SEC Issues Final Cybersecurity Disclosure Rules for Public Companies

The Securities and Exchange Commission (SEC) finalized new rules last week by a vote of 3-2 that will require public companies to disclose more information about cybersecurity-related incidents, risk management, strategy, and governance. A joint comment letter by The Real Estate Roundtable and Nareit about the SEC proposal was cited nearly a dozen times in the final rule. (SEC fact sheet | Roundtable-Nareit comment letter, May 9, 2022)

Industry Objections

  • The Roundtable and Nareit expressed a number of concerns in their May 2022 letter about the proposed rule’s rigid incident reporting deadlines and granular requirements, which the industry organizations stated may unintentionally exacerbate cybersecurity risks for issuers while imposing unjustified burdens. (Roundtable Weekly, May 13, 2022)
  • Under the new rules, registered companies must report cyber-attacks by filing an 8-K form with the SEC within four business days, which The Roundtable and Nareit objected to in their joint letter.
  • Responding to these concerns, the SEC stated in its final rule that it is “… providing for a delay for disclosures that would pose a substantial risk to national security or public safety, contingent on a written notification by the Attorney General, who may take into consideration other Federal or other law enforcement agencies’ finding.” (Pensions and Investments, July 26)
  • The SEC also responded to industry concerns by stating it had “streamlined” its requirements on cyber-attack disclosures to focus more on the potential effects, rather than the details of the incident itself. (Wall Street Journal, July 26 | PillsburyLaw and Greenberg Traurig)
  • The agency states in its final rule, “To that end, to balance investors’ needs with the concerns raised by commenters … The final rules will require the registrant to describe the material aspects of the nature, scope, and timing of the incident, and the material impact or reasonably likely material impact on the registrant, including its financial condition and results of operations.”
  • SEC Chairman Gary Gensler emphasized that the final rule does not require disclosure of non-material information related to incidents—unlike the original proposal issued in March 2022. (SEC news release, July 26, 2023 and Roundtable Weekly, March 18, 2022)

New Disclosures Required

  • Public real estate companies will also be required to disclose the board of directors’ oversight of cybersecurity threats, identify any board committee (or subcommittee) responsible for cybersecurity oversight, and the processes by which the board or (sub)committee is informed about these risks.
  • The final SEC rule will become effective on September 5, according to a notice today in the Federal Register. All registered public companies, other than smaller reporting companies, must begin complying by Dec. 18, 2023.

The Roundtable’s Homeland Security Task Force will remain engaged with government officials and private sector partners on industry best practices to detect, protect, and respond to a variety of key threats, including cyber-attacks.

#  #  #

Senate Bill Introduced to Require Federal Guidance on Cybersecurity Insurance

Federal guidance on cyber insurance policies is the focus of a new bipartisan Senate bill introduced on Feb. 21 that aims to protect businesses and consumers against cyberattacks. (PoliticoPro, Feb. 21)

Cyber Issues

  • The Insure Cybersecurity Act will direct the National Telecommunications and Information Administration (NTIA) to mitigate digital risk by developing recommendations for issuers, agents, brokers, and customers to improve communication over cybersecurity insurance coverage levels.
  • Co-sponsored by Sens. John Hickenlooper (D-CO) and Shelley Moore Capito (R-WV), the bill also directs an NTIA task force to develop policy recommendations relating to ransomware or ransom payments, and the “terminology used in policies to include or exclude losses” due to cyber terrorism or acts of war.
  • Hickenlooper is the new chair of the Commerce Committee’s Subcommittee on Consumer Protection, Product Safety, and Data Security.
  • A 2021 Government Accountability Office report found that ambiguity in policy language can result in misunderstandings and litigation between issuers and policyholders—and underestimations of coverage needed to protect against cyber risks.

The Roundtable’s Homeland Security Task Force continues working with the Real Estate Information Sharing and Analysis Center (RE-ISAC), federal officials, and real estate companies about threats to the business cyber environment with the aim of mitigating cyber intrusions.

#  #  #

Fed Reports U.S. Financial Stability Risks Include Inflation, Asset Valuation Pressures, and Cyber Attacks

Near-term risks to the U.S. economy and financial system include inflation, asset valuation pressures and cyber attacks, according to the Federal Reserve’s semiannual Financial Stability Report released this month. (Wall Street Journal, Nov. 4)

Stability Threats

  • “Higher-than-expected interest rates could lead to increased volatility in financial markets, stresses to market liquidity, and declines in asset prices, including prices of both commercial and residential real estate properties,” the central bank states in its report.
  • The report warns that such effects could cause losses at a range of financial intermediaries, reducing their access to capital and raising their funding costs—and pose adverse consequences for asset prices, credit availability, and the economy.
  • Federal Reserve Vice Chair Lael Brainard stated the American financial system has held up through the turbulent developments of the past year. She said, “Household and business indebtedness has remained generally stable, and on aggregate households and businesses have maintained the ability to cover debt servicing, despite rising interest rates.”

Cybersecurity Concerns

  • Respondents to the central bank’s survey on stability threats also noted continuing concerns about the Russian invasion of Ukraine, high oil prices and a potential conflict between China and Taiwan. Cyber attacks pose an additional risk that “could come as retaliation for sanctions imposed on Russia,” according to the Fed’s report.
  • The Roundtable’s Homeland Security Task Force will hold a conference call on Monday, November 28 that will focus on a new Cyber Risk Summary briefing on Commercial Facilities—which includes Commercial Real Estate—from the Cybersecurity and Infrastructure Security Agency (CISA). [To register, contact Andy Jabbour of the Real Estate Information and Sharing Network (RE-ISAC)]
  • U.S. financial institutions processed approximately $1.2 billion in ransomware-related payments last year, a nearly 200 percent increase compared to 2020, according to the Treasury Department’s Financial Crimes Enforcement Network. (FinCEN report, Nov. 1)

Cybersecurity issues and CRE will be discussed during the next HSTF meeting on Jan. 25, 2023—held in conjunction with The Roundtable’s State of the Industry meeting. (Roundtable Weekly, Oct. 7)

#  #  # 

Treasury and CISA Seek Comments on Potential National Cyber Insurance Program

As cyberattacks pose an increasing threat to the real estate industry and the U.S. economy, the government is seeking input from policyholders, critical infrastructure owners, and operators on a potential federal response for catastrophic cyber incidents, including whether a national cyber reinsurance program is warranted. (Treasury Department Notice, Sept. 29 and NextGov, Sept. 28)

Response to Catastrophic Cyber Attacks

Terrorism & Cybersecurity

  • The Roundtable and its partners in the Coalition to Insure Against Terrorism (CIAT) have raised concerns about the need for effective insurance products to help manage the risks of catastrophic cyberattacks. (CIAT comment letter on the 2022 Report on the Effectiveness of the Terrorism Risk Insurance Program, May 16)
  • Insurers and the federal government’s Terrorism Risk Insurance Program (TRIP) may not cover the expanding range of such losses. For example, TRIP may only cover cyberattacks if they can be considered “terrorism” under its defined program criteria. (Roundtable Weekly, June 24)
  • Separately, CISA is requesting input on the implementation of cyber incident reporting requirements (due Nov. 14). CISA is also hosting a series of public listening sessions in cities throughout the nation as an additional means of gathering stakeholder responses on definitions for the proposed rules, the form and content of reports, enforcement procedures, and information protection policies. (Federal Register and Notice of Public Listening Sessions, Sept. 12)

Cybersecurity has long been a focus of The Roundtable’s Homeland Security Task Force (HSTF) and the Real Estate Information Sharing and Analysis Center. Cybersecurity issues and CRE will be discussed during the next HSTF meeting on Jan. 25, 2023—held in conjunction with The Roundtable’s State of the Industry meeting. (Roundtable Meeting Calendar)

#  #  # 

GAO Recommends Government Assessment of Federal Backstop for Catastrophic Cyberattacks

The US Government Accountability Office (GAO) recommended in a June 21 report that the federal government should assess the need for a potential insurance backstop for cyberattacks on critical infrastructure. (GAO summary “Cyber Insurance: Action Needed to Assess Potential Federal Response to Catastrophic Attacks”)

Growing Cyber Threats

  • With the growing proliferation of cyberattacks, mitigating and managing this expanding risk poses an increasing challenge to the U.S. economy and real estate.
  • Insurers and the government’s terrorism risk insurance program originally established under the Terrorism Risk Insurance Act (TRIA) may not be able to cover the expanding range of such losses. For example, TRIA may only cover cyberattacks if they can be considered “terrorism” under its defined program criteria.
  • TRIA was reauthorized in 2019 and extended for seven years through 2027. The legislation included a request for a study on evolving cyber terrorism risks. (Coalition to Insure Against Terrorism)
  • The Roundtable has raised concerns about the need for policyholders to have access to effective insurance products to help manage the risks of catastrophic cyberattacks—particularly in the context of TRIA-backed coverage for cyber terrorism attacks. (See May 16, 2022 joint comment letter on “2022 Report on the Effectiveness of the Terrorism Risk Insurance Program”)
  • This month’s GAO report acknowledges that although some cyber incident costs are covered in part by the private cyber insurance market, growing cyber threats have created uncertainty in this evolving market.
  • The report also notes that cyber incidents can spill over from the initial target to economically linked firms, thereby magnifying damage and threats to the overall economy. “Cyber insurance and the Terrorism Risk Insurance Program (TRIP)—the government backstop for losses from terrorism—are both limited in their ability to cover potentially catastrophic losses from systemic cyberattacks,” the report adds. (See report summary)

Federal Insurance Backstop

  • Federal agencies “have not assessed the extent to which risks to critical infrastructure from catastrophic cyber incidents and potential financial exposures warrant a federal insurance response,” the report states.
  • GAO states a government study that addresses a federal insurance response should include clear criteria for coverage, specific cybersecurity requirements, and a dedicated funding mechanism with concessions from all market participants.
  • The report concludes that the Department of the Treasury’s Federal Insurance Office (FIO) and the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) should jointly assess the cyberattack risks that warrant a federal insurance response, and inform Congress of the results of their assessment.

The Roundtable’s Homeland Security Task Force discussed the issue of cybersecurity and a potential federal backstop during its June 17 meeting, held in conjunction with The Roundtable’s 2022 Annual Meeting. (Roundtable Weekly, June 17)

#  #  # 

Roundtable and Nareit Raise Concerns to SEC About Proposed Cybersecurity Rules; SEC Climate Proposal Stokes GOP Criticism

The Real Estate Roundtable and Nareit raised concerns to the Securities and Exchange Commission (SEC) about its proposed rules related to cybersecurity risk management, strategy, governance, and incident disclosure. (Comment Letter, May 9)

Industry Concerns

  • The letter states that The Roundtable and Nareit generally support the SEC’s efforts to ensure that investors receive accurate and comparable material information regarding company cyber risk management and incidents. (SEC News Release | Proposed Rule | Fact Sheet)
  • However, the two industry groups expressed a number of concerns arising from the detailed, granular reporting that would be required by the SEC proposal and its rigid incident reporting deadlines, which may unintentionally exacerbate cybersecurity risks for issuers and impose unjustified burdens. Those concerns include:
    • It is vital to harmonize SEC reporting requirements with other federal and state cyber incident reporting requirements.
    • The Commission’s proposed 72-hour reporting window should incorporate flexibility for a reporting delay to accommodate other law enforcement and other contingencies.
    • Registrants should not be required to report detailed descriptions of their internal cybersecurity gameplans, which could compromise them in any number of ways.
    • The prescriptive requirements for disclosing risk management, strategy, and governance regarding cybersecurity risk are burdensome and unjustified.
  • The letter also raises concerns about the highly prescriptive nature of the requirements set forth in the Proposal and the “one size fits all” presumption that the prescriptive requirements will be appropriate for all industry sectors.

SEC Climate Disclosure Proposal

  • A separate SEC proposal on climate disclosure rules has drawn the ire of House Republicans, who have criticized the proposal and called for a hearing with the full commission. (E&E News, May 10)
  • In a May 4 letter to SEC Chair Gary Gensler, a group of House Republicans led by Oversight and Reform ranking member James Comer (R-KY) stated, “The Climate Disclosure Rule would represent the largest expansion of SEC authority without a clear legislative mandate from Congress.”
  • A regulatory push on multiple fronts by the Securities and Exchange Commission (SEC) prompted The Real Estate Roundtable and 24 other national business organizations to submit comments to Gensler about the need for more time to assemble meaningful stakeholder analysis as part of the rulemaking process. (Coalition letter, April 5 and Roundtable Weekly, April 8)

The proposed SEC climate disclosure rule has no immediate effect. If it is finalized, the action could have a significant impact on the real estate industry, requiring all SEC registered companies to report on climate-related risks through annual 10-Ks and additional filings. (SEC News Release | Proposed Rule | Fact Sheet, March 22)

#  #  #

Roundtable Convenes Town Hall on Ukraine With Alexander Vindman; Biden Administration Warns About Russian Cyberattacks

Lieutenant Colonel (Ret.) Alexander Vindman, Senior Advisor of VetVoice Foundation, today discussed the conflict in Ukraine during a Real Estate Roundtable virtual town hall. In recent years, Vindman served on the White House’s National Security Council as the Director for Eastern Europe, the Caucasus, and Russia. (Watch video discussion)

Focus on Ukraine

  • Vindman and Roundtable President and CEO Jeffrey DeBoer addressed Ukraine in the context of Democracy vs. Authoritarianism, the spillover effects of the war, and the need for a future international reconstruction effort.
  • “It’s a geopolitical earthquake that has unfolded over the past year, culminating in a war between the largest country in the world and the largest country in Europe,” Vindman stated.
  • In addition to the devastating human and physical destruction, the war’s spillover effects include interruptions to the supply of crucial commodities such as neon and titanium, and food supplies for the Middle East and Africa.
  • “The longer this war continues, the greater the chance of spillover,” Vindman said, citing the Russian attack on a Ukrainian nuclear power plant, and the potential use of cyberwarfare and chemical weapons.
  • He added the war’s eventual outcome will be a significant setback to Authoritarianism – and that the West should keep a door open for a reconciliation with Russia after Putin is gone.
  • Vindman and DeBoer also discussed the need for an enormous reconstruction effort, which Vindman said could amount to a $100 billion international fund that could take the form of a public-private partnership. (Watch video discussion)
  • Roundtable members can support Ukraine against the Russian invasion via the VetVoice Foundation.

U.S. Support

  • Since the invasion of Ukraine began, over 450 U.S. companies have announced their withdrawal from Russia, shutting down 25% of Russia’s gross domestic product (GDP), according to Professor Jeffrey Sonnenfeld at the Yale Chief Executive Leadership Institute. Sonnenfeld’s research team maintains a list of companies that have either withdrawn from Russia completely, suspended or scaled back operations, or delayed investments. (Fortune, March 16)
  • Many American Hotel & Lodging Association members, including Hilton and Marriott International, recently announced donations for humanitarian aid; the closure of their corporate offices in Moscow; and a suspension of all future hotel development and investment in Russia. (TravelPulse, March 21 and Roundtable Weekly, March 18)

White House CyberSecurity Warning 

  • President Joe Biden alerted U.S. business leaders on March 21 that “based on evolving intelligence, Russia may be planning a cyberattack against us.” Biden added, “[I]t’s a patriotic obligation for you to invest as much as you can in making sure … you have built up your technological capacity to deal … with cyberattacks.” (Remarks by President Biden | White House Statement | Fact Sheet: Act Now to Protect Against Potential Cyberattacks, March 21)
  • The growing concern about a possible Russian cyberattack response over U.S. sanctions also led White House Deputy National Security Adviser for Cyber and Emerging Technology Anne Neuberger to clarify that although “there is no certainty” of an attack, Biden’s warning was intended to focus attention on “critical infrastructure.” (White House Press Briefing video | BGov and Axios, March 21)

The Real Estate Roundtable’s Homeland Security Task Force and the Real Estate Information Sharing and Analysis Center (RE-ISAC) continue to work with their members, key law enforcement and intelligence agencies to help manage and mitigate cyber and physical threats to the commercial facilities sector. (Information on joining the RE-ISAC and Roundtable Weekly, March 4)

#  #   #

SEC Proposes 4-day Cybersecurity Reporting Requirements for Public Companies; Roundtable’s HSTF Plans Security Threat Briefings

The Securities and Exchange Commission (SEC) on March 9 issued a proposed rule that would require publicly traded companies to disclose a cybersecurity incident within four days of determining a breach is “material,” or important to the average investor. (BGov, March 11 and SEC News Release | Proposed Rule | Fact Sheet)

Proposed SEC Requirements

  • SEC Chair Gary Gensler said, “Today, cybersecurity is an emerging risk with which public issuers increasingly must contend. I am pleased to support this proposal because, if adopted, it would strengthen investors’ ability to evaluate public companies’ cybersecurity practices and incident reporting.” (Bloomberg, March 9)
  • An SEC spokesperson noted that the crisis in Ukraine gave these proposals “special relevance.” (CNBC, March 9 and see story below on The Roundtable’s upcoming March 25 discussion on the Ukraine conflict)
  • The proposed SEC amendments would include requirements around reporting material cybersecurity incidents – and providing periodic updates for previously reported cybersecurity incidents. (Wall Street Journal, March 9)
  • The proposal also would require periodic reporting related to:
    • a registrant’s policies and procedures to identify and manage cybersecurity risks;
    • the registrant’s board of directors’ oversight of cybersecurity risk; and
    • management’s role and expertise in assessing and managing cybersecurity risk and implementing cybersecurity policies and procedures.
  • The Real Estate Roundtable is planning to provide comments on the SEC proposal in advance of the May 9, 2022 submission deadline and looks forward to Roundtable members’ input. The proposed four-day reporting timeframe for companies to provide cyber disclosures may not provide enough time for companies to discover the full extent of an incident. (BGov, March 11)

Cybersecurity Threats

  • An Audit Analytics report released last year showed the number of cybersecurity intrusions reported by public companies increased from 28 breaches in 2011 to 117 in 2020.
  • The average cost of a corporate data breach was $4.24 million in 2021, according to an annual IBM Security report.
  • Separately, the $1.5 trillion omnibus spending bill enacted on March 11 included the Cyber Incident Reporting for Critical Infrastructure Act. The legislation establishes a narrower 72-hour window for critical infrastructure owners and operators to disclose a cyberattack to the Cybersecurity and Infrastructure Security Agency (CISA). Certain businesses are also required to report any ransom payments to the federal government within 24 hours, among other changes. (Brownstein Hyatt Farber Schreck, March 14)

  • The Real Estate Roundtable’s Homeland Security Task Force (HSTF) is coordinating briefings on the following security threats through the Real Estate Information Sharing and Analysis Center (RE-ISAC):
    • April: DHS Sector Outreach and Programs (Active Shooter, and other soft target resources for the Commercial Facilities Sector)
    • May: DHS Fusion Center overview
    • June: US Secret Service cybercrime
    • August: The Protective Security Advisor Program
    • September: FBI cybersecurity/cybercrime
    • November: The InfraGard program

Roundtable members interested in participating can contact Andy Jabbour of the RE-ISAC. 

#  #  #

Russian Aggression Raises Cybersecurity Concerns for CRE

Russian aggression against Ukraine has included cyberattacks that could potentially spill over to U.S. networks that serve commercial real estate. (GlobeSt, March 2)

Spillover or Direct Threats 

  • Since the imposition of American sanctions, direct Russian retaliation to U.S. networks could include malware, supply chain disruption and cyberattacks on critical infrastructure. (The Hill, March 3)
  • Senate Intelligence Committee Chairman Mark Warner (D-VA) recently told Axios that Russian cyber weapons inside Ukraine could spread to NATO member states. In 2017, Russia’s NotPetya malware was unleashed in Ukraine, causing billions of dollars in damage to companies worldwide. (Axios, Feb. 23)
  • “If you’re suddenly having 190,000 troops attack Ukraine, chances are that the cyberattack will not be a single piece of malware,” Warner told Axios. “The chances of that staying within the Ukrainian geographic border is quite small. It could spread to America, could spread to the U.K., but the more likely effect will be spreading to adjacent geographic territory [such as] Poland.” (Axios, Feb. 23)
  • GlobeSt on March 2 addressed potential cyber threats to CRE. “The largest vulnerabilities for real estate companies are systems such as HVAC, elevators, lighting, metering, parking, and physical access control,” according to Tom Shircliff of Intelligent Buildings.
  • Homeland Security Today also reported in January about a cyberattack on a German engineering firm’s building automation system that locked the owners out of the system and rendered three-quarters of several hundred devices in the building nonoperational. 

CRE’s Response 

  • The RE-ISAC has also worked with InfraGard National Capital Region (InfraGardNCR) to establish the Commercial Facilities Cyber Working Group (CCWG), a virtual effort to share cyber threat intelligence. The group shares threat reports, ransomware victim examples, and other information on a regular basis. 
  • RE-ISAC Managing Director Andy Jabbour interviewed James Whalen, Boston Properties’ SVP, Chief Information & Technology Officer, on the steps commercial real estate companies are taking to meet cybersecurity threats. (Gate 15, March 23, 2021 and Blended Threats: Holding Buildings Hostage)

FBI Recommendations 

This week, the FBI recommended organizations take the following steps:

  1. Review recent cybersecurity advisories, such as the Department of Homeland Security’s recent “Shields Up” warning that urged “all organizations – regardless of size – adopt a heightened posture when it comes to cybersecurity and protecting their most critical assets.” (TechCrunch, March 2)
  2. Know your networks, especially if you have even a tangential relationship with Russia and surrounding countries.
  3. Know your Cyber Incident Response plan. If you don’t have one, you should. Make sure the FBI and info sharing are embedded in that plan. Lower your thresholds for reporting.
  4. Report mis-, dis-, and mal-information, a tried-and-true tactic of the Russian government, including on your social media.
  5. In the event of a compromise, call the FBI.

The Real Estate Roundtable’s Homeland Security Task Force continues to work with key law enforcement, intelligence agencies and the RE-ISAC on protective measures that businesses can take to create infrastructure resistant to physical damage and cyber breaches. (Information on joining the RE-ISAC)   

#  #  # 

Roundtable and Business Coalition Weigh In on Legislation Requiring Ransomware Attack Reports

Bipartisan legislation that would require private sector companies to report ransomware attacks to federal authorities was advanced this week by the Senate Homeland Security and Governmental Affairs Committee. A broad, 37-member coalition that includes The Real Estate Roundtable on Oct. 4 provided detailed suggestions to Senate and House congressional committees about provisions that should be included in any bill that would impose a compulsory cyber incident notification program on the business community. (Cybersecurity coalition letter and Committee mark-up)

Why It Matters

  • The Cyber Incident Reporting Act (S. 2875) – sponsored by Committee Chairman Gary Peters (D-MI) and Ranking Member Rob Portman (R-OH) – would require certain owners and operators of critical infrastructure to report hacks within 72 hours and ransom payments within 24 hours to the Cybersecurity and Infrastructure Security Agency (CISA). Organizations failing to do so would potentially be banned from doing business with the federal government. (The Hill, Sept. 28 and PoliticoPro, Oct. 5)
  • The committee also approved the Federal Information Security Modernization Act of 2021 (S. 2902), which would require agencies and contractors to report on cyberattacks.
  • The congressional bills aim to update the Federal Information Security Modernization Act, signed into law in 2014. Sen. Portman noted two reports issued by the Homeland Security Committee since 2019 that found massive cybersecurity shortcomings at several federal agencies.
  • The Senate Homeland Security Committee’s leadership may seek to merge their legislation with a bill (S. 2010) from the Senate Intelligence Committee. Sen. Peters said he may also seek to include S. 2875 in House-passed defense policy legislation (H.R. 4350), which also includes language requiring reporting of cyber incidents. (BGov and PoliticoPro, Oct. 5)

Private Sector Concerns

  • The business coalition’s Oct. 4 letter to the Senate Committees on Intelligence, Homeland Security and Government Affairs and the House Committee on Homeland Security recommended several provisions that should be central to a mandatory reporting regime, including:
    • Establish a prompt reporting timeline of not less than 72 hours. Legislation should reflect an appropriate, flexible standard for notifying government about significant cyber incidents.
    • Attach reporting to confirmed cyber incidents. Businesses need clarity in reporting requirements, which should be targeted to well-defined and confirmed cyber incidents.
    • Confine reports to significant and relevant incidents. A list should be limited in reach—particularly excluding small businesses using existing federal rules—and risk based.
  • The business industry comments recommended that federal cybersecurity reporting legislation should also include robust liability protections; consistent federal reporting requirements; restrictive government use of reported data; and guarantee substantial input from industry to protect the rulemaking process.

Identifying Critical Infrastructure

  • In the House, a separate bill that would identify systemically important infrastructure was introduced Oct. 5 by Homeland Security Committee Ranking Member John Katko (R-NY), Rep. Abigail Spanberger (D-VA) and Rep. Andrew Garbarino (R-NY). (Katko one-pager on the bill)
  • The bill would authorize CISA to prioritize infrastructure operators considered so crucial to the U.S. economy, public health and national security that a disruption to their operations due to a cyberattack would be considered debilitating. (Katko news release, Oct. 5) 

The Roundtable’s Homeland Security Task Force continues to work with key law enforcement and intelligence agencies and the Real Estate Information Sharing and Analysis Center (RE-ISAC) on protective measures that businesses can take to create infrastructure resistant to physical damage and cyber breaches.  

#  #  #