New bill before Congress aims to standardize ransomware reporting requirements

On November 10, Patrick McHenry, the senior Republican on the House Financial Services Committee, introduced the Ransomware and Financial Stability Act. 

The bill aims to establish “rules of the road” for financial institutions hit by ransomware attacks. Those include requirements to report such attacks to the Treasury’s Financial Crimes Enforcement Network, as well as exemptions from regulatory enforcement as long as they made good-faith efforts to provide such reports.

The bill also would require financial institutions making ransomware payouts greater than $100,000 to get special authorization from the Treasury. On the flipside, it requires the Treasury to keep information on those ransomware attacks confidential.

As often comes up in policy conversations on ransomware, many firms would rather pay ransoms quietly as a cost of business than deal with the public relations fallout of having been hit by a ransomware attack.  

In some ways, the provisions in McHenry’s bill resemble financial institutions’ requirements under the Bank Secrecy Act, which mandates reporting of suspicious activity to FinCEN.

The bill also appears to have no co-sponsors and no Senate version. A member of McHenry’s staff had not responded to a request for confirmation.

But despite a wave of congressional interest in ransomware over 2021, all legislative attention has been on the infrastructure bill and the Build Back Better Act. Both of those bills have faced extensive delays, though the former passed Congress at the end of last week. 

FinCEN already keeps data on reported ransomware payments gathered in its suspicious activity reports. Just last month, the agency published its data for 2020 and the first half of 2021, revealing a rise in both ransomware payment activity and reporting by financial institutions.