[Congressional Bills 117th Congress]
[From the U.S. Government Publishing Office]
[H.R. 5936 Introduced in House (IH)]

117th CONGRESS
  1st Session
                                H. R. 5936

To include requirements relating to ransomware attack deterrence for a 
 covered U.S. financial institution in the Consolidated Appropriations 
                   Act, 2021, and for other purposes.


_______________________________________________________________________


                    IN THE HOUSE OF REPRESENTATIVES

                            November 9, 2021

 Mr. McHenry introduced the following bill; which was referred to the 
                    Committee on Financial Services

_______________________________________________________________________

                                 A BILL


To include requirements relating to ransomware attack deterrence for a 
 covered U.S. financial institution in the Consolidated Appropriations 
                   Act, 2021, and for other purposes.

    Be it enacted by the Senate and House of Representatives of the 
United States of America in Congress assembled,

SECTION 1. SHORT TITLE.

    This Act may be cited as the ``Ransomware and Financial Stability 
Act of 2021''.

SEC. 2. RANSOMWARE ATTACK DETERRENCE.

    (a) In General.--Section 108 of title I of division Q of the 
Consolidated Appropriations Act, 2021 (Public Law 116-260; 135 Stat. 
2173; 12 U.S.C. 1811 note) is amended--
            (1) in the subsection heading, by striking ``report'';
            (2) by redesignating subsections (d) and (e) as subsections 
        (e) and (f), respectively;
            (3) by inserting the following after subsection (c):
    ``(d) Ransomware Attack Deterrence.--
            ``(1) Requirements.--
                    ``(A) In general.--A covered U.S. financial 
                institution subject to a ransomware attack may not make 
                a ransomware payment in response to such ransomware 
                attack--
                            ``(i) before submitting the notification 
                        described in paragraph (2); and
                            ``(ii) in an amount greater than $100,000, 
                        unless the payment is subject to a ransomware 
                        payment authorization.
                    ``(B) Rule of construction.--Nothing in this 
                subsection shall be construed to permit a ransomware 
                payment that is otherwise prohibited by law.
            ``(2) Notification described.--
                    ``(A) In general.--The notification described in 
                this paragraph shall be submitted by a covered U.S. 
                financial institution to the Director of the Financial 
                Crimes Enforcement Network and shall include--
                            ``(i) a determination by such institution 
                        that such institution is subject to a 
                        ransomware attack; and
                            ``(ii) a description of the ransomware 
                        attack and any associated ransomware payment 
                        demanded.
                    ``(B) Contents.--To ensure efficient notification 
                and resolution of a ransomware attack, the Secretary of 
                the Treasury--
                            ``(i) shall, in consultation with 
                        interested persons, issue guidance specifying 
                        information required to be included in the 
                        notification described in this paragraph; and
                            ``(ii) may not require, to be included in 
                        such notification, information that is 
                        unavailable to a covered U.S. financial 
                        institution, based on good-faith efforts of 
                        such institution to provide information.
            ``(3) Waiver.--The President may waive the requirements of 
        paragraph (2) with respect to a covered U.S. financial 
        institution if the President determines that the waiver is in 
        the national interest of the United States and notifies such 
        institution and the appropriate members of Congress of such 
        waiver.
            ``(4) Safe harbor with respect to ransomware payment 
        authorizations and good-faith determinations.--
                    ``(A) In general.--With respect to a ransomware 
                payment made under paragraph (2)(B) or a waiver issued 
                under paragraph (3)--
                            ``(i) a U.S. financial institution shall 
                        not be liable under subchapter II of chapter 53 
                        of title 31, United States Code, or chapter 2 
                        of title I of Public Law 91-508 (12 U.S.C. 1951 
                        et seq.) for making a ransomware payment 
                        consistent with the parameters and timing of a 
                        ransomware payment authorization; and
                            ``(ii) no Federal or State department or 
                        agency may take any adverse supervisory action 
                        with respect to the U.S. financial institution 
                        solely for making a ransomware payment 
                        consistent with the parameters and timing of 
                        the authorization.
                    ``(B) Good-faith efforts to assess ransomware 
                attacks.--A covered U.S. financial institution may not 
                be held liable for deficiencies in describing a 
                ransomware attack in a notification described under 
                paragraph (2) if such institution engaged in good-faith 
                efforts to determine the nature of the ransomware 
                attack.
                    ``(C) Rule of construction.--Nothing in this 
                paragraph may be construed--
                            ``(i) to prevent a Federal or State 
                        department or agency from verifying the 
                        validity of a ransomware payment authorization 
                        with the law enforcement agency submitting that 
                        authorization;
                            ``(ii) to relieve a U.S. financial 
                        institution from complying with any other 
                        provision of law, including the reporting of 
                        suspicious transactions under section 5318(g) 
                        of title 31, United States Code; or
                            ``(iii) to extend the safe harbor described 
                        in this paragraph to any actions taken by the 
                        U.S. financial institution--
                                    ``(I) before the date of issuance 
                                of ransomware payment authorization; or
                                    ``(II) after any termination date 
                                stated in the ransomware payment 
                                authorization.
                    ``(D) Ransomware payment authorization termination 
                date.--Any ransomware payment authorization submitted 
                under this subsection shall include a termination date 
                after which that authorization shall no longer apply.
                    ``(E) Records.--Any Federal law enforcement agency 
                that submits to a U.S. financial institution a 
                ransomware payment authorization shall, not later than 
                2 business days after the date on which the 
                authorization is submitted to the U.S. financial 
                institution--
                            ``(i) submit to the Director of the 
                        Financial Crimes Enforcement Network a copy of 
                        the authorization; and
                            ``(ii) alert the Director as to whether the 
                        U.S. financial institution has implemented the 
                        request.
                    ``(F) Guidance.--The Secretary of the Treasury, in 
                coordination with the Attorney General, shall issue 
                guidance on the required elements of a ransomware 
                payment authorization.
            ``(5) Confidentiality of information.--
                    ``(A) In general.--Except as provided in paragraph 
                (2), any information or document provided by a U.S. 
                financial institution to a Federal law enforcement 
                agency pursuant to this subsection--
                            ``(i) shall be exempt from disclosure under 
                        section 552 of title 5, United States Code; and
                            ``(ii) may not be made publicly available.
                    ``(B) Exceptions.--Paragraph (1) shall not prohibit 
                the disclosure of the following:
                            ``(i) Information relevant to any 
                        administrative or judicial action or 
                        proceeding.
                            ``(ii) Information requested by the 
                        appropriate members of Congress or otherwise 
                        required to be submitted to Congress.
                            ``(iii) Information required for Federal 
                        law enforcement or intelligence purposes (as 
                        determined by the Attorney General), in 
                        consultation with the Director of the Financial 
                        Crimes Enforcement Network to be disclosed to a 
                        domestic governmental entity or to a 
                        governmental entity of a United States ally or 
                        partner, only to the extent necessary for such 
                        purposes, and subject to appropriate 
                        confidentiality and classification 
                        requirements.
                            ``(iv) Anonymized information required for 
                        the production of aggregate data or statistical 
                        analyses.
                            ``(v) Information that the U.S. financial 
                        institution has consented to be disclosed to 
                        third parties.
            ``(6) Definitions.--In this subsection:
                    ``(A) Covered U.S. financial institution.--The term 
                `covered U.S. financial institution' means--
                            ``(i) any financial market utility that the 
                        Financial Stability Oversight Council has 
                        designated as systemically important under 
                        section 804 of the Dodd-Frank Wall Street 
                        Reform and Consumer Protection Act;
                            ``(ii) any exchange registered under 
                        section 6 of the Securities Exchange Act of 
                        1934 that facilitates trading in any national 
                        market system security, as defined in section 
                        242.600 of title 17, Code of Federal 
                        Regulations (or any successor regulation), and 
                        which exchange during at least four of the 
                        preceding six calendar months had--
                                    ``(I) with respect to all national 
                                market system securities that are not 
                                options, 10 percent or more of the 
                                average daily dollar volume reported by 
                                applicable transaction reporting plans; 
                                or
                                    ``(II) with respect to all listed 
                                options, 15 percent or more of the 
                                average daily dollar volume reported by 
                                applicable national market system plans 
                                for reporting transactions in listed 
                                options; and
                            ``(iii) any technology service provider in 
                        the Significant Service Provider Program of the 
                        Financial Institutions Examination Council that 
                        provides core processing services that is 
                        determined by the Council to be a significant 
                        technology service provider.
                    ``(B) Malicious software.--The term `malicious 
                software' means software that, when deployed, results 
                in the loss of access to data or the loss of 
                functionality of an information and communications 
                system or network of a U.S. financial institution.
                    ``(C) Ransomware attack.--The term `ransomware 
                attack' means the deployment of malicious software for 
                the purpose of demanding payment in exchange for 
                restoring critical access to, or the critical 
                functionality of, an information and communications 
                system or network.
                    ``(D) Ransomware payment.--The term `ransomware 
                payment' means a payment made by a U.S. financial 
                institution (including a payment made through use of 
                digital currency) to, at the request of, or for the 
                benefit of a person responsible for a ransomware attack 
                in exchange for restoration of the access or 
                functionality of an information and communications 
                system or network of the institution.
                    ``(E) Ransomware payment authorization.--The term 
                `ransomware payment authorization' means, with respect 
                to a ransomware payment made by a U.S. financial 
                institution, a written notice from a Federal law 
                enforcement agency to authorize such ransomware 
                payment.'';
            (4) in subsection (f), as so redesignated, by striking 
        ``after the date of enactment of this Act'' and inserting 
        ``after the date of enactment of the Ransomware and Financial 
        Stability Act of 2021''; and
            (5) by adding at the end the following new subsection:
    ``(g) Short Title.--This section may be cited as the `Cybersecurity 
and Financial System Resilience Act'.''.
    (b) Applicability.--
            (1) In general.--The amendments made by this Act shall 
        apply to a covered U.S. financial institution (as defined in 
        subsection (d) of the Cybersecurity and Financial System 
        Resilience Act (Public Law 116-260; 135 Stat. 2173; 12 U.S.C. 
        1811 note), as added by this Act) beginning on the earlier of 
        the date that is--
                    (A) 30 days after publication in the Federal 
                Register of rules implementing this Act; or
                    (B) 1 year after the date of the enactment of this 
                Act.
    (c) Sunset.--This Act and the amendments made by this Act shall be 
repealed 10 years after the applicability date described in subsection 
(b).