[Senate Report 114-423]
[From the U.S. Government Publishing Office]

Calendar No. 511

114th Congress, 2d Session
SENATE
Report 114-423

SMALL BUSINESS CYBER SECURITY IMPROVEMENTS ACT OF 2016

December 20, 2016.--Ordered to be printed

Filed, under authority of the order of the Senate of December 10 (legislative day, December 9), 2016

Mr. Vitter, from the Committee on Small Business and Entrepreneurship, submitted the following

REPORT

[To accompany S. 3024]

The Committee on Small Business and Entrepreneurship, to which was referred the bill (S. 3024) to improve cybersecurity for small businesses, having considered the same, reports favorably thereon without amendment and recommends that the bill do pass.

I. INTRODUCTION

S. 3024 was introduced by Senator Vitter, with co-sponsorship from Senator Peters and Senator Coons, on June 9, 2016. The Small Business Cyber Security Improvements Act of 2016 amends the Small Business Act to authorize the Small Business Administration (SBA), working with the Department of Homeland Security (DHS), to help Small Business Development Centers (SBDCs) develop cybersecurity strategies for small businesses. During the markup of the bill, the bill was approved unanimously by roll call vote, with Senator Ernst opposing the legislation and all other senators supporting it.

II. HISTORY (PURPOSE & NEED FOR LEGISLATION)

By one estimate, three out of every five cyberattacks now target a small business. With America's 28 million small businesses comprising up to 54 percent of annual U.S. sales, the frequency of such attacks and the high costs they create for small businesses could have ripple effects throughout the economy. Unfortunately, small businesses are often not prepared to prevent cyberattacks or easily recover from the damages.
A recent report by Internet security firm McAfee found that 90% of small- to medium-sized businesses do not protect customer information through advanced data protection. According to a report by Verizon Enterprise, a shocking 71 percent of cyber-attacks occur in businesses with less than 100 employees. To curb these risks, existing support structures and services must be adequately modernized and updated to provide greater cybersecurity assistance to small businesses.

III. HEARINGS & ROUNDTABLES

In the 114th Congress, the House of Representatives held two hearings on this topic.

On July 6, 2016, the House Committee on Small Business held a hearing entitled ``Foreign Cyber Threats: Small Business, Big Target.'' The committee heard testimony from representatives of the Homeland and National Law Program, Nisos Group, Wiley Rein LLP, and Ex Nihilo. The hearing examined the potential cyber opportunities that can be utilized by small businesses, the vulnerabilities faced by small businesses that rely on the Internet, and opportunities to help small businesses protect themselves.

On June 15, 2016, the House Subcommittee on Cybersecurity, Infrastructure Protections, and Security Technologies held a hearing entitled ``Oversight of the Cybersecurity Act of 2015.'' The committee heard testimony from the U.S. Chamber of Commerce, the United States Telecom Association, Soltra, and CA Technologies. The hearing examined industry perspectives and the recommended path forward for the Department of Homeland Security (DHS) in its implementation of the Cybersecurity Information Sharing Act of 2015 (CISA). The Committee also examined the progress made by DHS in the implementation of CISA and discussed how well the Department works with its information-sharing partners in industry. Additionally, the Committee considered the possibilities for future growth and improvement in the DHS cyber-mission.

IV. DESCRIPTION OF BILL

This bill updates the Small Business Act to authorize Small Business Development Centers (SBDC) to offer cybersecurity support to small businesses in accordance with an SBDC Cyber Strategy, which is to be developed jointly by the Department of Homeland Security and the Small Business Administration in consultation with SBDCs. SBDCs have been on the ground helping small businesses for more than 30 years and this bill will provide them with the resources, tools, and guidance they need to better meet the 21st century needs of small businesses.

V. COMMITTEE VOTE

In compliance with rule XXVI(7)(b) of the Standing Rules of the Senate, the following vote was recorded on June 8, 2016. A motion to adopt S. 3024, a bill to improve cybersecurity for small business, was approved by roll call vote, with Senator Ernst opposing the legislation and all other senators supporting it.

VI. COST ESTIMATE

In compliance with rule XXVI(11)(a)(1) of the Standing Rules of the Senate, the Committee estimates the cost of the legislation will be equal to the amounts discussed in the following letter from the Congressional Budget Office:

July 8, 2016.

Hon. David Vitter,
Chairman, Committee on Small Business and Entrepreneurship,
U.S. Senate, Washington, DC.

Dear Mr. Chairman: The Congressional Budget Office has prepared the enclosed cost estimate for S. 3024, the Small Business Cyber Security Improvements Act of 2016.

If you wish further details on this estimate, we will be pleased to provide them. The CBO staff contact is Stephen Rabent.

Sincerely,
Keith Hall.

Enclosure.

S. 3024--Small Business Cyber Security Improvements Act of 2016

S. 3024 would direct the Small Business Administration (SBA) and Department of Homeland Security (DHS) to develop a strategy and methods for small business development centers (SBDC) to provide cyber security counseling, awareness, assistance, and training to their clients.
It also would direct SBDCs to provide small businesses with access to cyber security specialists to develop security infrastructure, increase awareness, and improve training programs. S. 3024 would require the Government Accountability Office (GAO) to conduct a study on current federal programs aimed at assisting small businesses with enhancing cyber security. Finally, S. 3024 would authorize DHS, and other federal agencies, to provide information about cyber security risk to small businesses.

Based on information from the SBA and DHS about the resources needed to complete those tasks, CBO estimates that implementing S. 3024 would cost $1 million over the 2017-2021 period, mostly to complete the strategy and develop the report; such spending would be subject to the availability of appropriated funds. Based on the cost of similar studies, CBO estimates that requiring GAO to complete a report would cost less than $500,000.

Enacting S. 3024 would not affect direct spending or revenues; therefore, pay-as-you-go procedures do not apply. CBO estimates that enacting S. 3024 would not increase net direct spending or on-budget deficits in any of the four consecutive 10-year periods beginning in 2027.

S. 3024 contains no intergovernmental or private-sector mandates as defined in the Unfunded Mandates Reform Act and would not affect the budgets of state, local, or tribal governments.

On July 7, 2016, CBO transmitted a cost estimate for H.R. 5064, the Improving Small Business Cyber Security Act of 2016, as ordered reported by the House Committee on Homeland Security on June 8, 2016. The two pieces of legislation are similar and CBO's estimates of the budgetary effects are the same.

The CBO staff contacts for this estimate are Stephen Rabent and William Ma. The estimate was approved by H. Samuel Papenfuss, Deputy Assistant Director for Budget Analysis.

VII. EVALUATION OF REGULATORY IMPACT

In compliance with rule XXVI(11)(b) of the Standing Rules of the Senate, it is the opinion of the Committee that no significant additional regulatory impact will be incurred in carrying out the provisions of this legislation. There will be no additional impact on the personal privacy of companies or individuals who utilize the services provided.

VIII. SECTION-BY-SECTION ANALYSIS

Section 1--Short title

This section provides the title of this Act (``Small Business Cyber Security Improvements Act of 2016'').

Section 2--Role of Small Business Development Centers in cyber security and preparedness

This section directs Small Business Development Centers (SBDCs) to provide access to business analysts who can refer small business concerns to available experts and assistance as described in the Small Business Cyber Security Improvements Act of 2016. This section also provides that, to the extent practicable, SBDCs will provide access to external cybersecurity specialists to counsel, assist, and inform small business concerns as outlined in the Small Business Cyber Security Improvements Act of 2016.

Section 3--Additional cyber security assistance for Small Business Development Centers

This section allows the Department of Homeland Security (DHS), and any other Federal agency in coordination with DHS, to provide assistance to SBDCs by disseminating cybersecurity risk information and other homeland security information to help small businesses develop and/or enhance their cybersecurity infrastructure, cyber threat awareness, and cyber training programs for employees.

Section 4--GAO study on small business cyber support services and Small Business Development Center cyber strategy

This section defines key terms: ``Administrator'' means the Administrator of the Small Business Administration, ``Association'' means America's Small Business Development Center (ASBDC) Association, and ``Secretary'' means the Secretary of Homeland Security.
This section also directs the Comptroller General to report on the cybersecurity resources of federal agencies that can assist with the overall mission of this legislation, including developing cybersecurity infrastructure, awareness, and training. The report will include accounting and description of all programs, projects, and activities of federal agencies that provide assistance to small businesses in developing or enhancing cyber security infrastructure, cyber threat awareness, or cyber training programs for employees. The report also includes an assessment of how widely used the resources are by small businesses and a review of whether or not these resources are duplicative of other programs or structured in a manner that makes the resources accessible to small businesses. The Comptroller General will submit a report of findings and determinations to Congress, the Administrator, and the Secretary.