Real Estate Coalition Raises Concerns Over Cyber Reporting Requirements

A coalition of national real estate associations submitted comments to the Cybersecurity and Infrastructure Security Agency (CISA) expressing concerns over a new proposed rule: Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) Reporting Requirements. As currently drafted, the rule imposes overly burdensome requirements and requires companies to assume unnecessary but significant legal and cybersecurity risks. (Letter)

Cyber Incident Reporting Rule

  • Under the current proposal, companies would be required to report significant cyber incidents to the Department of Homeland Security or CISA within 72 hours as well as any ransomware payments within 24 hours.
  • Given the ever-expanding cyber-threat landscape, the rental housing and real estate industry has prioritized defense against vulnerabilities.
  • The industry has undertaken efforts to mitigate cybersecurity risks, implement policies to prevent and mitigate such risks and encourage investments in bolstering cyber defenses to protect data.

  • The letter noted, “We support a unified but flexible regulatory framework for data security and incident notification, and believe it is important to have a balanced approach to providing consumers with meaningful information about material cybersecurity risks and incidents, while also not imposing overly burdensome regulations on the real estate/rental housing industry or unintentionally exposing our members to substantially greater cybersecurity risks.”

Industry Concerns and Recommendations

  • Overly burdensome requirements: CISA should revise the definition of “covered cyber incident” to a higher threshold for reporting to prevent unnecessary administrative load.
  • Disproportionate compliance costs: the estimated compliance cost of over $1.4 billion is seen as disproportionate to the benefits. These funds could be better spent on actual cybersecurity measures rather than on reporting.
  • Reporting deadlines are unclear and increase the risk of attack: the proposed rule’s 72-hour reporting requirement and 24-hour ransom payment reporting deadline could hinder effective incident response and increase vulnerability to additional attacks.
  • The proposed rule adds another reporting requirement to an already cluttered landscape. CISA should harmonize its reporting requirements to reduce compliance burdens.

The Real Estate Roundtable’s Homeland Security Task Force and RE-ISAC will continue to be resources and assist CISA in the development of clear, effective, and secure cyber incident reporting rules.

Roundtable Policy Advisory Committees Drill Into Sustainability and Security Issues at 2024 SOI Meeting

The Roundtable’s Sustainability Policy Advisory Committee (SPAC) meeting at the 2024 State of the Industry meeting

National policies and agency actions related to climate, environmental, and energy issues were among the many topics on The Roundtable’s Sustainability Policy Advisory Committee (SPAC) agenda at the SOI meeting. Additionally, The Roundtable’s Homeland Security Task Force (HSTF) and Risk Management Working Group (RMWG) met to discuss evolving security threats impacting CRE.

Special Roundtable SPAC workshop on EPA’s ENERGY STAR Portfolio Manager benchmarking tool.
  • SPAC members also attended a special session with EPA staff where Roundtable members provided detailed industry feedback about the first major enhancements in a decade that are under consideration for EPA’s ENERGY STAR Portfolio Manager benchmarking tool.
The Roundtable’s Homeland Security Task Force (HSTF) and Risk Management Working Group (RMWG)
  • The Roundtable’s HSTF and RMWG joint meeting on Jan. 24 addressed China’s espionage efforts impacting American corporations; the emerging use of Artificial Intelligence as a new risk vector; and the current dynamic in pricing and coverage in commercial insurance markets. (HSTF & RMWG joint agenda | Roundtable 2024 Homeland Security Priorities)

Next on The Roundtable’s 2024 meeting calendar is the Spring Meeting on April 15-16. This upcoming meeting is restricted to Roundtable-level members only

#  #  #