House bill aims to better protect financial institutions from ransomware attacks

The bipartisan legislation would direct the Treasury secretary to deliver a report on public-private coordination to combat attacks on the financial sector.
Rep. Zach Nunn, R-Iowa, talks to reporters as House Republicans meet at the U.S. Capitol on Oct. 12, 2023 in Washington, D.C. (Photo by Chip Somodevilla/Getty Images)

A bipartisan pair of House lawmakers are seeking to improve private-public coordination for financial institutions amid a surge of ransomware attacks on the sector.

The Public and Private Sector Ransomware Response Coordination Act, introduced this week by Reps. Zach Nunn, R-Iowa, and Josh Gottheimer, D-N.J., would direct the Treasury secretary to deliver a report on existing collaboration between federal agencies and private financial companies, examining how those partnerships can be improved to better protect the industry from cyberattacks.

The legislation from Nunn and Gottheimer, both members of the House Financial Services Committee, comes as global ransomware attacks jumped 67% from 2023 to 2024, according to the director of national intelligence. And according to Statista, approximately 65% of financial institutions globally reported experiencing a ransomware attack in 2024, up from 34% in 2021.

“Bad actors continue to attack the United States’ critical infrastructure costing companies not only time and money but also leaving a bad taste in the mouth of consumers,” Nunn, who previously served as the National Security Council’s director of cybersecurity policy & engagement, said in a statement. “In order to address the evolving threat landscape, we must ensure critical infrastructure has the tools necessary to combat ransomware attacks and stay ahead of emerging threats.”

Under the bill, the Treasury secretary’s report would be required to detail the current levels of public-private coordination in the financial services sector, specifically regarding cybersecurity practices and how they prevent and respond to ransomware attacks.

The report would also probe whether relevant federal agencies are receiving timely access to reports on ransomware attacks on financial institutions, analyze reporting requirements, and assess whether additional legislation is needed. The bill also asks the Treasury secretary to provide feedback and potential policy solutions.

A 2024 Sophos report found that the average ransom payment is $2 million, while victimized organizations have to pay another $2.73 million on average in recovery costs. Ransomware payments hit a milestone in 2023, exceeding $1 billion for the first time, according to Chainalysis.

“Ransomware attacks are incredibly costly — and increasingly common. These attacks pose a serious threat to both our national security and economy, and we must be prepared with a coordinated approach to prevent and effectively respond when they happen,” Gottheimer said. “Our bipartisan legislation will bring government and industry experts together to develop a game plan that can reduce these attacks.”
