Senator Elizabeth Warren and Representative Deborah Ross have introduced a bill that would require companies to disclose ransomware payments.
Ransomware has become one of the biggest cybersecurity threats in recent years. Businesses and organizations of all sizes, including government agencies, have been targeted. While the FBI discourages organizations from paying a ransom, there is an understanding that sometimes it’s necessary to quickly get back up and running.
For the most part, companies choose not to disclose ransomware payments, for fear they will become an even bigger target once hackers realize they’re willing to pay. The Ransom Disclosure Act would change that, requiring full disclosure within 48 hours.
“Ransomware attacks are skyrocketing, yet we lack critical data to go after cybercriminals,” said Senator Warren. “My bill with Congresswoman Ross would set disclosure requirements when ransoms are paid and allow us to learn how much money cybercriminals are siphoning from American entities to finance criminal enterprises — and help us go after them.”
“Ransomware attacks are becoming more common every year, threatening our national security, economy, and critical infrastructure,” said Congresswoman Ross. “Unfortunately, because victims are not required to report attacks or payments to federal authorities, we lack the critical data necessary to understand these cybercriminal enterprises and counter these intrusions. I’m proud to introduce this legislation with Senator Warren which will implement important reporting requirements, including the amount of ransom demanded and paid, and the type of currency used. The U.S. cannot continue to fight ransomware attacks with one hand tied behind our back. The data that this legislation provides will ensure both the federal government and private sector are equipped to combat the threats that cybercriminals pose to our nation.”
The bill seems designed to protect organizations from backlash, as the reports will be made to the Department of Homeland Security (DHS). Although DHS will be required to disclose the previous year’s reports, those reports will exclude “identifying information about the entities that paid ransoms.”