Rising Ransomware Attacks Trigger Key Compliance Issues

November 19, 2020 at 9:32 am

The increasing scope and cost of ransomware attacks mean that credit unions should be updating both their BSA and OFAC policies, as well as their cybersecurity infrastructure. They also raise additional considerations as you decide how best to protect your members in the event that your credit union is attacked.

On October 1st, OFAC and FinCEN issued complementary statements explaining how ransomware attacks trigger OFAC obligations. In a nutshell, your OFAC framework should assess the likelihood that a member could use your credit union to facilitate a ransomware payment. The accompanying FinCEN guidance also underscores reporting requirements that are triggered by a financial institution’s involvement with a ransomware transaction.

If you’re thinking that this increased ransomware scrutiny raises more questions than answers, you won’t get an argument from me. Increasingly sophisticated cyber criminals are using ransomware attacks to extort a wide range of institutions, from universities – which they threaten with exposing personal student information – to hospitals, which are threatened with losing access to vital medical records, to banks and credit unions. Whether or not to pay the ransom is an extremely tough call, with strong arguments on either side. Now, this guidance is suggesting that once your member has made this tough decision, your credit union should investigate whether or not the blackmailer is on an OFAC list and inform your member that they can’t use you to facilitate payment. How’s that for customer service?

And what happens if your credit union is the victim of a ransomware attack? I’m assuming that many of your credit unions have insurance coverage for precisely this type of problem. If you don’t, you should analyze whether or not you should. As an excellent article in Law360 (subscription required) by Walter Andrews, Andrea DeField and William Sowers of Hunton Andrews Kurth LLP explains, the statements by OFAC raise the same type of issues for insurance companies deciding whether or not to reimburse you as the victim that your financial institution has when considering a member under ransomware attack. This means that you would be wise to discuss this issue with your insurance company so you have an idea of the financial exposure your credit union is facing should this happen to you.

Entry filed under: Regulatory, technology.

Authored By:

Henry Meier, Esq., Senior Vice President, General Counsel, New York Credit Union Association.

The views Henry expresses are Henry’s alone and do not necessarily reflect the views of the Association. In addition, although Henry strives to give his readers useful and accurate information on a broad range of subjects, many of which involve legal disputes, his views are not a substitute for legal advice from retained counsel.
