How New Cybersecurity Reporting Rules Will Affect Multifamily
The Russia-Ukraine conflict is fueling the passage of stepped-up requirements.
Russia’s invasion of Ukraine includes both physical attacks and cyber-attacks on the Ukrainian government and critical infrastructure organizations, and may impact organizations both within and outside the region—including the multifamily industry.
The No. 1 concern for businesses in the current threat landscape is a direct ransomware attack. The secondary concern is a ransomware attack on others with cascading effects (suppliers, lifelines). Other concerns include third-party attacks, zero-day attacks, distributed denial-of-service (DDoS) attacks, wiper attacks, hacktivism, credential harvesting and other common attacks.
In response to these attacks, the U.S. Cybersecurity and Infrastructure Agency and the Federal Bureau of Investigation issued a rare warning regarding Russian state-sponsored malicious cyber activity. As part of the warning, CISA’s Shields Up webpage provides continuously updated advisories and comprehensive best practices to protect against these threats.
CISA isn’t, however, the only arm of the federal government that has taken action regarding cybersecurity in recent weeks.
Biden Focus on Cybersecurity to Impact Industry
Congress has long debated how to codify cyberthreat information sharing and reporting, but the heightened cyber threat created by the Russian invasion of Ukraine has compelled it to act swiftly. As part of the federal spending bill enacted in March, President Joe Biden signed into law a measure that requires critical infrastructure sectors to report to CISA within 72 hours of a substantial cyber-attack or within 24 hours of paying a ransomware demand. Importantly, the commercial real estate sector is designated as one of these critical infrastructure sectors.
So, what exactly does this mean for the apartment industry? Specific industry implications remain unclear until the rulemaking process is complete, and NMHC plans to weigh in to ensure apartment industry operations are taken into account. As the new law reads now, however, organizations within impacted sectors will have to comply with new reporting requirements. Namely, they will be required to report “covered cyber incidents” to CISA including:
- Incidents that cause “substantial loss of confidentiality, integrity, or availability of such information system or network, or a serious impact on the safety and resiliency of operational systems and processes”
- Incidents that cause “disruption of business or industrial operations”
- Incidents that cause an “unauthorized access or disruption of business or industrial operations due to loss of service facilitated through, or caused by, a compromise of cloud service provider, managed service provider, or other third-party data hosting provider or by a supply chain compromise”
It’s important to note that, under the law, any reports made through this new channel would be exempt from any public records law and would not be used “solely” for regulatory enforcement actions unless obtained through other measures. CISA, however, can share the information with other “appropriate sector risk management agencies” and federal agencies—such as the FBI or state agencies—if it deems it necessary.
Industry to Weigh in on Compliance Provisions
Before implementation of the law can begin, CISA must publish a Notice of Proposed Rule Making in the Federal Register to allow companies and advocacy organizations to weigh in. It has up to two years to do so. The rulemaking process will establish specific compliance and implementation provisions that will shed more light on potential impacts to apartment firms.
NMHC and other industry advocacy groups will be engaged with this process to ensure that any reporting requirements for the real estate sector are reasonable, flexible and scalable—and take into account the scope of each specific threat.
Julianne Goodfellow is vice president of Government Affairs, National Multifamily Housing Council, with primary responsibility for cybersecurity, data privacy, technology, property operations and regulatory reform from both an industry and federal policy perspective. Industry stakeholders can contact Julianne Goodfellow to learn more about taking action.