The bill strengthens federal coordination, oversight, and information-sharing to improve ransomware response — benefiting institutions, investigators, and consumers — but may raise compliance costs, reduce immediate public transparency for sensitive details, and divert resources toward reporting and rulemaking.
Financial institutions and their customers will get faster, better‑coordinated ransomware incident reporting and response, reducing downtime and disruption to consumers and the financial system.
State and federal investigators and prosecutors will receive more timely and useful information to investigate and prosecute ransomware incidents if reporting gaps are identified and fixed.
Congress (and, through the unclassified report, the public) will gain greater oversight and accountability of federal ransomware response efforts via a required report and briefing.
Financial institutions may face increased reporting expectations or new regulatory requirements, raising compliance costs that could be passed on to customers or taxpayers.
The Treasury may place much of the report’s sensitive material into a classified annex, delaying public access to incident details and reducing immediate transparency for the public.
Preparing the report and any subsequent rulemaking could divert Treasury and industry resources away from active incident response and mitigation in the near term.
Based on analysis of 2 sections of legislative text.
Requires Treasury to report to Congress within one year on coordination, reporting practices, and recommendations to improve ransomware response for financial institutions, with a briefing within 15 months.
Requires the Secretary of the Treasury to deliver to specified congressional committees, within one year of enactment, an unclassified report (with an optional classified annex) assessing public-private and interagency coordination in responding to and preventing ransomware attacks on financial institutions. The report must analyze the usefulness of information reported by financial institutions, compare reporting requirements to practical utility, identify reasons institutions delay or withhold reporting, recommend policy or legislative changes to improve partnerships and speed response, and include feedback from cybersecurity and ransomware response entities; the Secretary must brief the committees on findings within 15 months. One section only establishes a short title and does not create new programs or funding.
Introduced January 28, 2025 by Zach Nunn · Last progress January 28, 2025