FBI pushing for changes to rules around Treasury sanction payments, SEC cyber incident reporting
The assistant director of the FBI’s Cyber Division said Wednesday that the agency has pressed the Treasury Department and U.S. Securities and Exchange Commission for changes to the procedures and regulations surrounding ransom payments and incident reporting for the victims of cyberattacks.
Assistant Director Bryan Vorndran, presenting at the International Conference on Cyber Security in New York City, spoke at length about the FBI’s efforts to push for clarifications to the Treasury Department’s rules governing how to engage with sanctioned ransomware groups.
Throughout 2020 and in September 2021, the Treasury Department’s Office of Foreign Assets Control (OFAC) threatened civil penalties against organizations that paid ransoms to sanctioned ransomware groups. Around one in six ransomware payments in 2020 were made to ransomware gangs that had some sort of connection to a U.S.-sanctioned entity.
Vorndran called the Treasury Department rules vague and said companies routinely ask the FBI for help in navigating them.
For years, there has been confusion over which ransomware groups are officially sanctioned, particularly because so many have unknown or undisclosed ties to entities in Russia, Iran and North Korea. For example, the well-known Russian cybercriminal group Evil Corp has ties to multiple ransomware strains – some of which are known, while others are less clear, making it difficult for victims to know which ransom payments would violate OFAC rules.
“The guidance from Treasury on sanction payments is opaque. It is not clear. We have gone to Treasury and asked them to clear that up. They are comfortable with the language as is,” he said.
Vorndran explained that the FBI could be more involved in helping victims determine who exactly they are dealing with.
“One of the things the FBI can do is you can simply say ‘this is who we’re looking at paying, here’s the moniker, the email address, all the selectors and the name we have. FBI, can you run that… to see if this individual, this moniker or this entity is sanctioned?’ Absolutely, we are willing to do that service and we are happy to do that. That should allow you to be in a good position, should you unwittingly and unknowingly pay a sanctioned entity.”
He noted that “early engagement” with law enforcement is one thing OFAC takes into consideration when penalizing companies that deal with sanctioned entities.
Vorndran added that, because of the rules, some victims in recent months have told the FBI that, to avoid culpability, they do not want to know whether an entity is sanctioned before they pay a ransom.
The Treasury Department declined to comment.
Vorndran also told the audience that he is against banning ransomware payments – something at least two U.S. states have done so far – because it “creates a third extortion.”
“We think that’s a horrible idea. They’ll basically say I’m going to hold a company hostage because if they’re lying about paying a ransom they violated criminal law and that’s a third extortion,” he said.
National security exception for SEC incident reporting rules
Vorndran also mentioned that the FBI has asked the SEC to add a “national security” exception to its proposed rule changes that would mandate companies report cybersecurity incidents within four days.
“We’re tracking it very closely, both within the FBI and within the Department of Justice. Those discussions are being had at the most senior levels of both FBI and DOJ with the SEC about the implications on national security,” he said.
“Should there or should there not be a national security delay option in there to prevent public disclosure?”
Vorndran said FBI Director Christopher Wray and Deputy Attorney General Lisa Monaco are in conversations with the SEC about the issue. The SEC also declined to comment.
In his remarks at the conference, Vorndran said he is most concerned about hackers targeting services used by entire industries, as well as the threat of cybercriminal syndicates becoming more connected globally.
He also expressed worry about “blended threats” – something the FBI director mentioned on Tuesday – where cybercriminals and nation states work with or through each other to attack entities.
Synthetic content – deep fakes, artificial audio and video and more – also tops the agency's list of cyber concerns. One scam the FBI is identifying more often involves North Korean government workers using sites like Freelance.com for global IT work.
“You had companies across the world, including the United States, unknowingly hiring North Korean regime members to do on-infrastructure work for their IT solutions,” he said.
The FBI has since notified companies through its field offices about this practice.
Clarification (July 21, 12:35pm): The headline of this story has been updated to specify that the FBI is pushing for clarifications around sanctions payments.