A coalition of national real estate associations submitted comments to the Cybersecurity and Infrastructure Security Agency (CISA) expressing concerns over a new proposed rule: Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) Reporting Requirements. As currently drafted, the rule imposes overly burdensome requirements and requires companies to assume unnecessary but significant legal and cybersecurity risks. (Letter)
Cyber Incident Reporting Rule
- Under the current proposal, companies would be required to report significant cyber incidents to the Department of Homeland Security or CISA within 72 hours as well as any ransomware payments within 24 hours.
- Given the ever-expanding cyber-threat landscape, the rental housing and real estate industry has prioritized defense against vulnerabilities.
- The industry has undertaken efforts to mitigate cybersecurity risks, implement policies to prevent and mitigate such risks and encourage investments in bolstering cyber defenses to protect data.
- The letter noted, “We support a unified but flexible regulatory framework for data security and incident notification, and believe it is important to have a balanced approach to providing consumers with meaningful information about material cybersecurity risks and incidents, while also not imposing overly burdensome regulations on the real estate/rental housing industry or unintentionally exposing our members to substantially greater cybersecurity risks.”
Industry Concerns and Recommendations
- Overly burdensome requirements: CISA should revise the definition of “covered cyber incident” to a higher threshold for reporting to prevent unnecessary administrative load.
- Disproportionate compliance costs: the estimated compliance cost of over $1.4 billion is seen as disproportionate to the benefits. These funds could be better spent on actual cybersecurity measures rather than on reporting.
- Reporting deadlines are unclear and increase the risk of attack: the proposed rule’s 72-hour reporting requirement and 24-hour ransom payment reporting deadline could hinder effective incident response and increase vulnerability to additional attacks.
- The proposed rule adds another reporting requirement to an already cluttered landscape. CISA should harmonize its reporting requirements to reduce compliance burdens.
The Real Estate Roundtable’s Homeland Security Task Force and RE-ISAC will continue to be resources and assist CISA in the development of clear, effective, and secure cyber incident reporting rules.