Regulatory Update: OFAC - A Cyber Attack Can Put You Between a Rock and a Hard Place

On October 1, 2020, the U.S. Department of the Treasury’s Office of Foreign Assets Control (“OFAC”) issued an advisory[1] highlighting the risk that payments related to “ransomware” may violate OFAC sanctions.  Ransomware is a type of cyber attack in which malware encrypts data or locks computer systems so that their owner is denied access until a ransom is paid.  Though companies of all sizes can be victimized, a recent, high-profile attack involved Garmin, a provider of consumer and military GPS and fitness devices.  In July 2020, ransomware named “WastedLocker” shut down the company’s website, customer support, and user applications, severely impairing the usefulness of Garmin devices and reportedly knocking as much as 8% off its stock price.  Garmin later obtained the decryption key from the responsible hackers (reportedly “Evil Corp”, a group already on OFAC’s sanctions list), and it is suspected that Garmin paid them $10 million to do so, potentially through a ransomware negotiation firm.[2] The OFAC advisory may be a direct response to this attack and alleged payment.

As the OFAC advisory makes clear, such ransom payments, whether made directly or indirectly, can violate sanctions and result in civil penalties based on “strict liability”, meaning there is no requirement that the payer know, or have reason to know, that it is making a payment to a sanctioned person.  The advisory specifically calls out potential payment facilitators, including providers of “cyber insurance, digital forensics and incident response, and financial services that may involve processing ransom payments (including depository institutions and money services businesses)”.  Therefore, even when a victim is inclined to pay the ransom and accept the risk of a sanctions violation, it may be unable to get the cooperation of its bank, fund administrator, or the cyber insurance provider it pays to cover this very risk, potentially leaving the victim and its systems in limbo.  The advisory does note that a victim’s self-initiated, timely, and complete report of a ransomware attack to law enforcement, together with full cooperation during and after the attack, will be treated as a significant mitigating factor in any enforcement decision, which is one more reason to involve law enforcement before any payment is contemplated.

As noted in our previous STRAIT Compliance Brief,[3] investment advisers carry a regulatory responsibility to protect against cyber attacks, which have been the subject of a constant stream of risk alerts and guidance from the U.S. Securities and Exchange Commission (“SEC”).[4] The OFAC advisory reinforces the SEC’s message that prevention may be the best medicine.


STRAIT provides a comprehensive range of compliance and regulatory services to the global financial services industry.  Our services span a wide range of ongoing and project-based offerings, including cyber security and other regulatory policy reviews, regulatory exam support, regulatory filings, and the development and execution of entire compliance programs.