Cyber Risks

Growing geopolitical conflicts have raised security concerns around cyberattacks and exposed existing vulnerabilities in the nation’s cybersecurity regime, heightening the necessity to build robust domestic cyber defense systems for commercial facilities.

Additionally, Congress and federal agencies have mandated or proposed many new cyber incident reporting requirements for critical infrastructure and public corporations.

Position

The Roundtable continues to help strengthen information sharing about cyber threats and cyber defense capabilities between public and private entities through the work of our Homeland Security Task Force (HSTF) and the Real Estate Information Sharing Agency (RE-ISAC).

Separately, The Roundtable and its industry partners have engaged the Securities and Exchange Commission (SEC) about new rules that will require public companies to disclose more information about cybersecurity-related incidents, risk management, strategy, and governance. The rules were finalized in August 2023 by an SEC vote of 3-2. A joint comment letter by The Real Estate Roundtable and Nareit that criticized aspects of the SEC proposal was cited nearly a dozen times in the final agency rule. (SEC fact sheet | Roundtable-Nareit comment letter, May 9, 2022)

Background

Our HSTF continues its work with the Real Estate Information Sharing Agency (RE-ISAC) and public officials to strengthen the security and resilience of the commercial facilities sector in response to cyber risks.

Regarding the SEC’s new, finalized cyber incident reporting rules, The Roundtable and Nareit expressed a number of concerns in a May 2022 letter about proposed rigid incident reporting deadlines and granular requirements, which the industry organizations stated could unintentionally exacerbate cybersecurity risks for issuers while imposing unjustified burdens.

  • Responding to these concerns, the SEC stated in its final rule in August 2023 that it is “… providing for a delay for disclosures that would pose a substantial risk to national security or public safety, contingent on a written notification by the Attorney General, who may take into consideration other Federal or other law enforcement agencies’ finding.”
  • The SEC also responded to industry concerns by stating it had “streamlined” its requirements on cyber-attack disclosures to focus more on the potential effects, rather than the details of the incident itself. (Wall Street Journal, July 26 | PillsburyLaw and Greenberg Traurig)
  • The agency states in its final rule, “To that end, to balance investors’ needs with the concerns raised by commenters … The final rules will require the registrant to describe the material aspects of the nature, scope, and timing of the incident, and the material impact or reasonably likely material impact on the registrant, including its financial condition and results of operations.”
  • The final SEC rule is effective September 5, according to a notice in the Federal Register. All registered public companies, other than smaller reporting companies, must begin complying by Dec. 18, 2023.
