In October 2020, The United States Department of Treasury’s Office of Foreign Assets Control (OFAC) released an advisory to all companies facilitating payments for victims of ransomware attacks, including cyber insurance firms, financial institutions, and forensics and incident response firms. The advisory warns that making payments to any sanctioned entity listed on the Treasury Department’s Specially Designated Nationals and Blocked Persons (SDN) List, embargoed countries, or anyone else deemed in violation may result in civil penalties. OFAC includes enforcement guidelines and encourages companies to incorporate this added concern into risk-based compliance programs.