John Smith spoke to the Cybersecurity Law Report about the Office of Foreign Assets Control’s (OFAC) advisory warning organizations throughout the ransomware payment chain that they will face national security law violations if they pay off attackers tied to sanctioned regions or entities.
According to John, OFAC’s enforcement has zeroed in on a lack of management commitment: “A compliance team must have cover from the top to run the sanctions program, so that in debates between the business side and compliance, management must hear compliance and not simply overrule it.”
A series of bank “wire-stripping” cases since 2009 drove companies to strengthen sanctions compliance programs, John noted. “Compliance decision-makers were given direct lines to CEOs, management, and sometimes the boards, so businesses that went forward with any risky decisions did so with eyes wide open.”