Pub. 11 2020 Issue 4

www.wvbankers.org 14 West Virginia Banker Ransomware — Additional Risks for Banks By Mark Mangano, Jackson Kelly PLLC B anks are exposed to ransomware risks that extend be- yond cyberattacks on their systems. Banks participat- ing in ransomware payments by victims may expose the bank to penalties for violations of Financial Crimes Enforce- ment Network (FinCEN) and Office of Foreign Assets Control (OFAC) regulations. On Oct. 1, 2020, the United States Treas- ury, through FinCEN and OFAC, issued advisories related to the risks and obligations of those dealing with ransom demands. 1 The advisories apply to a variety of businesses and victims impacted by a ransomware event. This article focuses on considerations for depository institutions (Banks). FinCEN defines ransomware as a form of malicious software (malware) designed to block access to a computer system or data, often by encrypting data or programs on information technology (IT) systems to extort ransom payments from vic- tims in exchange for decrypting the information and restoring victims’ access to their systems or data. In some cases, in addition to the attack, the perpetrators threaten to publish sensitive files belonging to the victims, which can be indi- viduals or business entities (including financial institutions). The consequences of a ransomware attack can be severe and far-reaching — with losses of sensitive, proprietary, and critical information or loss of business functionality. The challenges of dealing with ransomware payments are not confined to large banks. It is increasingly likely that communi- ty Banks will be called upon to deal with requests to facilitate ransom payment. According to the Federal Bureau of Inves- tigation, reported ransomware cases and losses are rapidly increasing. Also, cyber-actors are launching ransomware attacks against increasingly diverse targets. Payment of ransom often involves transferring money through a chain of entities. Ransoms are generally paid in convertible virtual currency (CVC) such as Bitcoin. The payment may be initiated by the victim or a cyber insurance company, or other representatives of the victim. Money is transferred from a