USA and have appropriate controls to ensure that data stays within US borders. Finally, if your organization decides to accept cryptocurrency as payment, speak with your bank about options it will accept that meet FinCEN requirements. If your bank does not know, speak with one of the numerous law firms that have cryptocurrency practices.
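The contract language above presumes that someone actually runs the check before money moves. As an added example (not code from the article, from OFAC, or from any vendor), the Python below screens a ransomware payee's name and wallet address against rows laid out like OFAC's published sdn.csv. The three entries, their names, programs, entity numbers and addresses are constructed placeholders; the only things borrowed from the real list are its twelve-column layout and the "Digital Currency Address - XBT <address>;" format in which wallet addresses appear in the Remarks column.

```python
"""Screen a ransomware payee (name and wallet address) against an OFAC SDN-style list.

Added example for this article, not code from the article or from OFAC. The rows in
SAMPLE_SDN_CSV are CONSTRUCTED: they follow the 12-column layout of OFAC's published
sdn.csv and its "Digital Currency Address - XBT <address>;" remark format, but the
names, programs, entity numbers and addresses are fictitious placeholders.
"""
import csv
import io
import re
from dataclasses import dataclass, field
from difflib import SequenceMatcher

# Column order of OFAC's sdn.csv; empty cells are written as "-0-" in the real file.
SDN_COLUMNS = ["ent_num", "SDN_Name", "SDN_Type", "Program", "Title", "Call_Sign",
               "Vess_type", "Tonnage", "GRT", "Vess_flag", "Vess_owner", "Remarks"]

# Constructed sample rows (fictitious entries; see module docstring).
SAMPLE_SDN_CSV = """\
1001,"EXAMPLE CYBER ACTOR, ALEXEI",individual,CYBER2,-0-,-0-,-0-,-0-,-0-,-0-,-0-,"DOB 01 Jan 1980; Digital Currency Address - XBT 1ExampleAddrAAAAAAAAAAAAAAAAAAAAAA; Digital Currency Address - ETH 0x0000000000000000000000000000000000000001;"
1002,"EXAMPLE EXCHANGE LLC",-0-,CYBER2,-0-,-0-,-0-,-0-,-0-,-0-,-0-,"Digital Currency Address - XBT 1ExampleAddrBBBBBBBBBBBBBBBBBBBBBB;"
1003,"UNRELATED SHIPPING CO",-0-,SDGT,-0-,-0-,-0-,-0-,-0-,-0-,-0-,-0-
"""

# Wallet addresses appear in Remarks as "Digital Currency Address - <code> <addr>;".
ADDRESS_RE = re.compile(r"Digital Currency Address - ([A-Z0-9]+) ([A-Za-z0-9]+);")


@dataclass
class SdnEntry:
    ent_num: str
    name: str
    program: str
    addresses: dict = field(default_factory=dict)  # canonical address -> currency code


def canonical_address(addr):
    """Base58 (Bitcoin-style) addresses are case-sensitive, so keep them as-is; EVM hex
    addresses are not (EIP-55 only varies checksum casing), so fold those to lowercase."""
    return addr.lower() if addr.lower().startswith("0x") else addr


def load_sdn(csv_text):
    """Parse sdn.csv-style text into SdnEntry objects, pulling wallet addresses out of Remarks."""
    entries = []
    for row in csv.reader(io.StringIO(csv_text)):
        if len(row) != len(SDN_COLUMNS):
            continue  # refuse to guess at the column mapping of a malformed row
        rec = dict(zip(SDN_COLUMNS, row))
        entry = SdnEntry(rec["ent_num"], rec["SDN_Name"], rec["Program"])
        for currency, addr in ADDRESS_RE.findall(rec["Remarks"]):
            entry.addresses[canonical_address(addr)] = currency
        entries.append(entry)
    return entries


def normalize_name(name):
    """Uppercase, strip punctuation and sort tokens so that 'Alexei Example Cyber-Actor'
    and the list's 'EXAMPLE CYBER ACTOR, ALEXEI' normalize to the same string."""
    tokens = re.sub(r"[^A-Z0-9 ]+", " ", name.upper()).split()
    return " ".join(sorted(tokens))


def screen_address(entries, address):
    """Exact match against listed wallet addresses. Returns the SdnEntry or None."""
    key = canonical_address(address.strip())
    return next((e for e in entries if key in e.addresses), None)


def screen_name(entries, name, threshold=0.85):
    """Fuzzy name match; returns [(SdnEntry, score), ...] at or above threshold, best first."""
    target = normalize_name(name)
    hits = []
    for e in entries:
        score = SequenceMatcher(None, target, normalize_name(e.name)).ratio()
        if score >= threshold:
            hits.append((e, round(score, 3)))
    return sorted(hits, key=lambda h: h[1], reverse=True)


def screen_payment(entries, payee_name=None, payee_address=None, threshold=0.85):
    """Combine both checks; a single address hit or name hit is enough to block."""
    address_hit = screen_address(entries, payee_address) if payee_address else None
    name_hits = screen_name(entries, payee_name, threshold) if payee_name else []
    return {"blocked": address_hit is not None or bool(name_hits),
            "address_hit": address_hit, "name_hits": name_hits}


if __name__ == "__main__":
    sdn = load_sdn(SAMPLE_SDN_CSV)
    for name, addr in [("Aleksei Example Cyber-Actor", "1NotListedAnywhereZZZZZZZZZZZZZZZ"),
                       ("Acme Widgets Inc", "1ExampleAddrBBBBBBBBBBBBBBBBBBBBBB"),
                       ("Acme Widgets Inc", "1NotListedAnywhereZZZZZZZZZZZZZZZ")]:
        report = screen_payment(sdn, name, addr)
        print(f"{name!r} / {addr}: {'BLOCK' if report['blocked'] else 'no SDN hit'}")
```

Two caveats belong next to any such check. Exact address matching only catches wallets OFAC has already published, and ransomware actors rotate addresses, which is why exchanges and chain-analytics firms also trace where the funds flow afterwards; this script does not attempt that. The fuzzy name threshold trades false positives for misses, so tune it against your own payee data, re-run the screen every time the list is updated, and keep the match record as evidence of the check your contracts say you perform.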
The Department of the Treasury guidance was nothing new; it was a restatement of previous guidance. The way it was worded did not give businesses effective advice on what to do or what the real penalties can be. It did not give background on why this was restated, especially given recent developments with cryptocurrency exchanges and their lack of security. Finally, it did not communicate the severity of the potential penalties, or the fact that non-cooperation with the authorities can lead to business-ending penalties. Hopefully this article has provided the insights and guidance your organization needs to protect itself.