Congressman Patrick McHenry (R-NC) introduced the Ransomware and Financial Stability Act (HR 5936) this week which would make it illegal for financial institutions to pay ransoms over $100,000 without first getting the government’s permission.
McHenry, the top Republican on the House Financial Services Committee, introduced the bill yesterday.
He said that ransomware payments in the U.S. have totaled more than $1 billion since 2020. He didn't say where he came up with that number.
The FBI says ransomware payments between 2014 and 2020 totaled $140 million. I am not sure where the other $860 million came from.
He says that the bill will help deter, deny and track down hackers who threaten financial institutions. I am sure that a new law will make all of those hackers in Russia and North Korea shake in their boots. I am also not clear why not paying ransoms would help track down hackers.
If the bill passes, it will mandate the following:
- Financial institutions will have to notify Treasury's FinCEN before making a ransomware payment
- Financial institutions will be prohibited from paying a ransom in excess of $100,000 without prior approval from law enforcement or the President, if he/she determines that paying is in the country's national interest
The bill says that ransomware payment reports would remain confidential (something the government is great at), with an exception for disclosure to the government or the courts.
Of course there are two sides to prohibiting these payments.
On the pro-ban side, some say it is no different from paying bribes or paying pirates.
On the anti-ban side, there are those who say it is not the government's decision and that paying the ransom may be dramatically less expensive than not paying it.
RAND has suggested that banning ransom payments is similar to the U.S.'s no-concession approach to kidnapping demands, which RAND says does not work.
The FBI said that ransom payments should not be banned.
Usually the reason that companies choose to pay the ransom is that it is less expensive, often 10x or 50x less expensive than recovering without paying. The bill, which would take that decision out of their hands for any payment over $100,000, does not compensate financial institutions for the decision that the government will make for them.
The only good news is that the bill does not have any co-sponsors and there is no Senate version.