New Bill Would Require Companies to Disclose Ransomware Payments
A newly proposed law would require businesses in the U.S. to disclose any ransomware payment within 48 hours of the transaction. The bicameral Ransom Disclosure Act, drafted by Sen. Elizabeth Warren and Rep. Deborah Ross, would require companies and organizations (but not individuals) to provide the U.S. Department of Homeland Security (“DHS”) with data on ransomware payments, including the amount and type of cryptocurrency demanded and the sum that was paid. The lawmakers say this is essential to bolster the U.S. government’s understanding of how hackers operate and the extent of the ransomware threat.
In addition to the ransom reporting requirement, the Ransom Disclosure Act would require the DHS to:
- Commission a study on the relationship between ransomware and cryptocurrency.
- Make public certain information about ransomware from the past year.
- Establish a site for individuals to voluntarily report ransom payments.
The DHS study would aim to discover how cryptocurrency plays a role in these attacks and provide cybersecurity recommendations to better protect and strengthen information systems.
According to a press release from Sen. Warren and Rep. Ross, ransomware victims paid nearly $350 million in 2020 – a more than 300 percent increase over the previous year. What’s more, the average ransom payment increased by 170 percent to $312,000.
The Ransom Disclosure Act is not the only tactic the U.S. is employing in a bid to crack down on ransomware. Last month, the Treasury Department issued sanctions against the cryptocurrency exchange Suex for its role in facilitating ransom payments, after finding that over 40% of its total transactions were associated with illicit activity. The Treasury also recently warned American companies that they are prohibited from paying threat actors based in countries subject to U.S. sanctions.