Press Releases

McHenry Introduces Bill to Protect America’s Critical Financial Infrastructure from Ransomware Attacks

Washington, November 10, 2021 -

The top Republican on the House Financial Services Committee, Patrick McHenry (NC-10), introduced the Ransomware and Financial Stability Act. By deterring hackers and setting commonsense guardrails for financial institutions to respond to ransomware attacks, this legislation will protect the critical financial infrastructure that makes daily economic activity possible.
“Ransomware payments in the U.S. have totaled more than $1 billion since 2020,” said Republican Leader McHenry. “Most notably, this past May, a Russian ransomware attack forced Colonial Pipeline to shut down oil supplies to the eastern United States before the company paid hackers. As disruptive as this hack was, it pales in comparison to what would happen if America’s critical financial infrastructure were to be taken offline. That’s why I’m introducing the Ransomware and Financial Stability Act of 2021. This bill will help deter, deny, and track down hackers who threaten the financial institutions that make day-to-day economic activity possible. The legislation will also provide long overdue clarity for financial institutions that look to Congress for rules of the road as ransomware hacks intensify. I look forward to working with my colleagues and Treasury Secretary Yellen to protect our financial system from the 21st century threats they face.”
Background on the Ransomware and Financial Stability Act of 2021:
Focuses the Government’s Deterrence Efforts on Critical Financial Infrastructure
  • Limits the bill’s scope to Financial Market Utilities, large securities exchanges, and certain technology service providers essential for banks’ core processing services.
Gives These Critical Institutions a Roadmap When Attacked
  • Requires covered entities to notify the Treasury Department before making a ransomware payment.
  • Deters hackers by prohibiting large ransomware payments in excess of $100,000 unless law enforcement provides a Ransomware Payment Authorization or the President determines a waiver is in the U.S. national interest.
Provides Legal Clarity When Responding to Attacks
  • Ensures confidentiality of information when covered institutions notify authorities of a ransomware attack.
  • Gives clarity to financial institutions, including ransomware payment processors, by creating a safe harbor when they assess a cybersecurity attack or comply with a Ransomware Payment Authorization.

Print version of this document