MSBs and Ransomware: Staying Ahead of the Compliance Curve

Posted by Mark Greisiger

A Q&A with Winston Krone of Kivu

Ransomware is on the rise, and so, too, is the chance of having to pay a ransom to recover critical data, yet this practice remains a gray area for regulatory compliance. One way that businesses can mitigate the potential of regulatory risk is to respond to cyber extortion attacks by using vendors who have registered as a money services business (MSB), which not only demonstrates compliance with the US Treasury Department’s Financial Crimes Enforcement Network (FinCEN) but also helps law enforcement find and prosecute criminals. Last year, Kivu registered as an MSB—and was reportedly the first full-service ransomware response vendor to do so. We spoke to Global Managing Director Winston Krone about how this decision benefits Kivu and how it could help other businesses to follow suit.

What is an MSB? Why is it helpful for those IR firms paying ransomware sums to consider being registered as an MSB?

Money services businesses (MSBs) are regulated by the US Treasury and its Financial Crimes Enforcement Network (FinCEN). Registering as an MSB shows your dedication to regulatory compliance, but it also helps in the fight against cybercrime. When we registered as an MSB, we demonstrated our commitment to working with law enforcement to bring bad guys to justice. As consultants, we offer full-service analysis and remediation and stress that paying a ransom is a last resort. Right now, this ecosystem is a gray area—many in the industry are paying ransomware, but they need to come out of the shadows. Specifically, it is now clearly established that the payment of cryptocurrency ransoms can be defined as a money transaction and is thus covered by US banking laws and compliance requirements.

In 2018 and 2019, we saw an exponential increase in ransomware attacks, both in terms of number of attacks and size of ransoms, with the insurance industry scrambling to keep up. While ransom payments were relatively small (e.g. less than $50,000) and irregular events, the compliance issue was seen as relatively minimal, provided proper OFAC due diligence confirmed that there was no reasonable evidence that payments were going to OFAC-sanctioned entities or listed terrorist groups. However, as ransom payments increased to beyond $1 million and there was increased scrutiny into ransom payments, especially by state legislators, we determined that it was crucial that Kivu took both the legal and moral high ground. Registering as an MSB requires a business to shoulder some fairly onerous compliance obligations, including AML (“Anti-Money Laundering”) and KYC (“know your client”) procedures, conducting due diligence and rigorously vetting vendors, carefully investigating cyber extortionists, and sharing suspicious activity with the government. We saw that this was a chance to connect our obligation to fight crime and our desire to help clients caught in a ransomware situation and their insurers.

How was Kivu reviewed during the process of becoming an MSB?

We retained a leading international law firm with expertise in cryptocurrency to review our systems, processes and due diligence procedures. We were fortunate that we’d already developed a robust due diligence process that, I firmly believe, is the gold standard for the cyber insurance industry. We also had key anti-money laundering provisions already in place. Where it forced us to go deeper was in knowing our clients and in developing procedures that minimized the risk to our clients. We now have a position solely dedicated to cryptocurrency transactional compliance as stipulated by the Bank Secrecy Act, with responsibility for filing suspicious activity reports (SARs) within 30 days of every ransomware transaction. In a SAR, the victim of the ransomware attack remains anonymous, but the information helps to identify and prosecute the bad actors.

How can this service role benefit a policyholder who has suffered a ransomware attack?

To our knowledge, there is only one other ransomware-paying vendor registered as an MSB. It’s a fairly onerous procedure and requires a significant expenditure. Our view of this is that it’s about remaining compliant, and if you’re using cryptocurrency as part of your business model—whether or not you originally intended to offer financial services—you should be regulated as an MSB. The size of ransoms has grown exponentially from tens of thousands to millions of dollars, so given the money involved, there is going to be regulatory and governmental scrutiny. In fact, we’ve already seen that in New York, where pending bills restrict the ability of municipalities to pay ransoms using taxpayers’ money. It’s therefore an issue with constantly changing legal risks, and we are closely monitoring the situation and will continue to amend our practices to minimize regulatory risk to our clients and ourselves. However, I strongly believe that this is an area where the interests of the response vendor, the insured and the insurer are aligned, and we all benefit from focusing on regulatory compliance. Just as credible businesses and insurers wouldn’t use a disbarred attorney or turn a blind eye to corporate funds passing through unregulated offshore banks, the same applies to the processes used to make and reimburse ransomware payments. During a stressful and messy cyber incident, being able to show proper levels of regulatory compliance is a strong selling point for any cyber insurer.

Becoming an MSB gave us more credibility for the occasions when there is no alternative but to pay a cryptocurrency ransom. That credibility is key across the cryptocurrency ecosystem; for instance, it also allows us to develop stronger relationships with cryptocurrency exchanges, which are themselves regulated and thus need to ensure their compliance. In practice, this now means we can pay larger ransoms (up to $10m) more quickly. And with our additional due diligence processes, it’s also less likely that an insurer will refuse reimbursement due to regulatory problems. For us, it was worth being ahead of the curve on this, and I expect we will see more organizations doing it.

In summary…

We want to thank Mr. Krone for his reflections on the ever-important risk of ransomware. This threat shows no signs of abating and as he mentioned, the extortion demands from threat actors are increasing. It’s now commonplace to see a ransom of several hundred thousand dollars up to $1 million and beyond. As customers are forced to make these bitcoin payments, it’s reasonable to expect that government enforcers are going to increasingly scrutinize the transactions. They will want to see that response vendors are compliant with existing anti-terrorist laws and other regulations, and in that context, having an MSB-registered status can only be seen as a positive feature.