H.R. 5064, Improving Small Business Cyber Security Act, as amended

Date
September 21, 2016 (114th Congress, 2nd Session)

Staff Contact
Communications

Floor Situation

On Wednesday, September 21, 2016, the House will consider H.R. 5064, Improving Small Business Cyber Security Act, as amended, under suspension of the rules. H.R. 5064 was introduced on April 26, 2016, by Rep. Richard Hanna (R-NY) and was referred to the Committee on Small Business, in addition to the Committee on Homeland Security. The Committee on Homeland Security ordered the bill reported, as amended, by voice vote on June 8, 2016.

Bill Summary

H.R. 5064 improves small business cybersecurity by leveraging existing Federal programs, as well as the expertise of nearly 1,000 Small Business Development Centers (SBDCs) around the country, to streamline cyber support for small businesses. In particular, the bill amends both the Small Business Act and the Homeland Security Act of 2002 to allow the Department of Homeland Security (DHS), and any other Federal department or agency coordinating with DHS, to provide information on cybersecurity risks and other cyber-related assistance to SBDCs as they help small businesses develop or enhance cybersecurity infrastructure, threat awareness, and training programs. The Small Business Administration (SBA) and DHS are required to jointly develop a strategy that provides guidance to SBDCs on how they can leverage existing Federal resources to provide better access to much-needed cyber support services.

Additionally, the bill requires the Government Accountability Office (GAO) to review current cybersecurity programs at the Federal level aimed at providing assistance to small businesses. H.R. 5064 would also authorize DHS, and other federal agencies, to provide information about cyber security risk to small businesses.

Background

Recently, there has been an increase in the number of cyber-attacks executed against small and medium-sized businesses in the United States. Information technology is a necessity for small businesses as it equips them with the necessary tools to be competitive in the global economy. Unfortunately, small businesses are becoming increasingly targeted by cyber criminals. According to a report by Verizon Enterprise, 71 percent of cyber attacks occurred in businesses with fewer than 100 employees.[1] Moreover, even a simple cyber attack can destroy a small business. According to a 2014 survey, the average cost of a cyber attack on a small business was $32,020.56[2], and some statistics show that nearly 60 percent of small businesses will close within six months after a cyber attack.[3]

A recent survey found that 81 percent of small businesses are concerned about a cyber attack, but only 63 percent have basic cybersecurity measures in place. The problem is a cybersecurity education gap; small businesses may not be able to get the information they need to properly assess and mitigate the costs of protecting their companies. It is also difficult for small businesses to bridge the gap due to the high costs of hiring specialized employees or cybersecurity experts.

Small Business Development Centers (SBDCs) can help bridge the gap. SBDCs are non-federal resource partners that operate in a cooperative agreement with the Small Business Administration. The SBDC program is the largest small business assistance program in terms of facilities and outreach – there are nearly 1,000 SBDCs around the country. The assistance offered by SBDCs is provided at no or low cost to small businesses and enables aspiring entrepreneurs and existing businesses to take advantage of skills and expertise from partner agencies and institutions.

According to the bill’s sponsor, “Small Business Development Centers have been on the ground helping small businesses for more than 30 years. They have a presence in every congressional district and nearly every community. This bill provides them with the tools, resources, and expert guidance they need to tap into already existing cyber resources in order to better meet the 21st century needs of small businesses.”[4]

——————
[1] See http://www.verizonenterprise.com/resources/reports/rp_data-breach-investigations-report-2012-ebk_en_xg.pdf
[2] See http://www.nsba.biz/wp-content/uploads/2016/02/Year-End-Economic-Report-2015.pdf
[3] See http://www.businessinsider.com/the-challenges-in-defending-against-malware-2011-9
[4] See Rep. Hanna’s Press Release.

Cost

Based on information from the SBA and DHS, the Congressional Budget Office (CBO) estimates that implementing H.R. 5064 would cost $1 million over the 2017-2021 period, mostly to complete the strategy and prepare the report; such spending would be subject to the availability of appropriated funds. Based on the cost of similar studies, CBO estimates that the required GAO report would cost less than $500,000. Enacting H.R. 5064 would not affect direct spending or revenues; therefore, pay-as-you-go procedures do not apply.

Additional Information

For questions or further information please contact John Wilson with the House Republican Policy Committee by email or at 6-1811.