House passes bills to shore up small business cybersecurity

The House on Tuesday approved two bills to strengthen the cybersecurity of small businesses, which have faced escalating threats during the COVID-19 pandemic. 

The Small Business Administration (SBA) Cyber Awareness Act would require the SBA to issue a report on its cybersecurity capabilities and notify Congress in the event of a cybersecurity breach potentially compromising sensitive information.

The legislation, sponsored by Reps. Jason Crow (D-Colo.) and Young Kim (R-Calif.), was previously approved by the House in 2019 but failed to be signed into law during the last Congress. It was unanimously passed Tuesday by a vote of 423-0. 

In advocating passage of the bill, Crow on Tuesday pointed to an incident earlier this year that exposed the information of 8,000 individuals applying for the SBA’s Economic Injury Disaster Loan program.

“Cyberattacks are one of the biggest threats to our economy and small businesses and way of life,” Crow said on the House floor prior to the vote. “This bill would ensure we are doing everything we can to protect the millions of small businesses that the SBA serves and prepare them for 21st century threats.”

The House also passed, by a vote of 409-14, the Small Business Development Center Cyber Training Act, sponsored primarily by House Homeland Security Committee cyber subcommittee ranking member Andrew Garbarino (R-N.Y.). 

The bill would establish a cybersecurity counseling certification program to help existing Small Business Development Centers better assist businesses with cybersecurity needs. 

“Cyberattacks are on the rise and small businesses are increasingly vulnerable,” Garbarino said on the House floor Tuesday. “Nearly 50 percent of cyberattacks are directed at small businesses, which can result in devastating financial, intellectual property, and reputational loss.”

“Small businesses are targeted because they often lack the resources or technical knowledge needed to implement and maintain cybersecurity defenses,” he added. “This bill combats this by helping Small Business Development Centers become better equipped to assist small businesses with their cybersecurity and cyber strategy needs.”

The House took action on the bills near the end of a year that has seen a spike in cyber threats against small businesses, particularly as more were forced to move business online during the COVID-19 pandemic. 

The ransomware attack on IT company Kaseya in July impacted up to 1,500 companies, many of them small businesses, and experts have warned that smaller organizations are much more likely to be put out of business by a cyberattack than larger companies with more resources.

The Senate has also taken action to help secure small businesses, with a group of senators earlier this year introducing legislation to require credit bureaus to notify small businesses of data breaches within 30 days.