Government Fines If You Pay Ransomware Ransom

Updated 09/01/2021

Cybersecurity | Backup and Disaster Recovery

What would you do if your computers, servers, files, and data were encrypted and your last viable backups were also encrypted (it happens) or otherwise unusable? You may be tempted to pay the bad guys to get your business back up and running.

While this is tempting, it may be even more costly to do so. On October 1st, 2020, the US Treasury Department's Office of Foreign Assets Control (OFAC) released an advisory stating, "companies that facilitate ransomware payments to cyber actors on behalf of victims, including financial institutions, cyber insurance firms, and companies involved in digital forensics and incident response, not only encourage future ransomware payment demands but also may risk violating OFAC regulations." Those that ignore the sanctions without special permission from Treasury can face fines up to $20 million.

As stated above, the advisory applies not only to the victim of a ransomware attack but also to those negotiating or making payments on the victim's behalf. Some cyber insurance firms refuse to take on clients who have been hit by certain ransomware strains because of these strict regulations. However, organizations that work quickly to notify law enforcement and complete a timely report of the incident may be given a degree of leniency when OFAC assesses whether a fine is to be issued.

Companies at risk of becoming a target of ransomware can rest a little easier if they actively protect their data. OFAC will consider each situation on a case-by-case basis, taking into account the organization's current security posture. "Reasonable" security standards, an effective Incident Response Plan, and an up-to-date Cybersecurity Risk Assessment will go a long way toward alleviating extra hardship from regulatory bodies.

"Reasonable" security standards are guidelines that are generally accepted as an industry standard and that show an organization has exercised its duty of care to others. Ultimately, this means every organization's criteria will be different, hence the need for a risk assessment to identify where the company's data resides and where it is most vulnerable.

Following an Incident Response Plan will show regulatory bodies, such as OFAC, that the business is doing all it can to be transparent about the incident and to handle it in the best way possible. Cooperation with law enforcement will come into play when deciding if the organization is at any fault.