Congress Approves Law for Cybersecurity Guidance

By Harry J. Lew

At a loss about how to best protect your business against cyber breaches? Then help is on the way. On October 11, 2017, the U.S. House of Representatives approved a law that would provide guidance to small businesses, including insurance agencies and financial-services consulting firms, on how to safeguard their companies against cyber attacks. The House bill came on the hills of a similar Senate bill that passed on September 28, 2017.

How does the NIST Small Business Cybersecurity Act work? It requires a branch of the Department of Commerce—the National Institute of Standards and Technology (NIST) —to produce voluntary guidance for small businesses concerned with keeping their data safe against hacking and other causes of data breaches. Rather than impose additional regulations, the act delivers best practices that company can voluntarily implement, based on their needs and resources.

According to the bill’s language, small businesses represent 54 percent of U.S. business revenues and 55 percent of its jobs. Not surprisingly, attacks on small- to medium-sized businesses account for a large share of total U.S cyber attacks. Even worse, once a small firm is hacked, 60 percent will fail within six months.

Daniel Webster, (R-Fla.), a small business owner himself, said that small firms “are more susceptible to attacks because of the limited cybersecurity resources and tools available to them to plan for such an event. In describing his bill, Webster said it would provide a framework to “protect business owners, their employees, and their customer base, all while contributing to the economy.”

Although Webster’s bill passed the House, action is pending in the Senate, which received the proposed law and referred it to the Committee on Commerce, Science, and Transportation. A similar bill, the Main Street Cybersecurity Act (S. 770) passed the Senate, but has yet to be referred to a House Committee for review.

Over the past several years, businesses of all sizes have become targets of cyber attacks. As a result, there has been increased pressure on Congress for assistance, which resulted in the NIST Framework for Improving Critical Infrastructure Cybersecurity. After its release in February 2014, critics charged it was designed primarily for large firms, since smaller ones lack the resources and skills needed for risk-based analysis. The current House and Senate bills are designed to remediate that gap. However, since no one knows what will emerge from Congressional deliberations, reading the prior framework included in Small Business Information Security: The Fundamentals is still a useful exercise.