Patrick McHenryChairman

Washington, April 11, 2024 -

House Financial Services Committee Chairman Patrick McHenry (R-NC) and U.S. Representative Brittany Pettersen (D-CO) today introduced the bipartisan Ransomware and Financial Stability Act. This legislation will protect the critical financial infrastructure that makes daily economic activity possible by deterring hackers and setting commonsense guide rails for financial institutions to respond to ransomware attacks.

“Ransomware attacks pose a serious threat to the stability of our financial system,” said Chairman McHenry. “The bipartisan Ransomware and Financial Stability Act will help deter, deny, and track down cyber criminals who threaten the financial infrastructure that makes everyday economic activity possible. Our legislation sets commonsense guardrails to guide how critical institutions respond to ransomware attacks—helping protect both consumers and the financial institutions they rely on. I’m proud to reintroduce this bill with Congresswoman Pettersen and continue the Committee’s work to hold bad actors accountable.”

“For years, criminals have been utilizing ransomware to scramble organization’s data and then blackmail them into paying ransoms before releasing the information. These scams can have major impacts on everything from oil with the Colonial Pipeline to state agencies like an attack in recent years on the Colorado Department of Transportation,” said Pettersen, a member of the House Financial Services Committee. “The impacts of ransomware attacks on our financial system could be devastating if we don’t intervene. I’m proud to introduce this bill alongside Chairman McHenry to deter, track, and prosecute hackers, safeguarding our economy and American consumers."

Background on the Ransomware and Financial Stability Act:

Focuses the Government’s Deterrence Efforts on Critical Financial Infrastructure

• The bill focuses on Financial Market Utilities, large securities exchanges, and certain technology service providers essential for banks’ core processing services.

Gives Critical Institutions a Roadmap When Attacked

• Requires covered entities to notify the Treasury Department before making a ransomware payment.

• Deters hackers by prohibiting large ransomware payments in excess of $100,000 unless law enforcement provides a Ransomware Payment Authorization or the President determines a waiver is in the U.S. national interest.

Provides Legal Clarity When Responding to Attacks

• Ensures reports made by institutions to authorities about ransomware attacks are kept confidential.

• Gives clarity to financial institutions, including ransomware payment processors, by creating a safe harbor when they assess a cybersecurity attack or comply with a Ransomware Payment Authorization.

###