[Congressional Bills 117th Congress]
[From the U.S. Government Publishing Office]
[S. 4985 Introduced in Senate (IS)]

117th CONGRESS
  2d Session
                                S. 4985

 To amend the Cybersecurity Information Sharing Act of 2015 to include 
    voluntary information sharing of cyber threat indicators among 
           cryptocurrency companies, and for other purposes.


_______________________________________________________________________


                   IN THE SENATE OF THE UNITED STATES

                           September 28, 2022

 Mrs. Blackburn (for herself and Ms. Lummis) introduced the following 
 bill; which was read twice and referred to the Committee on Banking, 
                       Housing, and Urban Affairs

_______________________________________________________________________

                                 A BILL


 
 To amend the Cybersecurity Information Sharing Act of 2015 to include 
    voluntary information sharing of cyber threat indicators among 
           cryptocurrency companies, and for other purposes.

    Be it enacted by the Senate and House of Representatives of the 
United States of America in Congress assembled,

SECTION 1. SHORT TITLE.

    This Act may be cited as the ``Cryptocurrency Cybersecurity 
Information Sharing Act''.

SEC. 2. SHARING OF CYBER THREAT INDICATORS BY COVERED COMPANIES.

    (a) In General.--The Cybersecurity Information Sharing Act of 2015 
(6 U.S.C. 1501 et seq.) is amended--
            (1) in section 102(15)(A) (6 U.S.C. 1501(15)(A)) by 
        inserting ``covered company (as defined in section 110),'' 
        after ``cooperative,'';
            (2) by redesignating sections 110 and 111 (6 U.S.C. 1509, 
        1510) as sections 111 and 112, respectively; and
            (3) by inserting after section 109 (6 U.S.C. 1508) the 
        following:

``SEC. 110. SHARING OF CYBER THREAT INDICATORS BY COVERED COMPANIES.

    ``(a) Definitions.--In this section:
            ``(1) Covered company.--
                    ``(A) In general.--Subject to subparagraph (B), the 
                term `covered company' means an entity--
                            ``(i) that is--
                                    ``(I) engaged in the business of 
                                validating distributed ledger 
                                technology transactions;
                                    ``(II) engaged in the business of 
                                developing digital assets or the 
                                corresponding protocols for use of 
                                digital assets by other persons;
                                    ``(III) an association of entities 
                                that manage digital assets or 
                                distributed ledger technologies; or
                                    ``(IV) a commercial general 
                                liability insurance provider or 
                                property insurance provider offering 
                                products designed to mitigate losses 
                                from a variety of cyber incidents, 
                                including--
                                            ``(aa) data breaches;
                                            ``(bb) ransomware attacks;
                                            ``(cc) business 
                                        interruption; and
                                            ``(dd) network damage; and
                            ``(ii) that shares or receives information 
                        under this section.
                    ``(B) Money services businesses and financial 
                institutions.--For purposes of paragraphs (1), (2), and 
                (3) of subsection (b), the term `covered company' 
                includes an entity that is a money services business, 
                or that otherwise is a financial institution, as 
                defined in section 5312 of title 31, United States 
                Code, for purposes of digital asset activity engaged in 
                by the entity.
            ``(2) Digital asset.--The term `digital asset' means a 
        natively electronic asset that--
                    ``(A) confers economic, proprietary, or access 
                rights or powers; and
                    ``(B) is recorded using cryptographically secured 
                distributed ledger technology, or any similar analogue.
            ``(3) Distributed ledger technology.--The term `distributed 
        ledger technology' means technology that enables the operation 
        and use of a ledger that--
                    ``(A) is shared across a set of distributed nodes 
                that participate in a network and store a complete or 
                partial replica of the ledger;
                    ``(B) is synchronized between the nodes;
                    ``(C) has data appended to the ledger by following 
                the specified consensus mechanism of the ledger;
                    ``(D) may be accessible to anyone or restricted to 
                a subset of participants; and
                    ``(E) may require participants to have 
                authorization to perform certain actions or require no 
                authorization.
    ``(b) Voluntary Information Sharing Among Covered Companies.--
            ``(1) In general.--Subject to paragraphs (2), (3), and (4), 
        a covered company may, under the protection of the safe harbor 
        from liability described in subsection (d), transmit, receive, 
        or otherwise share information with any other covered company 
        regarding individuals, entities, organizations, and countries 
        for purposes of identifying and, as appropriate, reporting 
        activities that the covered company suspects may involve 
        possible cyber threat indicators.
            ``(2) Information sharing between covered companies.--
                    ``(A) Notice requirement.--
                            ``(i) In general.--A covered company that 
                        intends to share information as described in 
                        paragraph (1) shall submit a notice of intent 
                        to the Financial Crimes Enforcement Network and 
                        the Cybersecurity and Infrastructure Security 
                        Agency, which shall contain, at a minimum, a 
                        list of each other company the covered company 
                        intends to share information with.
                            ``(ii) Effective period.--Each notice 
                        provided under clause (i) shall be effective 
                        for the 1-year period beginning on the date of 
                        the notice.
                            ``(iii) Additional notices.--Upon 
                        expiration of the 1-year period described in 
                        subclause (ii), a covered company shall submit 
                        an additional notice of intent at the beginning 
                        of each year during which the covered company 
                        intends to share information as described in 
                        paragraph (1).
                            ``(iv) List of covered companies that have 
                        submitted notice.--The Financial Crimes 
                        Enforcement Network shall periodically make 
                        available a list of covered companies that have 
                        submitted a notice under this subparagraph.
                    ``(B) Verification requirement.--Prior to sharing 
                information as described in paragraph (1), a covered 
                company shall take reasonable steps to verify that the 
                company with which the covered company intends to share 
                information is listed in a notice required under 
                subparagraph (A).
            ``(3) Protection and use of information by covered 
        companies.--
                    ``(A) Purpose.--Information received by a covered 
                company under this section may not be used for any 
                purpose other than--
                            ``(i) identifying and, as appropriate, 
                        reporting on cyber threat indicators; or
                            ``(ii) assisting the covered company in 
                        complying with any requirement of this title.
                    ``(B) Procedures for protection of information.--
                Each covered company that engages in the sharing of 
                information under this section shall maintain adequate 
                procedures to protect the security and confidentiality 
                of the information in accordance with the policies and 
                guidelines established under subsection (c).
            ``(4) Reporting requirements for covered companies.--
                    ``(A) Cybersecurity threat information.--A covered 
                company that identifies cybersecurity threat 
                information requiring immediate attention, such as 
                suspected terrorist activity, shall, as soon as 
                practicable but not later than 36 hours after 
                identifying the information--
                            ``(i) notify an appropriate law enforcement 
                        authority and the Cybersecurity and 
                        Infrastructure Security Agency Incident 
                        Reporting System; and
                            ``(ii) comply with any other Federal 
                        requirements for reporting suspicious activity.
                    ``(B) Suspicious activity.--
                            ``(i) Voluntary reporting to federal 
                        agencies.--A covered company may voluntarily 
                        report suspicious activity to the Financial 
                        Crimes Enforcement Network and the 
                        Cybersecurity and Infrastructure Security 
                        Agency under this section.
                            ``(ii) Rule of construction.--Nothing in 
                        this subparagraph shall be construed to--
                                    ``(I) modify the requirements for 
                                reporting suspicious activity if a 
                                covered company is subject to such 
                                regulations; or
                                    ``(II) create new suspicious 
                                activity reporting requirements for a 
                                covered company that is not currently 
                                subject to such a regulation.
                    ``(C) Exemption from disclosure.--Information 
                shared under this paragraph shall be exempt from 
                disclosure under any provision of State, Tribal, or 
                local freedom of information law, open government law, 
                open meetings law, open records law, sunshine law, or 
                similar law requiring disclosure of information or 
                records, in accordance with section 104(d)(4)(B).
    ``(c) Information Sharing Between Covered Companies and the Federal 
Government.--
            ``(1) Policies and procedures.--
                    ``(A) In general.--Not later than 180 days after 
                the date of enactment of the Cryptocurrency 
                Cybersecurity Information Sharing Act, the Director of 
                the Financial Crimes Enforcement Network and the 
                Director of the Cybersecurity and Infrastructure 
                Security Agency shall, in consultation with the 
                National Cyber Director and the heads of the 
                appropriate Federal entities, jointly develop and make 
                publicly available policies and procedures relating to 
                the receipt by the Federal Government of cyber threat 
                indicators shared by covered companies.
                    ``(B) Considerations.--In developing the policies 
                and procedures required under subparagraph (A), the 
                Director of the Financial Crimes Enforcement Network 
                and the Director of the Cybersecurity and 
                Infrastructure Security Agency shall take into account 
                the requirements described in subsections (a)(3) and 
                (b)(3) of section 105.
                    ``(C) Compliance with similar procedures.--In the 
                case of a covered company that is required to comply 
                with section 501 of the Gramm-Leach-Bliley Act (15 
                U.S.C. 6801) and the Payment Card Industry Data 
                Security Standard, and applicable regulations issued 
                thereunder, the covered company shall be considered to 
                be acting in compliance with the requirements developed 
                under this subsection if the covered company applies 
                the procedures required under such section 501 to 
                information shared under this section.
            ``(2) Guidelines.--
                    ``(A) In general.--Not later than 60 days after the 
                date of enactment of the Cryptocurrency Cybersecurity 
                Information Sharing Act, the Director of the Financial 
                Crimes Enforcement Network and the Director of the 
                Cybersecurity and Infrastructure Security Agency shall 
                jointly develop and make publicly available guidance--
                            ``(i) to assist covered companies and 
                        promote sharing of cyber threat indicators with 
                        Federal entities under this section; and
                            ``(ii) relating to adequate procedures to 
                        protect the security and confidentiality of 
                        information shared under this section, as 
                        required under subsection (b)(3)(B).
                    ``(B) Contents.--The guidelines required under 
                subparagraph (A) shall include guidance relating to the 
                following:
                            ``(i) Identification of types of 
                        information that would qualify as a cyber 
                        threat indicator under this title and that 
                        would be unlikely to include information that--
                                    ``(I) is not directly related to a 
                                cybersecurity threat; and
                                    ``(II) is personal information of a 
                                specific individual or information that 
                                identifies a specific individual.
                            ``(ii) Identification of types of 
                        information protected under otherwise 
                        applicable privacy laws that are unlikely to be 
                        directly related to a cybersecurity threat.
                            ``(iii) Such other matters as the Director 
                        of the Financial Crimes Enforcement Network and 
                        the Director of the Cybersecurity and 
                        Infrastructure Security Agency consider 
                        appropriate for entities sharing cyber threat 
                        indicators with Federal entities under this 
                        title.
            ``(3) Compliance with the paperwork reduction act.--In 
        establishing requirements under this subsection, the Secretary 
        shall ensure that the requirements comply with chapter 35 of 
        title 44, United States Code (commonly known as the ``Paperwork 
        Reduction Act'').
    ``(d) Safe Harbor From Certain Liability.--The liability 
protections in section 106 shall not apply to a covered company to the 
extent the company fails to comply with paragraphs (2), (3), and (4) of 
subsection (b).
    ``(e) Exemption From Disclosure.--In accordance with paragraphs (3) 
and (8) of section 502(e) of the Gramm-Leach-Bliley Act (15 U.S.C. 
6802), if a covered company voluntarily shares information pursuant to 
this section, the covered company shall not be required to provide any 
affected consumer the notice required under section 503 of the 
Gramm-Leach-Bliley Act (15 U.S.C. 6803).''.
    (b) Conforming Amendment.--The table of contents in section 1(b) of 
division N of the Consolidated Appropriations Act, 2016 (Public Law 
114-113; 129 Stat. 2935) is amended by striking the items relating to 
sections 110 and 111 and inserting the following:

``Sec. 110. Sharing of cyber threat indicators by covered companies.
``Sec. 111. Exception to limitation on authority of Secretary of 
                            Defense to disseminate certain information.
``Sec. 112. Effective period.''.