Cyber Attack Victims Won't Be Allowed to Pay More Than $100K in Ransom Under New Bill

In an effort to combat the rising threat of costly ransomware attacks, a new bill has been introduced in Congress to bar certain entities affected by cyberattacks from issuing ransom payments of more than $100,000.

North Carolina Representative Patrick McHenry, the senior Republican on the House Financial Services Committee, introduced the Ransomware and Financial Stability Act last week to curb ransomware attacks and implement new guidelines for those affected by the breaches.

The bill seeks to protect critical infrastructure in the U.S. and will focus on financial market utilities, large securities exchanges, and technology service providers that are considered essential for banks' core processing services.

McHenry said in a statement that ransomware payments in the U.S. have totaled more than $1 billion over the past year, prompting the need to implement "commonsense guardrails for financial institutions to respond to ransomware attacks."

"Most notably, this past May, a Russian ransomware attack forced Colonial Pipeline to shut down oil supplies to the eastern United States before the company paid hackers. As disruptive as this hack was, it pales in comparison to what would happen if America's critical financial infrastructure were to be taken offline."

"This bill will help deter, deny, and track down hackers who threaten the financial institutions that make day-to-day economic activity possible. The legislation will also provide long-overdue clarity for financial institutions that look to Congress for rules of the road as ransomware hacks intensify," he added.

Representative Patrick McHenry (R-NC) introduced a bill last week that would bar certain financial entities from paying over $100,000 in ransom. Here, McHenry speaks on Capitol Hill in Washington, D.C., September 30, 2021. AL DRAGO/POOL/AFP/Getty Images

The new bill would require the covered entities to notify the Treasury Department before making a ransomware payment and would bar any payments of more than $100,000 unless authorized by the government or law enforcement. That would effectively outlaw nearly all ransom payments made without authorization, since hackers rarely demand less than that figure, according to CoinGeek. Last year, the average ransomware transaction was $847,000.

The bill comes after an uptick in ransomware attacks in the U.S. on critical infrastructure such as the Colonial Pipeline, and on companies including the meat producer JBS USA. The latter accounts for nearly a fifth of American beef production and was forced to pay hackers $11 million this year to unlock its systems after an attack.

On Monday, the Department of Homeland Security also launched a new program to prioritize hiring cybersecurity experts as the U.S. works to address the recent rise in major hacking incidents.

Last year, the White House reported 30,819 information security incidents across the federal government in 2020, an 8 percent increase from 2019.

"As our nation continues to face an evolving threat landscape, we cannot rely only on traditional hiring tools to fill mission-critical vacancies," DHS Secretary Mayorkas said in a statement. "This new system will enable our Department to better compete for cybersecurity professionals and remain agile enough to meet the demands of our critical cybersecurity mission."