A new ransomware reporting bill introduced to the House of Representatives proposes putting new requirements on financial institutions, some of which are likely to be controversial.
The lead item is that any payment of over $100,000 would require the victim to first obtain special permission from the US Treasury. With the average ransomware payment having ballooned to over half a million dollars, this would essentially mandate that all large enterprise companies (and likely a good number of small to medium-size businesses) get government permission before making a payment.
Ransomware reporting bill introduced in House, with no co-sponsors or Senate version
The “Ransomware and Financial Stability Act” was introduced by Republican representative Patrick McHenry, head of the House Financial Services Committee, on November 10. McHenry cited the Colonial Pipeline attack and some $1 billion in ransomware payments since 2020 as reasons for the need for new ransomware reporting rules.
The bill states that the scope of coverage is supposed to be limited to Financial Market Utilities, large securities exchanges, and “certain technology service providers.” But the minimum payment amount of $100,000 that would trigger involvement of the Treasury is well within the realm of what is commonly asked of businesses these days. The average ransomware payment amount has been greater than this since early 2020, with a particularly sharp spike in the second half of 2021 as cyber criminals have increasingly focused on larger companies and those that cannot afford downtime.
Regardless of the amount, all financial institutions would be required to notify the Treasury prior to a payment should the ransomware reporting bill become law. Those seeking to make a payment of at least $100,000 would have to apply to the Treasury’s Financial Crimes Enforcement Network for a “Ransomware Payment Authorization” first, or petition the president for a waiver on the basis of national interests. The bill’s lone concession to these organizations is that it would keep the payment confidential.
The bill’s level of support is questionable, given that it appears to have no co-sponsors and no Senate version. The Biden administration has shown increased interest in ransomware reporting requirements since the attacks on Colonial Pipeline and JBS earlier in the year, but thus far those efforts have been directed at industries in the physical realm of critical infrastructure, without much attention paid to financial institutions. New cybersecurity regulations put in place by the administration have focused on the energy industry and water utilities, mandating that companies report any attacks within 24 hours in some cases.
Ilia Kolochenko, CEO and Chief Architect of ImmuniWeb, thinks the ransomware reporting bill will be a non-starter: “I think the new bill is a disservice for American companies. The more bureaucracy we implement, the more arduous and inefficient a victim’s response will be. Sometimes, an undelayed payment of a ransom can prevent critical data from being placed on a Dark Web marketplace and then be acquired by nation-state threat actors. Today, virtually all ransom demands exceed $100,000 and thus will be subject to laborious approval requirements. Worse, the new bill tackles attack consequences instead of treating the root causes of ransomware. We need more cybersecurity programs in American colleges and universities, a unified data protection law on a federal level that would cover all industries in all US states, support and free cybersecurity training to SMEs, and an immediate budget increase for cyber law enforcement units who struggle to hire talent or even to buy forensic software. Prosecuting foreign hackers from extradition-proof countries and collecting intelligence about untraceable ransom payments will be unlikely to slow down the global pandemic of ransomware.”
“Payment ban” debate revived by proposed terms for financial institutions
Given that it would appear to extend beyond the large financial institutions it is purportedly meant for, the ransomware reporting proposal may renew a bitter debate about whether or not to outlaw ransomware payments in the interests of starving cyber criminals out of business.
The Biden administration appeared to decide against this approach earlier this year. However, making the ability to pay contingent upon approval of a government agency is not far off from an outright federal-level ban. Some proponents fervently believe that outright bans on ransom payments are the only ultimate solution to a ransomware problem that has only gotten worse over the past two years. Others contend that it would simply cause organizations to make payments covertly and cut law enforcement out of the loop, ultimately exacerbating the issue.
The ransomware payment is far from the only cost involved in the process; companies are usually hit with an even larger long-term remediation bill in the wake of the attack. This includes digital forensics, cleanup, security improvements, and losses due to business interruption. The trend of “double extortion” may be a particularly relevant factor when financial institutions decide whether to make a ransom payment. Ransomware gangs are increasingly exfiltrating sensitive data first, using advanced purpose-built tools designed to do so rapidly, and then threatening to release it to the public if the ransom is not paid. Financial institutions handle some of the most sensitive (and highly regulated) personal information possible, and could be on the hook for exorbitant legal costs and fines if a failure to meet the ransom demand leads to a public dump of their stolen files.
Some critics also point out that setting a firm payment limit that is known to the world will simply signal criminals to alter their approach to get around the rules. One obvious technique would be to make an initial ransom demand of under $100,000, then potentially come back to the financial institutions later asking for more in a separate payment.
As Tyler Farrar, CISO of Exabeam, observes: “I do not think that this bill will achieve the desired outcome. I could see cybercriminal groups simply adjusting their ransom demands to $99,999 to prevent organizations from having to adhere to the law. Additionally, ransoms are expected to be paid within a short timeframe or the organization experiences permanent loss of data or public exposure of data. How will the U.S. Treasury ensure bureaucracy does not delay tight timelines for payment?”