Codify — Article

Treasury to report on public-private ransomware response for financial institutions

One-year, unclassified report (with a classified annex possible) maps coordination gaps and sets the stage for stronger information sharing.

The Brief

The Public and Private Sector Ransomware Response Coordination Act of 2025 directs the Secretary of the Treasury to submit to the appropriate congressional committees a report within one year describing how the public and private sectors coordinate in responding to ransomware attacks on financial institutions. The report will examine coordination among government agencies, interagency information sharing, and the usefulness of information reported by financial institutions for prevention, investigation, and prosecution of attacks.

It also asks whether current reporting requirements are adequate and whether there is a need for further legislation to boost public-private partnerships, speed up incident response, and improve incident reporting. The act allows the Treasury to present the main report in unclassified form, with a classified annex if needed, and requires a briefing to Congress within 15 months on the findings.

At a Glance

What It Does

Section 2 requires a Treasury-led, one-year report to Congress detailing cross-sector coordination on ransomware responses for financial institutions, including interagency cooperation, information sharing, reporting mechanics, and potential policy enhancements.

Who It Affects

Directly affects financial institutions (as defined by 31 U.S.C. 5312(a)) and cybersecurity incident response entities that serve those institutions; also involves federal agencies and congressional committees charged with oversight.

Why It Matters

Establishes a baseline for public-private coordination, clarifies information-sharing pathways, and assesses whether additional legislative steps are needed to reduce response times and strengthen resilience in the financial sector.


What This Bill Actually Does

This bill directs the Treasury to produce a comprehensive, stand-alone report on how the government and the private sector work together when a ransomware attack hits a financial institution. The report will map who must coordinate, what information must be shared, and how quickly information travels between banks, regulators, and law enforcement.

It will also assess whether reporting requirements are working as written, and whether new laws are needed to improve collaboration and speed up responses.

The report’s scope includes how agencies coordinate with one another, how financial institutions report incidents, and how the shared information is used for prevention, investigation, or prosecution. It will explicitly analyze the usefulness of the information to government agencies and consider any gaps in access to data that could hamper timely actions.

The bill contemplates policy ideas to bolster public-private partnerships and to increase incident-report sharing while reducing response times. The act authorizes an unclassified main report, with the possibility of a classified annex, and requires a briefing to Congress within 15 months of enactment. It also provides definitions clarifying who counts as a financial institution and what counts as a cybersecurity and ransomware incident response entity, so that the report's findings are grounded in precise terms.

The Five Things You Need to Know

1. The Treasury must submit a one-year, unclassified report to Congress on cross-sector ransomware coordination affecting financial institutions.

2. The report analyzes interagency coordination, information sharing, and the usefulness of reported data for preventing and investigating attacks.

3. A classified annex may accompany the unclassified report if needed to protect sensitive information.

4. Treasury must brief Congress on the findings within 15 months of enactment.

5. The bill defines key terms like “financial institution” and “cybersecurity and ransomware incident response entity” to ensure clarity of scope.

Section-by-Section Breakdown

Every bill we cover gets an analysis of its key sections.

Section 2(a)

Report on coordination (scope and contents)

Section 2(a) requires the Secretary of the Treasury to prepare and submit to the appropriate congressional committees a comprehensive report within one year of enactment. The report describes current coordination and collaboration between the public and private sectors in responding to ransomware attacks on financial institutions. It covers interagency coordination, information sharing, accessibility of relevant information, reporting requirements, and potential policy initiatives to strengthen public-private partnerships and reduce incident response times. It also assesses the usefulness of reported information for prevention, investigation, and prosecution, and evaluates whether additional legislation is necessary.

Section 2(b)

Form of report

The report described in Section 2(a) must be submitted in unclassified form. It may include a classified annex, allowing sensitive details to be protected while preserving broad review by Congress.

Section 2(c)

Briefing to Congress

Not later than 15 months after enactment, the Secretary of the Treasury must brief the appropriate congressional committees on the findings of the report. This briefing is intended to translate the written analysis into actionable takeaways for lawmakers and agencies involved in cyber incident response.

Section 2(d)

Definitions

This section defines key terms used in the reporting requirement. It includes: (1) ‘Appropriate congressional committees’ (House Financial Services, House Intelligence, Senate Banking, Senate Intelligence), (2) ‘Cybersecurity and ransomware incident response entity’ (entities providing incident response, advisory services, or managed services that support investigation, risk management, regulatory compliance, and recovery), and (3) ‘Financial institution’ (as defined under 31 U.S.C. 5312(a)).


Who Benefits and Who Bears the Cost

Every bill creates winners and losers. Here's who stands to gain and who bears the cost.

Who Benefits

  • Financial institutions protected under the definition (and the cybersecurity teams that defend them) benefit from clearer information-sharing pathways and a better understanding of coordination expectations during ransomware incidents.
  • Cybersecurity incident response entities that provide services to financial institutions gain clearer operating guidance and a formal channel for information flow, potentially improving service delivery and outcomes.
  • Congressional oversight committees (House Financial Services and Senate Banking, plus intelligence committees) receive structured data and a briefing that supports informed oversight and policy-setting.
  • Treasury and federal agencies involved in cyber incident response acquire a defined mandate and timeline for evaluating cross-sector coordination, aiding interagency collaboration.

Who Bears the Cost

  • Financial institutions may incur costs to ensure timely reporting and data sharing as required by the bill (and to adapt internal processes for coordination with authorities).
  • Cybersecurity service providers could face increased administrative requirements to share information and participate in coordinated response efforts.
  • Federal agencies tasked with coordination and analysis must allocate resources to compile the report and prepare the briefing.
  • Congressional offices may incur briefing and oversight costs associated with reviewing the Treasury report and any follow-up actions.
  • Private sector partners and trade associations may bear costs associated with implementing any recommended policy initiatives to bolster partnerships and information sharing.

Key Issues

The Core Tension

The central dilemma is balancing rapid, actionable information sharing with the need to protect sensitive data and maintain privacy, while ensuring the government can meaningfully coordinate across federal, state, and private actors without imposing undue burden on financial institutions.

The bill creates a strong emphasis on information sharing and cross-sector coordination, but it raises tensions between transparency and security. Requiring a detailed, cross-cutting assessment could press private institutions to disclose more incident data, potentially triggering privacy or competitive concerns.

While the main report is unclassified, the possibility of a classified annex means sensitive details could be shielded from public view, which may affect broader policy accountability. The scope limited to financial institutions and the ransomware context may leave other critical sectors out of scope, and the balance between timely reporting and thorough analysis could impose implementation challenges for smaller institutions with limited compliance capacity.
