Do You Know Who You’re Paying? (You Better)

It’s Thursday afternoon at an international company and key operational systems are starting to fail. Within a day, it becomes clear that the company has fallen victim to a ransomware attack that cannot be handled by internal resources alone. In addition to compromising the computer system, the threat actor has stolen copies of sensitive data that it is threatening to leak on a dark web marketplace. The company executes its pre-breach plan by calling its designated breach counsel to set the incident response team in motion, which includes retaining a computer forensic firm to mitigate the spread of the malware, beginning the restoration of the computer network, and identifying the root cause of the incident. With a 72-hour deadline to pay the ransom demand looming, the company is faced with a decision: pay the ransom to get the encryption keys and prevent the leaking of its data, or risk losing control over its own data.

Unfortunately, this scenario has become all too familiar to many companies and their insurers. An increase in ransomware attacks worldwide, coupled with an increased focus on sanctions, has left even the most prepared companies questioning whether or not they should pay a ransom and whether doing so will violate sanctions. This issue has also sparked a debate among insurance carriers over whether covering reimbursement of ransom payments is a necessary risk management tool and what the scope of coverage provided should be.

Recent advisories issued by the Office of Foreign Assets Control (OFAC)—the Treasury Department’s principal U.S. sanctions regulator—and other regulatory entities have shed a spotlight on this issue. In essence, the OFAC advisory explains that no matter how extensive a company’s efforts are to determine the identity of the threat actor and where it is located, if a company is caught paying a sanctioned person, or a person in an embargoed jurisdiction, it could face potential liability under U.S. sanctions.

Businesses need to understand that U.S. law enforcement and regulators do not like the idea of payments being made to threat actors because those threat actors are criminals, and such payments are thus accompanied by a heightened risk of violating sanctions.

Far-Reaching Sanctions

Multinational companies and their insurance carriers are left wondering how it is that U.S. sanctions can be violated by ransom payments made outside of the U.S. However, this is a real possibility because U.S. sanctions prohibit citizens, residents, and U.S. incorporated companies (“U.S. persons”) from involvement in transactions with sanctioned parties or sanctioned countries. U.S. sanctions also can apply to non-U.S. persons who engage in certain transactions with sanctioned parties or sanctioned countries. While U.S. sanctions generally do not prohibit non-U.S. persons from engaging in such transactions, they often target non-U.S. persons and entities involved in such transactions. If non-U.S. persons engage in such transactions, U.S. authorities can block their property as well as interests in property and deny them access to the U.S. financial system. This harsh penalty is essentially a death knell for companies that operate worldwide.

The possibility of exposure to sanctions carries over to insurers that underwrite cyber policies that provide coverage for ransomware payments. Insurers need to exercise caution when discovering that a ransom was paid to a threat actor located in an embargoed jurisdiction. If a ransom is paid that violates or is targeted by U.S. sanctions, reimbursement of such payment may give rise to a separate exposure sanction to an insurer or other party that pays such reimbursement.

A potentially problematic scenario in the insurance context is for an insurance company to find out that it is legally obligated to pay a claim under its policy, but is legally prohibited from doing so under U.S. sanctions. U.S. insurers that are prohibited by sanctions have the option to file for an OFAC license to pay the sanctioned party, although the likelihood that such a license would be granted is low. However, if the policy has an effective sanctions clause, the insurer may be relieved of the obligation to pay claims if such payment would expose that insurer to sanctions.

It’s worth noting that simply ignoring red flags never pays off. A recent analysis by Clyde & Co. concerning OFAC penalties found that almost half of the enforcement actions involved organizations that failed to heed warning signs about potential sanctions violations. Over two-thirds of the cases involved large, commercially sophisticated organizations, which suggests that such companies, despite their resources, were cutting corners on compliance. Further, in more than two-thirds of the matters, OFAC determined that there was actual knowledge or involvement of senior management in the conduct, which led to the violation. This highlights the age-old challenge that companies face in incentivizing profit-making activities while maintaining legal compliance.

Mitigating Factors in OFAC Investigations. If your client finds itself the target of an OFAC enforcement action, these three factors could help mitigate penalties.

Meaningful and demonstrable enhancements to sanctions compliance program policy and procedures in response to an event. Unless you demonstrate that you have upgraded your approach to sanctions compliance based on the event, it is hard for OFAC to accept that a company is taking the problem seriously.

Strong demonstrable steps taken by company management to reinforce cultural compliance. You need to demonstrate to OFAC that you are implementing and executing a plan to prevent another violation.

Cooperation with OFAC. Being forthright and cooperative with OFAC during an enforcement action is a crucial aspect of mitigating potential fines. Those who voluntarily disclose their violations may be able to significantly reduce the potential fine.

For repeat offenders, penalties will only go up. In those cases, companies are sometimes required to host and pay for an outside compliance monitor, which can take the form of a government regulator sitting in the repeat offender’s office.

Early preparation and awareness are key. At a minimum, insurers should assess the coverage afforded under their insurance policies, utilize language to define the risks to be insured, and implement policies and procedures to make sure policy proceeds are not used as part of a ransom payment that could violate sanctions. On the other hand, insureds must establish a quality risk-based sanctions compliance program that includes sanctions compliance training. Together, insurance industry participants can manage the risks presented by ransomware attacks while ensuring that neither the insured nor the insurer expose themselves to sanctions violations in the process.