What OFAC’s Ransomware Advisory Means for US Companies
Ransomware payments — and their reimbursement under insurance policies — remain a controversial topic because of their potential for moral hazard and the possibility that such payments will fund criminal, terrorist, and/or state-sponsored cyber actors.
On October 1, 2020, the US Treasury Department’s Office of Foreign Assets Control (OFAC) published an advisory that addresses this issue. The advisory reiterates the prohibition against US businesses and persons conducting business or paying funds to any person on the “Specially Designated Nationals and Blocked Persons” list. US companies can be sanctioned for violation of OFAC’s rule even if they do not personally execute a transaction or know that a payment is being made to a prohibited organisation or person.
The OFAC advisory does not change any applicable laws, regulations, or guidance in relation to ransom payments. But it does serve as a reminder — to US companies, ransom payment facilitators, and cyber insurers — that a regulatory framework on ransomware already exists and applies in these circumstances.
In our client advisory, Marsh lays out what US businesses need to know about the OFAC advisory and the importance of completing an OFAC review before payment of ransom demands.
We also offer recommendations for re-assessing ransom incident response plans, mitigating ransomware risk, and ways that Marsh can help you prepare for, respond to, and recover from ransomware and cyber extortion attacks.