Cyber Risks

Growing geopolitical conflicts have raised security concerns around cyberattacks and exposed existing vulnerabilities in the nation’s cybersecurity regime, heightening the necessity to build robust domestic cyber defense systems for commercial facilities.

Additionally, Congress and federal agencies have mandated or proposed many new cyber incident reporting requirements for critical infrastructure and public corporations.


The Roundtable continues to help strengthen information sharing about cyber threats and cyber defense capabilities between public and private entities through the work of our Homeland Security Task Force (HSTF) and the Real Estate Information Sharing Agency (RE-ISAC).

Separately, The Roundtable and its industry partners have engaged the Securities and Exchange Commission (SEC) about new rules that will require public companies to disclose more information about cybersecurity-related incidents, risk management, strategy, and governance. The rules were finalized in August 2023 by an SEC vote of 3-2. A joint comment letter by The Real Estate Roundtable and Nareit that criticized aspects of the SEC proposal was cited nearly a dozen times in the final agency rule. (SEC fact sheet | Roundtable-Nareit comment letter, May 9, 2022)


Our HSTF continues its work with the Real Estate Information Sharing Agency (RE-ISAC) and public officials to strengthen the security and resilience the commercial facilities sector in response to cyber risks.

Regarding the SEC’s new, finalized cyber incident reporting rules, The Roundtable and Nareit expressed a number of concerns in a May 2022 letter about proposed rigid incident reporting deadlines and granular requirements, which the industry organizations stated could unintentionally exacerbate cybersecurity risks for issuers while imposing unjustified burdens.

  • Responding to these concerns, the SEC stated in its final rule in August 2023 that it is “… providing for a delay for disclosures that would pose a substantial risk to national security or public safety, contingent on a written notification by the Attorney General, who may take into consideration other Federal or other law enforcement agencies’ finding.”
  • The SEC also responded to industry concerns by stating it had “streamlined” its requirements on cyber-attack disclosures to focus more on the potential effects, rather than the details of the incident itself. (Wall Street Journal, July 26 | PillsburyLaw and GreenbergTaurig)
  • The agency states in its final rule, “To that end, to balance investors’ needs with the concerns raised by commenters …The final rules will require the registrant to describe the material aspects of the nature, scope, and timing of the incident, and the material impact or reasonably likely material impact on the registrant, including its financial condition and results of operations.”
  • The final SEC rule is effective September 5, according to a notice in the Federal Register. All registered public companies, other than smaller reporting companies, must begin complying by Dec. 18, 2023.

For more information and recent updates, reference our resources below or search using the bar at the top of the page.

RER's Homeland Security Task Force (HSTF)
Real Estate Information Sharing and Analysis Center (RE-ISAC)
Cyber Risks
Physical Risks