In a recent joint blog post, representatives from the National Cyber Security Centre (NCSC) and the Information Commissioner’s Office (ICO) reflected on why it’s so concerning when cyber attacks go unreported; and looked at some of the misconceptions about how organisations respond to them. They say they’re increasingly concerned about what happens behind the scenes of the attacks they don’t hear about, particularly the ransomware ones. In this article, Regulatory & Compliance Partner and Head of International Trade Andrew Northage looks at ransomware and sanctions – one aspect of sanctions compliance that doesn’t necessarily grab the headlines, but which is essential for all businesses to be aware of.
Guidance on ransomware and sanctions
Earlier this year, HM Treasury’s Office of Financial Sanctions Implementation (OFSI) published guidance on ransomware and sanctions, specifically financial sanctions. Financial sanctions prohibit making funds or economic resources available to an individual or entity subject to an asset freeze. That includes through a ransomware payment. Breaching financial sanctions is a serious criminal offence. It can carry a custodial sentence and/or the imposition of a monetary penalty of up to £1 million or 50% of the value of the breach.
OFSI and the National Crime Agency (NCA) say that, if the mitigating steps outlined in the guidance are followed, they will be more likely to resolve a breach case involving a ransomware payment through means other than a monetary penalty or criminal investigation. The guidance applies not only to victims/potential victims of ransomware attacks. It also applies to those who engage with victims to facilitate or process ransomware payments, for example financial institutions or cryptoasset businesses.
Ransomware and sanctions: Mitigating steps
So, what should you do? The guidance sets out the following key steps:
- Due diligence. Routinely consider whether sanctions might affect your transactions. Think about the nature of your particular business and put in place appropriate due diligence measures to manage any identified or anticipated risks of breaching financial sanctions. See our earlier briefing for details of the controls procedures you should consider. Remember that asset freezes apply to entities that are directly or indirectly owned or controlled by a sanctioned individual or organisation (a ‘designated person’). Those entities may not appear on the official sanctions lists in their own right. Also consider the need to comply with sanctions regimes in other jurisdictions.
- Reporting a ransomware incident. If you’ve been subject to a ransomware attack, use the government’s Where to Report a Cyber Incident portal as soon as possible. The portal will direct you to the relevant organisation to which to report the incident. Make sure you report the incident to particular authorities if prompted to by the portal. Remember that you may be required to report to the ICO if a breach of the UK GDPR or Data Protection Act 2018 has occurred .
- Cooperation with OFSI and law enforcement. If you suspect a ransomware payment has been made to a designated person or entity subject to an asset freeze, report it to OFSI as soon as practicable. Reporting to the relevant organisations through the portal, and a prompt and complete voluntary disclosure of a breach to OFSI, will generally be mitigating factors on assessment. OFSI will consider if there was engagement with law enforcement both during and after an attack, and whether all relevant information (including technical details, information on the ransom payment and accompanying instructions) was provided. OFSI says it’s very unlikely that the NCA will start an investigation into a victim or third-party facilitator who has proactively engaged with the relevant bodies.
OFSI assesses each case on its own merits, taking into account both mitigating and aggravating factors. Aggravating factors include regulated professionals not complying with regulatory standards; and repeated, persistent or extended breaches.
Cyber resilience is key
Taking proactive cyber resilience measures is key. The NCSC’s CEO said in the NCSC’s latest Annual Review that ransomware “remains the most acute threat that businesses and organisations in the UK face“. OFSI’s guidance explains that implementing the NCSC’s advice and guidance drastically reduces the risk of a successful ransomware attack. It lists links to the various tools and resources available, including the recently updated Cyber Security Toolkit for Boards.
OFSI’s guidance sets out some basic practical steps to follow if you do fall victim to a ransomware attack. That includes disconnecting the infected device from all network connections; and attempting to restore from back-ups, resulting in no need to consider a payment. We recommend seeking specialist advice to help navigate the particular circumstances in each case.