By Julianne Goodfellow, VP of Government Affairs
Julianne Goodfellow is Vice President, Government Affairs, with primary responsibility for data privacy, technology, property operations and regulatory reform from both an industry and federal policy perspective.
What the apartment industry needs to know:
- U.S. Government urges organizations to increase cyber vigilance due to Russian invasion of Ukraine.
- NMHC provides resources to help members understand potential implications.
- Congress enacts critical infrastructure cyber incident reporting to better protect the U.S. from future threats.
- SEC issues proposed cybersecurity rules and amendments for public companies.
Read on for a deep dive into each of these top takeaways.
U.S. Government Urges Organizations to Increase Cyber Vigilance Due to Russian Invasion of Ukraine
Russia’s invasion of Ukraine included both physical attacks and cyber-attacks on the Ukrainian government and critical infrastructure organizations, and may impact organizations both within and outside the region.
On March 15, 2022, the Cybersecurity and Infrastructure Agency (CISA) and the Federal Bureau of Investigation (FBI) released a joint Cybersecurity Advisory to “warn organizations that Russian state-sponsored cyber actors have gained network access through exploitation of default MFA protocols and a known vulnerability.” CISA provides a host of guidance and advisories directly related to the security threat to U.S. companies at cisa.gov/shields-up
Below is a snapshot of their most recent guidance:
U.S. Cybersecurity and Infrastructure Agency’s (CISA) SHIELDS UP Advisory
“Russia’s invasion of Ukraine could impact organizations both within and beyond the region, to include the U.S. homeland. Every organization—large and small—must be prepared to respond to disruptive cyber activity. As the nation’s cyber defense agency, CISA stands ready to help organizations prepare for, respond to, and mitigate the impact of cyber-attacks. When cyber incidents are reported quickly, we can use this information to render assistance and as warning to prevent other organizations and entities from falling victim to a similar attack.”
NMHC Provides Resources to Help Members Understand Potential Implications
NMHC Cyber Alerts Available to Members
NMHC members can subscribe to NMHC Cyber Alerts to stay update to date on information relevant to apartment firms. This resource is produced with information provided by the Real Estate Information Security and Analysis Center (RE-ISAC).
Click here to subscribe today.
NMHC Hosts Virtual Town Hall on Russian Cyber Threats
NMHC hosted a virtual town hall on Friday, March 11 to discuss what the Russian invasion of Ukraine means to the U.S. from a security standpoint. The event covered the scope beyond commercial real estate including critical lifelines & cascading effects, what firms should be doing now, U.S. government guidance and real estate industry coordination.
Speakers Included:
- Andy Jabbour, Managing Director and Lead Analyst for RE-ISAC and Managing Director of Gate 15
- Jennifer Lyn Walker, Director of Cyber Defense at Gate 15 for organizations of RE-ISAC and other ISACs
- Julianne Goodfellow, Vice President of Government Affairs for NMHC
The virtual event was recorded—NMHC members can watch the recording by clicking here.
To engage on NMHC’s cybersecurity efforts, please contact Julianne Goodfellow at jgoodfellow@nmhc.org.
Congress Enacts Critical Infrastructure Cyber Incident Reporting to Better Protect the U.S. from Future Threats
Congress has long debated how to codify cyber breach information sharing and reporting. The heightened cyber threat created by the Russian invasion of Ukraine compelled Congress to act swiftly. As part of the recently enacted omnibus, President Biden signed into law a measure that requires critical infrastructure to report to CISA within 72 hours of a substantial cyber attack or within 24 hours of payment to a ransomware demand.
Commercial real estate is designated as one of the 16 critical infrastructure sectors “whose assets, systems, and networks, whether physical or virtual, are considered so vital to the United States that their incapacitation or destruction would have a debilitating effect on security, national economic security, national public health or safety, or any combination thereof.”
The impact on multifamily will be made clear through the rulemaking process. It’s important to note that the new law requires information sharing to CISA for cybersecurity related to specific threats. Any reports made through this new channel would be exempt from any public records law and would not be used for regulatory enforcement actions unless obtained through other measures.
The rulemaking process will establish the impact to apartment firms. NMHC is highly engaged with the Real Estate Information Sharing and Analysis Center, of which we are a member, and will engage during the process to ensure that that any reporting that impacts the sector takes into consideration the scope of the threat/disruption and that it is reasonable, flexible and scalable.
SEC Issues Proposed Rules and Amendments for Public Companies
On March 9, the Securities and Exchange Commission (SEC) issued proposed cybersecurity risk disclosure reporting rules for public companies. This expands upon SEC cybersecurity disclosure guidance in 2011 and 2018. The proposed rules also include new cybersecurity risk management requirements for some entities. The proposed rules are open for public comment for 30 days after it is published in the Federal Register.
Staff Resource
Related Articles
- Coalition Letter to Fannie Mae in Support of Solar Projects in Rental Housing
- Real Estate Industry Letter to HUD on Draft Notice on Solar, Cell Tower and Rooftop Leases
- NMHC-NAA Comment Letter to the Treasury Department on AI in Financial Services
- NMHC-NAA Statement for House Committee on Financial Services Hearing on AI in Financial Services and Housing
- NMHC-NAA Statement for Senate Commerce Hearing on AI & Data Privacy