Amends the Consolidated Appropriations Act, 2021, to include requirements for U.S. financial institutions regarding ransomware attack deterrence.
Prohibits covered U.S. financial institutions from making ransomware payments over $100,000 without authorization and requires notification to the Financial Crimes Enforcement Network before any payment.
Establishes that the President can waive these requirements if a waiver is in the national interest, with appropriate notification to Congress and the institution.
Provides a safe harbor for financial institutions making authorized ransomware payments, protecting them from liability under specific financial reporting laws and from adverse supervisory actions.
Specifies that financial institutions cannot be held liable for deficiencies in ransomware attack descriptions if they made good-faith efforts to assess the attack.
Details the confidentiality of information provided to federal law enforcement agencies, with exceptions for judicial actions, congressional requests, law enforcement or intelligence purposes, statistical analyses, and disclosures made with the institution’s consent.
Defines terms such as “covered U.S. financial institution,” “malicious software,” “ransomware attack,” “ransomware payment,” and “ransomware payment authorization.”
Sets the applicability of these amendments to begin 30 days after the publication of implementing rules or 1 year after the enactment of the Act, whichever is earlier.
Includes a sunset provision, repealing the Act and its amendments 10 years after the applicability date.