These organizations were faced with critical decisions and, after considering their options, decided that paying the attackers to get their data unlocked was the proper course. In a statement by CNA, the commercial lines insurer noted:
CNA is not commenting on the ransom, but the company did consult and share intelligence with the FBI and OFAC regarding the cyber incident and the threat actor’s identity. CNA followed all laws, regulations and published guidance, including OFAC’s 2020 ransomware guidance, in its handling of this matter. Due diligence efforts concluded that the threat actor responsible for the attack is a group called Phoenix. Phoenix is not on any prohibited party list and is not a sanctioned entity.
Coastal Pipeline’s chief executive officer, Joseph Blount, testified before the Senate that he had no choice but to pay ransom, telling the senators, “I know how critical our pipeline is to the country and I put the interests of the country first.”
The Office of Foreign Assets Control
The Office of Foreign Assets Control (OFAC) is part of the U.S. Department of the Treasury. OFAC administers and enforces economic and trade sanctions based on U.S. foreign policy and national security goals. While the spotlight has shone on OFAC in the post-9/11 era, it is not new. Successor to the Office of Foreign Funds Control, which was created in 1940 during World War II, OFAC was formally organized in 1950. Today OFAC “administers a number of different sanctions programs.” U.S. Dep’t of Treasury, Office of Foreign Assets Control—Sanctions Programs and Information. OFAC also maintains a Specially Designated Nationals and Blocked Persons List, which includes state actor hackers. U.S. Dep’t of Treasury, Specially Designated Nationals and Blocked Persons List (SDN) Human Readable Lists.
The OFAC Advisory
In October 2020, OFAC issued its Advisory on Potential Sanctions Risks for Facilitating Ransomware Payments. The advisory notes that OFAC “has designated numerous malicious cyber actors under its cyber-related sanctions program and other sanctions programs, including perpetrators of ransomware attacks and those who facilitate ransomware transactions.” The OFAC advisory warns those considering making ransomware payments that they might be in violation of OFAC rules:
Under the authority of the International Emergency Economic Powers Act (IEEPA) or the Trading with the Enemy Act (TWEA), U.S. persons are generally prohibited from engaging in transactions, directly or indirectly, with individuals or entities (“persons”) on OFAC’s Specially Designated Nationals and Blocked Persons List (SDN List), other blocked persons, and those covered by comprehensive country or region embargoes (e.g., Cuba, the Crimea region of Ukraine, Iran, North Korea, and Syria). Additionally, any transaction that causes a violation under IEEPA, including transactions by a non-U.S. person which causes a U.S. person to violate any IEEPA-based sanctions, is also prohibited. U.S. persons, wherever located, are also generally prohibited from facilitating actions of non-U.S. persons, which could not be directly performed by U.S. persons due to U.S. sanctions regulations. OFAC may impose civil penalties for sanctions violations based on strict liability, meaning that a person subject to U.S. jurisdiction may be held civilly liable even if it did not know or have reason to know it was engaging in a transaction with a person that is prohibited under sanctions laws and regulations administered by OFAC.
OFAC Advisory on Potential Sanctions Risks for Facilitating Ransomware Payments (Oct. 1, 2020) (footnotes omitted and emphasis added).
On September 21, 2021, the U.S. Department of the Treasury issued its Updated Advisory on Potential Sanctions Risks for Facilitating Ransomware Payments. The Federal Bureau of Investigation (FBI) also warns against the payment of ransomware on its Ransomware page, stating that the organization “does not support paying a ransom in response to a ransomware attack.” While that may be the government’s official position, as CNA noted in its statement, it worked with OFAC and the FBI in connection with the attack and noted that its attacker was not on the OFAC-sanctioned lists.
The New York Department of Financial Services Weighs In
OFAC is not the only regulatory agency that is warning companies to be careful before engaging in ransomware payments. Earlier this year, the New York Department of Financial Services (NYDFS) issued a circular, Insurance Circular Letter No. 2 (2021), to all authorized property and casualty insurers with best practices. In the cover letter, Superintendent Linda A. Lacewell wrote:
Ransom payments fuel the vicious cycle of ransomware, as cybercriminals use them to fund ever more frequent and sophisticated ransomware attacks. An October 2020 guidance by the Office of Foreign Assets Control (“OFAC”) stressed the national security risk posed by ransom payments, and stated that intermediaries—including insurers—can be liable for ransom payments made to sanctioned entities. Given the problem of identifying the attacker at the time of a ransomware incident, insurers and their policyholders risk violating OFAC sanctions when paying a ransom. Similarly, the FBI warns against paying a ransom because it fails to guarantee that an organization will regain access to all of its data or that its data won’t be released publicly, and also because paying a ransom emboldens criminals to target other organizations. In 2020, data extortion became a common feature of ransomware attacks, but experts have noted that in many cases even when victims paid, their data was subsequently leaked.
NYDFS, Insurance Circular Letter No. 2 (Feb. 4, 2021) (footnotes omitted and emphasis added).
Because NYDFS is the regulator for financial institutions, insurers, and other financial institutions, those regulated entities should pay attention to what the NYDFS says about ransomware.
The Dilemma the Attacked Face
The adage in cybersecurity for some time has been it is not a question of if, but when, a company will be hacked. Large law firms have been victims of ransomware attacks that crippled their businesses. Many that are attacked face a major dilemma: (i) being crippled in their ability to conduct business, with the average downtime from a ransomware attack being 21 days, while facing potential suits for failure to provide goods or services and, depending on their cyber insurance program, with no business interruption coverage potentially available; or (ii) negotiating carefully with the attackers, after making sure they are not on the OFAC sanctions list, knowing that 96% of those whose data were encrypted received their data back.
Conclusion
As the Biden administration increasingly focuses on cybersecurity and enhanced security, we can expect that the focus on ransomware payments will increase. Lawyers should advise their clients on some steps their clients can take to avoid having to make the difficult choices presented by the ransomware demand dilemma noted above. Those steps for law firms and their clients include some lessons learned from the Coastal Pipeline and other major attacks:
- Make sure you and your clients have a solid backup and data recovery program.
- Review and make sure you and your clients have cyber insurance that responds to such attacks.
- Have an incident response plan that includes third parties that you can immediately involve, including a law firm that can help protect the investigation while things are being reviewed.
- Bring law enforcement in if warranted.
- Communicate in a timely manner.
Data security and cyberattacks will continue to be front and center, including against critical infrastructure participants. Vigilance and preparation are key.