Ransomware attacks have long been a scourge to businesses, including banks and other financial institutions. Businesses successfully targeted by ransomware attacks typically face an untenable choice: (1) restore those information technology systems using backups or (2) pay the demanded ransom and possibly regain access to information technology systems. Neither option is pleasant.
With respect to the first option, restoring critical systems can take weeks (or longer) and cost thousands (or millions) of dollars. Moreover, businesses must continue to serve their customers while critical systems are being restored, often without the use of those systems. In a recent attack on the University of Vermont Medical Center reported by The New York Times, this meant that cancer patients had to be turned away, complex chemotherapy protocols had to be recreated from memory, and staffers were forced to rely on written notes and faxes. In the Vermont case, it took the hospital almost a month to restore its electronic health records system.
But the second option provides no guarantee that victims will regain quick access to their information technology systems or avoid the time-intensive and expensive process of restoring critical systems from backups. Sometimes attackers have no intention of restoring these information systems at all. Even worse, some ransomware attackers never even seek a ransom, as was the case in the Vermont hospital example referenced above. Such attacks are probably more related to terrorism than extortion or profit.
Although these are the most well-known risks stemming from ransomware attacks, there are also risks to non-targeted entities, such as banks, whose clients or customers have been attacked. The criminal, regulatory, and reputational risks presented by these circumstances can be more significant than the risks encountered by the ransomware attacks’ direct targets. These risks were identified and described in an “Advisory on Potential Sanctions Risks for Facilitating Ransomware Payments,” which was released by the U.S. Department of the Treasury’s Office of Foreign Assets Control (“OFAC”) on October 1, 2020.
As OFAC’s advisory noted, “[c]ompanies that facilitate ransomware payments to cyber actors on behalf of victims, including financial institutions, cyber insurance firms, and companies involved in digital forensics and incident response, not only encourage future ransomware payment demands but also risk violating OFAC regulations.” In the context of banks, these risks are most likely to manifest where a depositor contacts its bank for assistance transferring funds to an attacker either directly (e.g., an international wire transfer) or indirectly (e.g., seeking assistance in buying bitcoin or other digital currencies). Importantly, the threshold for civil penalties, including for banks and other intermediaries, is very low: “OFAC may impose civil penalties for sanctions violations based on strict liability, meaning that a person subject to a U.S. jurisdiction may be held civilly liable even if it did not know or have reason to know it was engaging in a transaction with a person that is prohibited under sanctions laws and regulations administered by OFAC.”
Although not every ransomware attack will necessarily present OFAC sanctions risks, most, if not all, attacks will have a nexus to organizations, individuals, or geographic regions that have been targeted by OFAC. As noted in its recent advisory, the organizations and individuals responsible for the most notorious ransomware programs have been designated by OFAC as “malicious cyber actors.” Likewise, many ransomware attacks originate from geographic areas covered by comprehensive country or region embargoes (e.g., Iran, North Korea, the Crimea region of Ukraine). In any event, while not every ransomware attack will have a nexus to OFAC-related sanctions, many will, including those for which a geographic connection is not readily apparent.
To address these risks, OFAC recommends that banks and other financial institutions “implement a risk-based compliance program to mitigate exposure to sanctions-related violations.” The vast majority of banks are already doing much of what OFAC recommends, including “account[ing] for the risk that a ransomware payment may involve an [individual on OFAC’s Specially Designated Nationals and Blocked Persons List], or a comprehensively embargoed jurisdiction.” However, it is less likely that most banks have generalized programs in place to identify customers who are the victims of ransomware and other cyber attacks.
Although such programs might require some time and effort to implement, they could be invaluable in mitigating the risk of OFAC-related civil penalties. Moreover, such programs could help banks further cement their relationships with their customers by providing them valuable assistance when such assistance is most needed.
Sandy Murphy and Floyd Boone
The authors of this article have extensive experience assisting banks and other financial institutions with these issues.
Sandra M. Murphy is a partner with Bowles Rice LLP. She is the leader of the firm’s banking and financial services practice group.
Floyd Boone is a partner with Bowles Rice LLP. His practice focuses on advising financial institutions in the areas of regulatory compliance and litigation. Floyd leads the firm’s financial services litigation group and the firm’s cybersecurity and information privacy group.
Should you require more information, please feel free to contact Ms. Murphy at (304) 347-1131 or Mr. Boone at (304) 347-1733. Bowles Rice LLP is proud to serve as general counsel to the Community Bankers of West Virginia.