Pub. 8 2019-2020 Issue 6

12 THE COMMUNITY BANKER QUART E R 4 2 0 2 0 Ransomware Attacks And OFAC-Related Risks To Financial Institutions BY SANDY MURPHY AND FLOYD BOONE R ansomware attacks have long been a scourge to businesses, including banks and other financial institutions. Businesses successfully targeted by ransomware attacks typically face an untenable choice: (1) restore those information technology systems us- ing backups or (2) pay the demanded ransom and possibly regain access to information technology systems. Neither option is pleasant. With respect to the first option, restoring critical systems can take weeks (or longer) and cost thousands (or millions) of dollars. Moreover, businesses must continue to serve their customers while critical systems are being restored, often without the use of these sys- tems. In a recent attack on the University of Vermont Medical Center reported by The New York Times , this meant that cancer patients had to be turned away, complex chemotherapy protocols had to be recreat- ed from memory, and staffers were forced to rely on written notes and faxes. The Vermont case took the hospital almost a month to restore its electronic health records system. But the second option provides no guarantee that victims will regain quick access to their information technology systems or avoid the time-intensive and expensive process of restoring critical systems from backups. Sometimes attackers have no intention of restoring these information systems at all. Even worse, some ransomware attackers never even seek a ransom, as was the case in the Vermont hospital example referenced above. Such attacks are probably more related to terrorism than extortion or profit. Although these are the most well-known risks stemming from ransomware attacks, there are also risks arising from attacks on the clients or customers of non-targeted entities. The criminal, regulatory, and reputational risks presented by these circumstances can be more significant than the risks encountered by these ransomware attacks’ di - rect targets. These risks were identified and described in an “Advisory on Potential Sanctions Risks for Facilitating Ransomware Payments,” which was released by the U.S. Department of Treasury’s Office of Foreign Assets Control (“OFAC”) on October 1, 2020. As OFAC’s advisory noted, “[c]ompanies that facilitate ransomware payments to cyber actors on behalf of victims, including financial institu - tions, cyber insurance firms, and companies involved in digital forensics and incident response, not only encourage future ransomware payment demands but also risk violating OFAC regulations.” In the context of banks, these risks are most likely to manifest where a depositor contacts its bank for assistance transferring funds to an attacker either directly