A proposed House bill would require financial institutions to notify the Treasury Department before making a ransomware payment, as well as prohibit payments of more than $100,000 without prior approval of law enforcement. The Ransomware and Financial Stability Act seeks to establish “commonsense guiderails” for financial institutions when responding to ransomware attacks, according to House Financial Services Committee Chairman Patrick McHenry (R-N.C.) and Rep. Brittany Pettersen (D-Colo.), the bill’s sponsors.
The bill focuses on financial market utilities, large securities exchanges and certain technology service providers essential for banks’ core processing services, according to a summary of the legislation. Financial institutions making a ransomware payment of more than $100,000 must first acquire a ransomware payment authorization from law enforcement, although the president could waive the requirement if the payment is determined to be in the national interest. The bill also would exempt from public disclosure most information or documents reported to law enforcement from financial institutions regarding a ransomware incident, although there are exceptions, such as requests for information by certain members of Congress.