U.S. Rep. Patrick McHenry (R-NC) introduced legislation designed to protect critical financial infrastructure from hackers and ransomware attacks.
His bill, the Ransomware and Financial Stability Act, requires covered entities to notify the Treasury Department before making a ransomware payment. It also prohibits large ransomware payments in excess of $100,000 unless law enforcement provides a Ransomware Payment Authorization, or the President determines a waiver is in the U.S. national interest. Further, it ensures the confidentiality of information when covered institutions notify authorities of a ransomware attack. Overall, it creates a safe harbor when they assess a cybersecurity attack or comply with a Ransomware Payment Authorization.
“Ransomware payments in the U.S. have totaled more than $1 billion since 2020,” McHenry, the top Republican on the House Financial Services Committee, said. “Most notably, this past May, a Russian ransomware attack forced Colonial Pipeline to shut down oil supplies to the eastern United States before the company paid hackers. As disruptive as this hack was, it pales in comparison to what would happen if America’s critical financial infrastructure were to be taken offline. That’s why I’m introducing the Ransomware and Financial Stability Act of 2021. This bill will help deter, deny, and track down hackers who threaten the financial institutions that make day-to-day economic activity possible.”
The bill applies to Financial Market Utilities, large securities exchanges, and certain technology service providers essential for banks’ core processing services.