New Ransomware Reporting Rules for US Financial Institutions: Proposed Bill Would Require Government Permission for Payments Over $100,000
Friday, November 19, 2021
The bill’s level of support is questionable, given that it appears to have no co-sponsors and no Senate version. The Biden administration has had increased interest in ransomware reporting requirements since the attacks on Colonial Pipeline and JBS occurred earlier in the year, but thus far those efforts have been directed at industries in the physical realm of critical infrastructure without much attention paid to financial institutions. New cybersecurity regulations put in place by the administration have thus far focused on the energy industry and water utilities, mandating that companies report any attacks within 24 hours in some cases.
Ilia Kolochenko, CEO and Chief Architect of ImmuniWeb, thinks the ransomware reporting bill will be a non-starter: “I think the new bill is a disservice for American companies. The more bureaucracy we implement, the more arduous and inefficient a victim’s response will be. Sometimes, an undelayed payment of a ransom can prevent critical data from being placed on a Dark Web marketplace and then be acquired by nation-state threat actors. Today, virtually all ransom demands exceed $100,000 and thus will be subject to laborious approval requirements. Worse, the new bill tackles attack consequences instead of treating the root causes of ransomware. We need more cybersecurity programs in American colleges and universities, a unified data protection law on a federal level that would cover all industries in all US states, support and free cybersecurity training to SMEs, and an immediate budget increase for cyber law enforcement units who struggle to hire talent or even to buy forensic software. Prosecuting foreign hackers from extradition-proof countries and collecting intelligence about untraceable ransom payments will be unlikely to slow down the global pandemic of ransomware.”