CM December 2023

More documents

Recommendations

Info

INFORMATION SECURITY AUTHOR – Andrew Northage Financial sanctions prohibit making funds or economic resources available to an individual or entity subject to an asset freeze; that includes making a ransomware payment. Breaching financial sanctions is a serious criminal offence. It can carry a custodial sentence and the imposition of a monetary penalty of up to £1m or 50 percent of the value of the breach. Other enforcement options open to HM Treasury’s Office of Financial Sanctions Implementation (OFSI) include issuing a warning, referring regulated entities to their professional body or regulator and publishing information pertaining to the breach. Earlier this year (2023), OFSI published Ransomware and Sanctions: Guidance on Ransomwre and Financial Sanctions. The guidance applies not only to victims and potential victims of ransomware attacks. It also applies to those who engage with victims to facilitate or process ransomware payments, for example financial institutions or cryptoasset businesses. OFSI and the National Crime Agency (NCA) say that, if the mitigating steps outlined in the guidance are followed, they will be more likely to resolve a breach case involving a ransomware payment through means other than a monetary penalty or criminal investigation. Advice and consequences Commercial, operational, financial and reputational consequences of responding inadequately to a ransomware attack, or of breaching the regulations or another sanctions regime, can be devastating. So, what should organisations do? There are a number of steps. Become cyber resilient Taking proactive cyber resilience measures is key. This means adopting and fostering a security culture which includes cyber security governance; the identification and protection of key assets; putting in place fit-for-purpose IT capabilities and business continuity plans; and having a comprehensive understanding of data storage and security. The NCSC’s CEO said in NCSC Annual Review 2022 that ransomware remains the most acute threat that businesses and organisations in the UK face. Implementing the NCSC’s advice and guidance drastically reduces the risk of a successful ransomware attack. OFSI guidance lists links to various tools and resources available, including the recently updated Cyber Security Toolkit for Boards. OFSI guidance sets out some basic practical steps for organisations to follow if they do fall victim to a ransomware attack. This includes disconnecting Organisations need to implement clear cyber security and internal sanctions policies with supporting guidance and compliance manuals tailored to the business and the level of risk it faces. any infected device from all network connections and attempting to restore from back-ups, which may result in there being no need to consider a payment. Run sanctions due diligence Organisations should routinely consider whether sanctions might affect their transactions, contracts, products or policies. They should also put in place appropriate due diligence measures to manage any identified or anticipated risks of breaching financial sanctions. The probability and potential impact of sanctions risk will be specific to individual businesses, even within the financial services sector. But as an initial step, organisations should think about how the business is organised, where it is located, where it trades and the nationality of employees, shareholders and directors. Obvious questions to consider are: Where are goods or services coming from or going to, who are they from or who is receiving them? Who is transporting them, how and via what routes? Where have products Brave | Curious | Resilient / www.cicm.com / December 2023 / PAGE 22
INFORMATION SECURITY been sourced? What currency is being dealt in? Are there parts of the business that are more exposed than others? Know your suppliers and customers Organisations should know who they are doing business with, directly and indirectly. Screening parties against restricted lists is central to a sanctions compliance programme and risk mitigation. Similarly, organisations should screen information in their possession and that which is publicly available while applying greater due diligence when dealing with high-risk parties and jurisdictions. Organisations should also register to receive online alerts. Designated persons It should be remembered that asset freezes apply to entities that are directly or indirectly owned or controlled by a sanctioned individual or organisation – known as a ‘designated person’. Those entities may not appear on the official sanctions lists in their own right. This makes it important to identify and screen all parties to transactions, not just the direct counterparty. Organisations shouldn’t assume that one-time screening is enough. Internal risk management Organisations need to implement clear cyber security and internal sanctions policies with supporting guidance and compliance manuals tailored to the business and the level of risk it faces. This also means ensuring that staff understand the standards expected of them and that these are reflected in the conduct of senior management. Staff should be providing with regular training while policies need to be integrated with the organisation’s wider financial crime compliance programme. Allied to this is ongoing monitoring with appropriate systems in place for monitoring cyber security risk and financial sanctions, as well as good recordkeeping. Having in place appropriate record-keeping procedures that document the organisation’s cyber resilience and sanctions reviewing, reporting, decisionmaking, due diligence and mitigation measures, will go some way to reducing risk. Cooperation with law enforcement Where an organisation suspects a ransomware payment has been made to a designated person or entity subject to an asset freeze, it must report the matter to OFSI as soon as practicable. Reporting to the relevant organisations through the portal, and a prompt and complete voluntary disclosure of a breach to OFSI, will be mitigating factors on assessment. OFSI assesses each case on its own merits, taking into account both mitigating and aggravating factors. Aggravating factors include regulated professionals not complying with regulatory standards; and repeated, persistent or extended breaches. OFSI will also consider if there was engagement with law enforcement both during and after an attack, and whether all relevant information (including technical details, information on the ransom payment and accompanying instructions) was provided. OFSI says it’s very unlikely that the NCA will start an investigation into a victim or third-party facilitator that has proactively engaged with the relevant bodies. Report ransomware incidents Lastly, organisations that have been subject to a ransomware attack must use the Government’s Where to Report a Cyber Incident portal on gov.uk as soon as possible. This portal directs users to the relevant authority to which to report the incident. It should be remembered that the organisation may also be required to report to the ICO if a breach of the UK GDPR or Data Protection Act 2018 has occurred. Summary It’s very clear that the threat of ransomware from malevolent actors is not going to reduce anytime soon. It’s just as apparent that while paying a ransom isn’t illegal, the authorities have made it clear that doing so could lead a payee into the realms of illegality. Proper advanced planning combined with good advice is essential if organisations want to both reduce this risk of a successful attack and regulatory action being taken against them. Andrew Northage is a regulatory and compliance partner at Walker Morris. Brave | Curious | Resilient / www.cicm.com / December 2023 / PAGE 23
Page 1 and 2: CREDIT MANAGEMENT CM DECEMBER 2023
Page 3 and 4: SEAN FEAST FCICM MANAGING EDITOR Ed
Page 5 and 6: 28 THE SCORES ARE IN CICM GOVERNANC
Page 7 and 8: NEWS ROUNDUP Seven million adults f
Page 9 and 10: NEWS ROUNDUP “It’s encouraging
Page 11 and 12: Screen your clients against 1,100 w
Page 13 and 14: Whatever the next 12 months has in
Page 15: “We are proud to be the first BNP
Page 18 and 19: Thursday 1st February 2024 Royal La
Page 20 and 21: INFORMATION SECURITY Held to ransom
Page 24 and 25: ECO WARRIOR Invoice Finance can sup
Page 26 and 27: CONSUMER CREDIT SCHOOL’S OUT Coll
Page 28 and 29: CONSUMER CREDIT The scores are in A
Page 30 and 31: CONSUMER CREDIT AUTHOR - Emma Steel
Page 32 and 33: Towering above the competition At W
Page 34 and 35: COUNTRY FOCUS South Korea is a dest
Page 36 and 37: COUNTRY FOCUS AUTHOR - Adam Bernste
Page 38 and 39: International Trade Monthly round-u
Page 40 and 41: INSOLVENCY Downward Spiral Are the
Page 42 and 43: CICM TRAINING Training courses that
Page 44 and 45: Introducing our CORPORATE PARTNERS
Page 46 and 47: Introducing our CORPORATE PARTNERS
Page 48 and 49: STATISTICS Data supplied by the Cre
Page 50 and 51: LOOKING FOR YOUR NEXT CAREER MOVE?
Page 52 and 53: HR MATTERS Love action Blowing the
Page 54 and 55: NEW AND UPGRADED MEMBERS Do you kno
Page 56 and 57: Cr£ditWho? CICM Directory of Servi
Page 58 and 59: Cr£ditWho? CICM Directory of Servi
Page 60: Brave | Curious | Resilient / www.c

CM December 2023

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?