Compliance Blog

Last week, the House Committee on Homeland Security held a hearing on cybersecurity, which focused specifically on ransomware. One of the witnesses at the hearing referred to ransomware as a “mutli-billion-dollar global racket” and cited a report which stated that ransomware accounts for 27 percent of malware incidents. Another witness stated that both the average ransom paid for ransomware incidents, and the highest-paid ransom, had doubled from 2019 to 2020 – the average ransom in 2020 was more than $300,000 and the highest paid ransom was $10 million.

To review, ransomware is a form of malware that blocks access to files on a computer, usually by encrypting them, thereby preventing the user from accessing the data. Users are prompted to pay a ransom – often in cryptocurrency – to regain access to their files. Ransomware it not exactly a new threat – it has been around for some time. In fact, we’ve blogged about ransomware in the past. However, the trend of increasing incidents of ransomware, and the growing price tag of those incidents, is certainly cause for concern for all organizations in the United States, including credit unions and their members.

Let’s review some of the federal guidance on this topic:

First, NCUA has published this webpage and this FAQ, both discussing the threat of ransomware and providing methods to avoid ransomware, such as following safe internet usage practices, removing infected devices from the system, and maintaining up-to-date firewalls and anti-malware systems. Additionally, section 748.1 of the NCUA regulations may impose filing requirements on credit unions that suffer malware attacks, such as requiring the filing of a Suspicious Activity Report (SAR) or a catastrophic incident report (if the attack causes an “interruption in vital member services” that is projected to last more than two consecutive business days).

Secondly, the Financial Crimes Enforcement Network (FinCEN) has also issued some advisories and an FAQ discussing ransomware. In 2016 FinCEN issued this advisory, which discusses cyber incidents more broadly. The advisory notes that a SAR may be required if the applicable thresholds are met and provides examples of cyber incidents that would require a SAR – noting that the threshold may be met simply by calculating the value of funds put at risk by the attack, rather than requiring actual concrete losses to have occurred. Even if filing is not mandatory, FinCEN encourages credit unions to voluntarily file a SAR, as the information could be helpful to law enforcement efforts to combat cyber-related crimes. FinCEN also instructs that institutions that are subject to a large volume of cyber incidents may aggregate several similar incidents together into a cumulative SAR. The advisory recommends that credit unions share information regarding cyber incidents internally across their different units, to help coordinate strategies for preventing, detecting, and responding to such incidents. Finally, the advisory notes that credit unions may share information relating to cyber events with other financial institutions pursuant to information sharing arrangements under Section 314(b) of the USA PATRIOT Act.

FinCEN also issued this 2016 FAQ on filing SARs for cyber events, which provides a list of information that a credit union should include on a SAR, including the IP addresses involved, suspected malware filenames, email addresses linked to the suspect, affected account information, and any virtual currency accounts involved. According to the FAQ, the SAR narrative should describe the suspicious activity and may be used to report cyber-related identifiers for which there is no pre-designated SAR field. It also notes that Part II of the SAR includes checkboxes for certain cyber-related events, such as “Unauthorized Electronic Intrusion” (item 35q), “account takeover” (item 35a), and more. Credit unions should select all checkboxes that are applicable.

FinCEN issued this advisory in October 2020, which specifically focuses on ransomware. The advisory notes that credit unions that file SARs relating to ransomware should use the key term “CYBER-FIN-2020-A006” in the SAR narrative and in Field 2 (the note to FinCEN). It not only discusses how credit unions should file SARs if they are the victims of ransomware, but also provides red flags that can help a credit union identify if a member is involved in a ransomware transaction, such as statements by the member that a payment is in response to a ransomware incident, transactions involving organizations that are known to facilitate ransomware payments, or customers that inquire about purchasing convertible virtual currency (CVC) when they had previously expressed no interest or knowledge of CVC.

Finally, the Office of Foreign Asset Control (OFAC) published an advisory in October 2020, which discusses the implications that ransomware payments may have for OFAC compliance. The advisory generally discourages paying ransoms, noting that it may encourage more ransomware attacks and may have implications for national security. The OFAC advisory also discusses previous ransomware attacks that were perpetrated by foreign actors and ultimately results in OFAC sanctions or the placement of the perpetrators on the Specially Designated Nationals and Blocked Persons List (SDN list). If a ransomware attack requests the ransom be paid to someone on the SDN list, or someone located in a country covered by a comprehensive country or region embargo (such as Cuba, Iran, North Korea, and more), then the payment of the ransom will violate OFAC sanctions. While a credit union can apply for a license – which will basically grant an exception to the OFAC sanctions – the advisory states that license applications for ransomware payments will be reviewed on a case-by-case basis with a presumption of denial. The advisory instructs victims and those involved with addressing ransomware attacks to contact OFAC immediately if they believe sanctions may be implicated. While paying a ransom could violate sanctions, the advisory explains that a credit union’s OFAC compliance program and a self-initiated and timely report to law enforcement of the ransomware attack will be taken into account when determining an enforcement outcome.