Monday, December 16, 2019

HR 4915 Introduced – SBA Cybersecurity Loans


Earlier this year Rep Schneider introduced HR 4915, the Small Business Cybersecurity Enhancement Act. The bill would establish a cybersecurity loan guarantee program in the Small Business Administration (SBA).

Definitions

The bill adds a new §49 to the Small Business Act. A key definition in the new §49(a) is the term ‘cybersecurity technology and services’. It limits that term to computer hardware, software, and related technology that “supports the prevention of damage to, protection of, and restoration of computers, electronic communications systems, electronic communications services, wire communication, and electronic communication, including information contained therein, to ensure its availability, integrity, authentication, confidentiality, and nonrepudiation” {new §49(a)(1)(A)(i)(I)}.

The definition specifically includes {new §49(a)(1)(A)}:

• An insurance product available for purchase by an eligible small business that provides coverage for losses caused by a cyber attack on such business;
• Services related to the installation of computer hardware, software, and related technology described under clause (i); or
• Training on security principles for employees of an eligible small business.

Loan Guarantees

The bill authorizes the SBA to guarantee up to 90% of loans used to {new §49(b)(1)}:

• Acquire cybersecurity technology and services for use in the business operations of the eligible small business; and
• Defray the costs associated with the installation or use of such cybersecurity technology and services.

The maximum amount of any single loan guarantee is $50,000 and the total amount of principal guaranteed by the SBA in a single year is $500 million. The authority provided in this bill to make such loans is limited to a period of just five years while individual loan guarantees may be for a period of up to seven years.

Moving Forward

Schneider and one of his cosponsors {Rep Crow (D,CO)} are both members of the House Small Business Committee to which this bill was assigned for consideration. This means that there is a good chance that this bill may be considered in Committee. I see nothing in the language of the bill that would cause any serious opposition. I suspect that it would receive bipartisan support both in Committee and on the floor of the House if it were considered.

Commentary

The key definition in this bill is restricted to IT. It would not allow for loans to be made for cybersecurity protections for operational technology like building maintenance systems or access control and would certainly not cover industrial control system security measures. I am not sure that that was the intention, but it certainly results from the definition.

Changing the definition would be much easier if someone had made the changes that I had proposed to 6 USC 659. If those changes had been made, we could reference them in changing the definition of ‘cybersecurity technology and services’ in this bill. With that not being done we will have to add a couple of definitions to this bill:

(4) the term ‘control system’ means a discrete set of information resources, sensors, communications interfaces and physical devices organized to monitor, control and/or report on physical processes, including manufacturing, transportation, access control, and facility environmental controls;

(5) the term "information system" has the meaning given that term in section 3502(8) of title 44;

(6) the term "cybersecurity risk"—

(A) threats to and vulnerabilities of information, information systems, or control systems and any related consequences caused by or resulting from unauthorized access, use, disclosure, degradation, disruption, modification, or destruction of such information, information systems, or control systems, including such related consequences caused by an act of terrorism; and

(B) does not include any action that solely involves a violation of a consumer term of service or a consumer licensing agreement;

(7) the term "cybersecurity incident" means an occurrence that actually or imminently jeopardizes, without lawful authority:

(A) the integrity, confidentiality, or availability of information on an information system,

(B) the timely availability of accurate process information, the predictable control of the designed process or the confidentiality of process information, or

(C) an information system or a control system;

Then I would go back and modify the portion of the existing language in §49(a)(1)(A)(i) (struck text shown in brackets):

(i) computer hardware, software, and related technology that—

(I) [struck: supports the prevention of damage to, protection of, and restoration of computers, electronic communications systems, electronic communications services, wire communication, and electronic communication, including information contained therein, to ensure its availability, integrity, authentication, confidentiality, and nonrepudiation] reduces the cybersecurity risk to an information system or control system; or

(II) provides for the recovery from, or mitigates the damage from, a cybersecurity incident; and

([struck: II] III) is purchased by an eligible small business;

• • • [Renumbering as appropriate]
