On April 11, 2024, U.S. Representatives Brittany Pettersen (D-CO) and Patrick McHenry (R-NC) introduced the “Ransomware and Financial Stability Act” (the “Pettersen-McHenry Bill”), legislation aimed at combatting ransomware attacks targeting financial institutions. The Pettersen-McHenry Bill marks Washington's latest effort to bolster the financial system's resilience against increasing threats of cyber attack and malicious activity.
Throughout 2023, ransomware actors escalated their activities, focusing on high-profile institutions and essential infrastructure, such as hospitals, educational institutions, and government agencies. These incidents contributed to ransomware gangs achieving an unprecedented milestone, reportedly surpassing $1 billion in extorted cryptocurrency payments from their victims. Last year’s developments highlight the evolving nature of these cyber threats and their increasing impact on global institutions and security at large.
In a statement, Representative Petersen shared high profile examples from her home state of Colorado as evidence of the growing problem of large-scale ransomware attacks. If adopted, the Pettersen-McHenry Bill will impose certain reporting requirements on financial institutions (so defined) to the Financial Crimes Enforcement Network of ransomware attacks and any associated payments, and sets government authorization requirements for payments greater than $100,000.
The Pettersen-McHenry Bill follows various regulatory efforts to address ransomware and associated cyber risks. The SEC released its data breach notification rule last year, and the federal banking agencies (The Office of the Comptroller of the Currency, the Treasury Department, the Board of Governors of the Federal Reserve System, and the Federal Deposit Insurance Corporation) released a rule in 2022 requiring banking organizations to notify their federal regulator within 36 hours of a “notification incident,” including a ransomware attack. This increasingly assertive posture toward ransomware attacks is not limited to the federal government. In November 2023, the New York State Department of Financial Services (“DFS”) amended its Part 500 cybersecurity regulations to include stricter requirements for prevention, reporting, and compliance.
Legislation Overview
The Pettersen-McHenry Bill defines “Ransomware Attack” as “the deployment of malicious software for the purpose of demanding payment in exchange for restoring critical access to, or the critical functionality of, an information and communications system or network.”
It places reporting and compliance obligations on “Covered U.S. Financial Institutions”—systemically important financial market utilities designated by the Financial Stability Oversight Council, securities exchanges, and core processing technology service providers in the Federal Financial Institutions Examination Council’s Significant Service Provider Program—requiring them to notify the Financial Crimes Enforcement Network (FinCEN) before remitting ransom payments to hackers. Additionally, the legislation requires prior approval from a law enforcement agency or the President for any ransomware payment exceeding $100,000. It also offers legal protections to Covered U.S. Financial Institutions that are victims of ransomware attacks.
Key provisions of the Pettersen-McHenry Bill include:
- Mandatory Reporting: All covered financial institutions (which includes significant financial market utilities, securities exchanges, and tech service providers) would be obligated to notify FinCEN before acquiescing to hackers' ransom demands. This report would have to include a determination that the institution is under a ransomware attack and a description of the attack and associated demand. The institution will not be held liable for deficiencies revealed in such a report as long as the institution engaged in good faith efforts to analyze the nature of the attack.
- Safe harbor provision: Information reported to FinCEN would be exempt from disclosure requirements, safeguarding sensitive data from public exposure. Moreover, covered financial institutions will not be liable for prosecution for making a ransomware payment consistent with the parameters and timing of a ransomware payment authorization.
- Approval Requirement: The approval requirement for ransom payments exceeding $100,000 is especially noteworthy. This measure aims to impose greater scrutiny and oversight over substantial ransom payments, mitigating the risk of facilitating illicit activities.
Should the Pettersen-McHenry Bill become law, covered financial institutions would be required to adapt their cybersecurity strategies and compliance practices accordingly. This could include:
- establishing procedures necessary to ensure prompt and accurate reporting of ransomware incidents to the Treasury Department or other regulator.
- for organizations facing ransom demands exceeding $100,000, preparing for heightened scrutiny and regulatory oversight of their risk management protocols and decision-making frameworks.
- taking proactive measures such as comprehensive cybersecurity policy reviews, incident response plan assessments, and employee training are essential for aligning with the proposed requirements and bolstering resilience against cyber threats.