How New Cybersecurity Reporting Rules Will Affect Multifamily
Russia’s invasion of Ukraine includes physical attacks and cyberattacks against the Ukrainian government and critical infrastructure organizations, and can affect organizations both inside and outside the region, including the multifamily industry.
The number one concern for businesses in the current threat landscape is a direct ransomware attack. The secondary concern is the attack of ransomware on others with cascading effects (vendors, lifelines). Other concerns include third-party attacks, Zero Day attacks, DDoS (distributed denial of service attack), cleanup attacks, hacktivism, credential collection, and other common attacks.
In response to these attacks, the U.S. Cybersecurity and Infrastructure Agency and the Federal Bureau of Investigation issued a rare warning about Russian state-sponsored malicious cyber activity. As part of the warning, the CISA Shields Up website provides continuously updated alerts and complete best practices to protect against these threats.
CISA is not, however, the only arm of the federal government that has taken cybersecurity action in recent weeks.
They focus on cybersecurity to impact the industry
Congress has long debated how to codify the exchange and reporting of information about cyber threats, but the increasing cyber threat created by the Russian invasion of Ukraine has forced them to act quickly. As part of the recently passed federal spending bill in March, President Joe Biden signed a measure requiring critical infrastructure sectors to report to CISA within 72 hours of a substantial or 24-hour cyberattack. after payment of a ransomware lawsuit. It is important to note that the commercial real estate sector is designated as one of these critical infrastructure sectors.
So what exactly does this mean for the apartment industry? The specific implications of the industry are not yet clear until the standard-setting process is completed, and NMHC plans to intervene to ensure that the operations of the apartment industry are taken into account. As the new law now says, however, organizations in the affected sectors will have to meet new information requirements. That is, they must report “covered cyber incidents” to CISA, including:
- Incidents that cause “a substantial loss of confidentiality, integrity, or availability of this information system or network, or a serious impact on the security and resilience of operating systems and processes.”
- Incidents that cause “disruption of commercial or industrial operations”
- Incidents that cause unauthorized access to or disruption of business or industrial operations due to loss of service are facilitated through, or caused by, a commitment by the cloud service provider, managed service provider, or other third-party data hosting provider or by a supply chain “. commitment “
It is important to note that the law states that all reports made through this new channel would be exempt from any public records law and would not be used “solely” for regulatory enforcement actions unless obtained through other measures. CISA may, however, share the information with other “appropriate industry risk management agencies” and federal agencies, such as the FBI or state agencies, if they deem it necessary.
The industry will value compliance provisions
Prior to law enforcement, CISA must issue a Notice of Proposed Regulation to the Federal Registry to allow companies and advocacy organizations to intervene. They have up to two years to do so. The standard-setting process will establish specific compliance and implementation provisions that will shed more light on the potential impacts for apartment businesses.
NMHC and other industry advocacy groups will be involved in this process to ensure that reporting requirements for the real estate industry are reasonable, flexible, and scalable, and take into account the scope of each specific threat.
Julianne Goodfellow is Vice President of Government Affairs for the National Multifamily Housing Council, with primary responsibility for cybersecurity, data privacy, technology, real estate operations and regulatory reform from both an industry and business perspective. federal policy. Industry stakeholders can contact Julianne Goodfellow for more information on how to take action.
Read the June 2022 issue of MHN.