WASHINGTON - Today, Reps. Young Kim (CA-39) and Jason Crow (CO-06) introduced the SBA Cyber Awareness Act, bipartisan legislation that would strengthen the Small Business Administration’s (SBA) cybersecurity to handle and report cyber threats that affect small businesses.
Reps. Kim and Crow serve as Ranking Member and Chair of the Small Business Subcommittee on Innovation, Entrepreneurship and Workforce Development.
“The unprecedented demand for COVID-19 relief programs exposed cybersecurity vulnerabilities at the SBA. We must secure our systems so our small business owners can safely utilize SBA’s resources as they work to reopen their doors and recover from the COVID-19 pandemic,” said Congresswoman Young Kim. “I’m proud to join forces with Chairman Crow to introduce the Cyber Awareness Act so the SBA prioritizes its cybersecurity and alerts Congress on potential risks or breaches. I’ll continue to do everything I can to fight for our small business owners in Congress.”
“Cyber attacks have the ability to shut down small businesses and destabilize our economy. Our small businesses are the backbone of our economy but are increasingly the target of cyber attacks and theft of small business data and intellectual property,” said Congressman Jason Crow. “With cyberattacks being one of the biggest threats to our economy and small businesses, this bill would ensure that we are doing everything we can to protect the millions of small businesses the SBA serves and prepare them for 21st century threats.”
In recent years, cyberattacks have increased and federal agencies are not immune. For more than two decades, the SBA’s Inspector General has listed IT security as one of the most serious management and performance challenges facing the SBA.
Over the course of the COVID-19 pandemic, unprecedented demand for relief programs like the Paycheck Protection Program (PPP) and Economic Injury Disaster Loan Program (EIDL) has inundated SBA’s legacy systems, leading to backend system crashes, portals operating slowly, and a glitch that led to a data breach of applicants’ personal information. On March 25, 2020, SBA discovered a flaw in its EIDL application system that exposed the personal information of up to 8,000 individuals to other applicants. Exposed data included email addresses, citizenship status, insurance information, birth dates, phone numbers, addresses, and Social Security Numbers. SBA failed to make any public announcement about the data breach, and it wasn’t until April 13, 2020 that the agency sent paper notifications to affected individuals.
The bill would expand cybersecurity operations at the SBA by requiring the Small Business Administration to issue a report assessing the agency’s ability to combat cyber threats within six months of passage. Specifically, the report would disclose:
- SBA’s cybersecurity infrastructure;
- the SBA’s strategy to improve cybersecurity protections;
- any equipment used by the SBA and manufactured by a company headquartered in China; and
- any incident of cyber risk at the SBA and the agency’s actions to confront it.
Finally, recognizing that a cyberattack on the agency could put the sensitive information and intellectual property of small businesses at risk, the legislation would require SBA to notify Congress of future breaches with information on those affected and how the breach occurred.