Two U.S. Republican senators, Marsha Blackburn of Tennessee and Cynthia Lummis of Wyoming, have introduced a bill that, if passed by the Senate and House, could see crypto companies legally reporting and sharing with federal and state authorities and among themselves any cyber threat indicators, activities, individuals/companies, and information they may deem as a cyber-security threat to their operations. This reporting can be done for other purposes, such as insurance.
The bill, which is termed as Cryptocurrency Cyber-security Information Sharing Act, seeks to amend the Cyber-security Information Sharing Act of 2015. It proposes to include blockchain and crypto companies as “covered companies.” The bill aims to stop illegal activity by bad actors in the cryptocurrency sector, said Senator Marsha Blackburn.
“Some bad actors have used cryptocurrency as a way to hide their illegal practices and avoid accountability. The Cryptocurrency Cybersecurity Information Sharing Act will update existing regulations to address this misuse directly. It will provide a voluntary mechanism for crypto companies to report bad actors and protect cryptocurrency from dangerous practices.”
The bill also seeks to reverse any potential losses from cyber-related threats, data breaches, ransomware, business interruption, and network damage affecting crypto firms. Companies could also utilize the reports to improve their counter-active measures and engage the federal and state authorities in boosting proactive measures. It may also help with the recovery of stolen funds when hacks occur.
Cryptocurrency companies have often suffered hacks and data breaches, with research showing that crime is increasing. Over $2 billion has been lost to crypto hacks and exploits in both Q1 and Q2, and 214% more is forecasted to be lost by the end of this year, according to a report by CertiK. Most of these have been stolen by North-Korea affiliated hacking groups.
A company intending to share such information as per the proposed bill voluntarily will be required to submit a notice of intent to the Financial Crimes Enforcement Network and the Cybersecurity and Infrastructure Security Agency. The notice shall contain, at the minimum, the name of the covered company with which they intend to share information.
According to this bill, a company shall voluntarily report suspected terrorist activity or any other activity requiring immediate attention to the appropriate law enforcement agency and the Cyber-security and Infrastructure Security Agency Incident Reporting System. They will be required to comply with any federal requirements about reporting these incidences and protecting the information and the agencies with which they intend to share the reports.