Rising Ransomware Attacks Trigger Key Compliance Issues
November 19, 2020 at 9:32 am
The increasing scope and cost of ransomware attacks means that credit unions should be updating both their BSA and OFAC policies, as well as their cybersecurity infrastructure. It also raises additional considerations as you decide how best to protect your members in the event that your credit union is attacked.
On October 1st, OFAC and FinCEN issued complementary statements explaining how ransomware attacks trigger OFAC obligations. In a nutshell, your OFAC framework should assess the likelihood that a member could use your credit union to facilitate a ransomware payment. The accompanying FinCEN guidance also underscores the reporting requirements that are triggered by a financial institution’s involvement with a ransomware transaction.
If you’re thinking that this increased ransomware scrutiny raises more questions than answers, you won’t get an argument from me. Increasingly sophisticated cyber criminals are using ransomware attacks to extort a wide range of institutions, from universities – which they threaten with exposing personal student information – to hospitals, which are threatened with losing access to vital medical records, to banks and credit unions. Whether or not to pay the ransom is an extremely tough call, with strong arguments on either side. Now, this guidance is suggesting that once your member has made this tough decision, your credit union should investigate whether the blackmailer is on an OFAC list and inform your member that they can’t use you to facilitate payment. How’s that for customer service?
And what happens if your credit union is the victim of a ransomware attack? I’m assuming that many of your credit unions have insurance coverage for precisely this type of problem. If you don’t, you should analyze whether you should. As an excellent article in Law360 (subscription required) by Walter Andrews, Andrea DeField and William Sowers of Hunton Andrews Kurth LLP explains, the OFAC statements raise the same type of issues for an insurance company deciding whether to reimburse you, the victim, as your financial institution faces when considering a member under ransomware attack. This means that you would be wise to discuss this issue with your insurance company so you have an idea of the financial exposure your credit union is facing should this happen to you.
Entry filed under: Regulatory, technology. Tags: BSA, FinCEN, OFAC, ransomware.
What’s Old is New Again – BSA Takes Center Stage | new york's state of mind | February 3, 2021 at 9:26 am
[…] either facilitate a ransomware payment, or be victimized by a ransomware attack. As I explained in this blog from the fall, OFAC is reminding third parties like insurance companies, banks and credit unions […]