The Federal Financial Institutions Examination Council (FFIEC) issued a joint statement on November 5th, 2018, titled “Office of Foreign Assets Control Cyber-Related Sanctions Program Risk Management,” which coincides with renewed sanctions against a targeted foreign nation. While the statement does not introduce any new regulatory requirements and is intended as information only, many ISOs may be unfamiliar with OFAC compliance and the implications it may have for IT vendor management.
What is OFAC?
While the history of US Treasury Department sanctions against foreign powers can be traced back to the War of 1812, the Office of Foreign Assets Control (OFAC) of the US Department of the Treasury was formally created in 1950. OFAC’s modern-day mission is to administer and enforce economic and trade sanctions, based on United States foreign policy and national security goals, against targeted foreign countries and regimes, terrorists, international narcotics traffickers, those engaged in activities related to the proliferation of weapons of mass destruction, and other threats to the national security, foreign policy, or economy of the United States. In short, OFAC’s mission is to keep designated individuals and entities from doing business in the United States.
The names of designated individuals and entities are incorporated into OFAC’s Specially Designated Nationals and Blocked Persons List (SDN List). In April of 2015, OFAC expanded its mission to include a cyber-related sanctions program against persons responsible for malicious cyber-enabled activities, and later expanded it further by authorizing sanctions related to interfering with or undermining the election process.
Does OFAC Compliance Apply to My IT Department?
The use of products and services (directly or indirectly through a service provider) from a sanctioned entity may cause a violation of OFAC sanctions. Prohibited transactions may be broadly interpreted to include technical transactions such as downloading software or even patches/updates from a sanctioned entity. This means that if you’re not paying attention to from WHERE and from WHOM you’re getting your software and/or updates, it’s time to start.
How Does OFAC Relate to Cybersecurity?
OFAC has issued sanctions against entities responsible for malicious cyber-enabled activities, including providing material and technological support to malicious cyber actors that have targeted U.S. organizations. Some of the sanctioned entities claim to be U.S.-based and offer services to financial institutions.
For example, OFAC imposed sanctions on two Russian individuals for engaging in malicious cyber-enabled activities. One of the identified persons is responsible for the development and use of Cryptolocker ransomware, which includes the theft of over $100 million from financial institutions and government agencies. Consequently, institutions are on notice regarding ransom demands from parties on the SDN List, since those parties have initiated ransomware attacks in the past.
Who is Responsible for OFAC Compliance?
Compliance departments have conventionally developed OFAC programs that focus on “know your customer.” Considering this latest press release and its timing, compliance officers should be adopting risk mitigation programs that also “know your vendor and your vendor’s vendor.” ISOs will be confronted with the challenge of assisting the compliance officer in identifying, assessing, and mitigating any OFAC risks associated with current or potential service providers and subservice providers.
What are the Risks?
Use of products or services from a sanctioned entity, either directly or indirectly through a service provider, may well increase OFAC compliance risk, which could result in violations of law, civil money penalties, enforcement actions, and reputational damage. The BSA term “bad actors” applies to individuals and companies that use financial services platforms to facilitate additional criminal activity, and such actors pose enhanced risks to the financial institution’s customers and reputation.
What are the Consequences of Noncompliance?
Civil monetary penalties of up to the greater of $250,000 ($289,238 as of January 15, 2017, for violations occurring after November 2, 2015) or twice the amount of the underlying transaction may be imposed administratively against any person who violates, attempts to violate, conspires to violate, or causes a violation of any license, order, regulation or prohibition issued.
Criminal penalties of up to $1,000,000, imprisonment for up to 20 years, or both, may be imposed on any person who willfully commits, willfully attempts to commit, willfully conspires to commit, or aids or abets in the commission of a violation of any license, order, regulation, or prohibition issued.
Questions to Consider:
- Does your current vendor management program include an assessment of OFAC risk?
- Are new vendors with potential OFAC exposure identified during the vendor selection process?
- Does your vendor management program identify subservice providers that may potentially have OFAC exposure?
- Does your due diligence process include requesting a copy of the vendor’s OFAC program?
Written by: Shane Daniel, CPA, CISA, CIA
Senior Information Security Consultant - SBS CyberSecurity, LLC