According to U.S. intelligence, there has been a significant increase in malicious cyber activity connected to Russia since Russia invaded Ukraine in February. These cyber-attacks are directed at organizations both in and beyond the region. As apartment companies bolster their cyber defenses, policymakers are looking at measures to mitigate threats and encourage information sharing.
And as Washington zeroes in on this critical topic, NMHC remains engaged so the multifamily industry’s business operations are understood and reflected in any proposed rules or legislation. As such, NMHC took recent action on a newly proposed SEC rule.
What This Means
In an effort to bolster cybersecurity and to ensure that investors receive comparable material information regarding companies' cyber risk management and incidents, the Securities and Exchange Commission (SEC) issued a Proposed Rule related to Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure.
Access the SEC proposed rule fact sheet.
Why This Is Critical for Our Industry
Because most public apartment firms will be required to comply, the proposed rule could have a significant impact on the multifamily industry.
Rather than implementing a necessary, flexible standard that addresses data security and incident notification, the proposed rule misses the mark. As a result, apartment firms will still be left having to comply with the current patchwork of state laws and federal agency rulemakings.
To instruct the SEC on the final rule, NMHC submitted comments aimed at addressing the overly burdensome regulations on the apartment industry that unintentionally expose our members to substantially greater cybersecurity risks.
The SEC’s Proposed Rule requires companies to assume unnecessary, but significant, legal and cybersecurity risks. Specifically, the letter highlights these concerns within the proposed rule:
- Detailed reporting requirements concerning a company's cybersecurity risk management policies and procedures.
- Overly burdensome reporting requirements at the time of an incident and in subsequent quarterly and annual reports.
- A requirement to disclose a "material cybersecurity incident" before the threat actor has been fully neutralized, which can create additional vulnerabilities and legal risks for a company.
- Lack of clear direction regarding how a company should evaluate the cybersecurity practices of third-party service providers.
- The absence of a comprehensive safe harbor provision, which is necessary to encourage disclosure and best efforts to meet compliance.
Access our comment letter on the SEC’s website here.
NMHC Cybersecurity Resources
NMHC is in the process of updating the NMHC cyber security resources to reflect recent developments on the legislative and regulatory front. Subscribe to NMHC Cyber Alerts to stay in the loop and receive timely information provided by the Real Estate Information Security and Analysis Center (RE-ISAC) - nmhc.org/news/newsletters/cybersecurity-resources/
Access additional resources now:
- NMHC Data and Security Page
- NMHC Virtual Town Hall on Russian Cyber Threats (recording)
- CISA’s Shields Up
- NMHC NAA House Financial Services Data Privacy Letter
- NMHC NAA House Energy and Commerce Data Privacy Letter
- NMHC NAA Digital Discrimination NPRM Comments
- ‘We Need a Federal Standard’ – NMHC Reiterates Plea for Data Privacy Standard as FTC Explores New Rule
- FTC Commercial Surveillance and Data Security Comment Letter