WASHINGTON—A new House bill would place enhanced restrictions on some financial institutions when it comes to paying ransomware groups.
The legislation, introduced by Rep. Patrick McHenry (R-NC) as an amendment to Congress's consolidated funding bill, would require certain financial institutions to notify the federal government — specifically the director of the Financial Crimes Enforcement Network — and provide details about a ransomware attack before making a payment. It would also require special authorization to pay ransoms of more than $100,000, SC Media reported.
The legislation would cover large security exchanges, financial market utilities designated as systemically important under the Dodd-Frank Act of 2010, and technology service providers considered “significant” by the Financial Institutions Examination Council. The secretary of the Treasury would be responsible for developing formal guidance on the type of information that must be reported as well as rules for when and how special authorizations are dispensed, SC Media explained.
McHenry, who serves as the ranking Republican on the House Financial Services Committee, cited the Colonial Pipeline ransomware attacks as an impetus for the bill’s creation, saying the long lines and gas shortages that resulted “pales in comparison to what would happen if America’s critical financial infrastructure were to be taken offline.”
‘Track Down Hackers’
“This bill will help deter, deny, and track down hackers who threaten the financial institutions that make day-to-day economic activity possible,” McHenry said in a statement. “The legislation will also provide long overdue clarity for financial institutions that look to Congress for rules of the road as ransomware hacks intensify. I look forward to working with my colleagues and Treasury Secretary Yellen to protect our financial system from the 21st century threats they face.”
