Real Estate Coalition Raises Concerns Over Cyber Reporting Requirements

A coalition of national real estate associations submitted comments to the Cybersecurity and Infrastructure Security Agency (CISA) expressing concerns over a new proposed rule: Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) Reporting Requirements. As currently drafted, the rule imposes overly burdensome requirements and requires companies to assume unnecessary but significant legal and cybersecurity risks. (Letter)

Cyber Incident Reporting Rule

  • Under the current proposal, companies would be required to report significant cyber incidents to the Department of Homeland Security or CISA within 72 hours as well as any ransomware payments within 24 hours.
  • Given the ever-expanding cyber-threat landscape, the rental housing and real estate industry has prioritized defense against vulnerabilities.
  • The industry has undertaken efforts to mitigate cybersecurity risks, implement policies to prevent and mitigate such risks and encourage investments in bolstering cyber defenses to protect data.

  • The letter noted, “We support a unified but flexible regulatory framework for data security and incident notification, and believe it is important to have a balanced approach to providing consumers with meaningful information about material cybersecurity risks and incidents, while also not imposing overly burdensome regulations on the real estate/rental housing industry or unintentionally exposing our members to substantially greater cybersecurity risks.”

Industry Concerns and Recommendations

  • Overly burdensome requirements: CISA should revise the definition of “covered cyber incident” to a higher threshold for reporting to prevent unnecessary administrative load.
  • Disproportionate compliance costs: the estimated compliance cost of over $1.4 billion is seen as disproportionate to the benefits. These funds could be better spent on actual cybersecurity measures rather than on reporting.
  • Reporting deadlines are unclear and increase the risk of attack: the proposed rule’s 72-hour reporting requirement and 24-hour ransom payment reporting deadline could hinder effective incident response and increase vulnerability to additional attacks.
  • The proposed rule adds another reporting requirement to an already cluttered landscape. CISA should harmonize its reporting requirements to reduce compliance burdens.

The Real Estate Roundtable’s Homeland Security Task Force and RE-ISAC will continue to be resources and assist CISA in the development of clear, effective, and secure cyber incident reporting rules.

Roundtable Policy Advisory Committees Drill Into Sustainability and Security Issues at 2024 SOI Meeting

The Roundtable’s Sustainability Policy Advisory Committee (SPAC) meeting at the 2024 State of the Industry meeting

National policies and agency actions related to climate, environmental, and energy issues were among the many topics on The Roundtable’s Sustainability Policy Advisory Committee (SPAC) agenda at the SOI meeting. Additionally, The Roundtable’s Homeland Security Task Force (HSTF) and Risk Management Working Group (RMWG) met to discuss evolving security threats impacting CRE.

Special Roundtable SPAC workshop on EPA’s ENERGY STAR Portfolio Manager benchmarking tool.
  • SPAC members also attended a special session with EPA staff where Roundtable members provided detailed industry feedback about the first major enhancements in a decade that are under consideration for EPA’s ENERGY STAR Portfolio Manager benchmarking tool.
The Roundtable’s Homeland Security Task Force (HSTF) and Risk Management Working Group (RMWG)
  • The Roundtable’s HSTF and RMWG joint meeting on Jan. 24 addressed China’s espionage efforts impacting American corporations; the emerging use of Artificial Intelligence as a new risk vector; and the current dynamic in pricing and coverage in commercial insurance markets. (HSTF & RMWG joint agenda | Roundtable 2024 Homeland Security Priorities)

Next on The Roundtable’s 2024 meeting calendar is the Spring Meeting on April 15-16. This upcoming meeting is restricted to Roundtable-level members only.

#  #  #

2023 Annual Report – Sustained Strength, Sustained Solutions

    Senate Bill Introduced to Require Federal Guidance on Cybersecurity Insurance

    Federal guidance on cyber insurance policies is the focus of a new bipartisan Senate bill introduced on Feb. 21 that aims to protect businesses and consumers against cyberattacks. (PoliticoPro, Feb. 21)

    Cyber Issues

    • The Insure Cybersecurity Act will direct the National Telecommunications and Information Administration (NTIA) to mitigate digital risk by developing recommendations for issuers, agents, brokers, and customers to improve communication over cybersecurity insurance coverage levels.
    • Co-sponsored by Sens. John Hickenlooper (D-CO) and Shelley Moore Capito (R-WV), the bill also directs an NTIA task force to develop policy recommendations relating to ransomware or ransom payments, and the “terminology used in policies to include or exclude losses” due to cyber terrorism or acts of war.
    • Hickenlooper is the new chair of the Commerce Committee’s Subcommittee on Consumer Protection, Product Safety, and Data Security.
    • A 2021 Government Accountability Office report found that ambiguity in policy language can result in misunderstandings and litigation between issuers and policyholders—and underestimations of coverage needed to protect against cyber risks.

    The Roundtable’s Homeland Security Task Force continues working with the Real Estate Information Sharing and Analysis Center (RE-ISAC), federal officials, and real estate companies about threats to the business cyber environment with the aim of mitigating cyber intrusions.

    #  #  #

    Treasury Issues Alert on Potential Russian Attempts to Evade Sanctions Through U.S. CRE Investments

    The Treasury Department’s Financial Crimes Enforcement Network (FinCEN) warned financial institutions this week about how Russian elites and their proxies may attempt to evade sanctions by exploiting vulnerabilities in the U.S. commercial real estate market. (FinCEN Alert | Bloomberg and Wall Street Journal, Jan. 25) 

    Russian Exploitation 

    • Treasury has imposed wide-ranging sanctions on certain Russian elites, their proxies, and others who have provided support for Russia’s brutal war against Ukraine. (Treasury’s Sanctions List Updates)
       
    • FinCEN Acting Director Himamauli Das said, “Today we are identifying red flags and typologies in commercial real estate transactions that financial institutions can use to remain vigilant in monitoring, detecting, and reporting suspicious activity that may be indicative of sanctions evasion by sanctioned Russian elites, oligarchs and their proxies.” (Treasury news release, Jan. 25)
       
    • FinCEN’s 11-page alert warns that sanctioned Russian elites and their proxies may pose as CRE investors seeking to evade sanctions by using shell companies, trusts, and pooled investment vehicles, including offshore funds, in order to avoid customer due diligence obligations and beneficial ownership protocols established by financial institutions.
    • The alert also reminds financial institutions involved in loan syndication—including banks, life insurers, and other types of companies regulated by the Bank Secrecy Act—that Section 314(b) of the USA PATRIOT Act provides a safe harbor that offers protections from liability for financial institutions who share information with one another on suspected money laundering or terrorist activities.
       
    • Questions or comments regarding the alert should be sent to the FinCEN Regulatory Support Section at frc@fincen.gov

    The Treasury Department issued a final rule last Sept. that will require millions of companies to report information about their “beneficial owners”—persons who own at least 25% of a company or exert significant authority over it—to FinCEN. (Roundtable Weekly, Sept. 30, 2022 | Final Treasury Rule | Fact Sheet | Wall Street Journal and Bloomberg Law, Sept. 29) 

    #  #  # 

    Federal Officials, Roundtable Focus on Potential Election-Related Threats

    This week, U.S. security officials released information on their efforts to secure the nation’s election infrastructure and protect American voters from intimidation, discrimination or threats of violence related to the Nov. 8 midterm elections. The potential for political violence, cyberattacks and mitigation strategies were also among the topics of discussion during yesterday’s Real Estate Roundtable Homeland Security Task Force (HSTF) virtual meeting. (Presentation to HSTF | Justice Department bulletin and Politico, Oct. 24)

    Election Security

    • As election sites and offices are hardening formerly soft targets, hiring security guards, and installing bulletproof and bomb-resistant glass, the HSTF meeting featured a discussion with Mohamed Telab—Deputy Regional Director (DRD) for the Cybersecurity and Infrastructure Security Agency’s (CISA) Region II—on federal resources available for securing elections. (Axios, Oct. 9 and CISA website)
    • Earlier this month, CISA Director Jen Easterly said, “At this time, we are not aware of any specific or credible threats to compromise or disrupt election infrastructure” although the current threat environment is “more complex than it has ever been.” (Politico, Oct. 24 and Reuters, Oct. 17)
    • The FBI previously issued a public service announcement on Oct. 12 warning about election crimes and the Department of Homeland Security announced in June that “calls for violence by domestic violent extremists” against election workers, candidates and democratic institutions will likely rise closer to the midterms. (CNBC, Oct. 27)

    Local Tactics

    • Domestic disinformation campaigns and homegrown threats to poll workers are emerging as more significant concerns ahead of the midterm elections than foreign interference. Extremists are reportedly focusing their efforts locally, monitoring neighborhood ballot boxes and signing up as poll workers. (Axios, Oct. 26)

    The Roundtable’s HSTF and the Real Estate Information Sharing and Analysis Center (RE-ISAC) work closely with federal officials on potential cyber and physical threats to CRE. Roundtable members interested in participating in the HSTF or RE-ISAC can contact Roundtable Senior Vice President Chip Rodgers or call 202-639-8400.

    #  #  # 

    National Counterterrorism Center Offers Private Sector a Preview of New Platform to Protect Against Threats

    The National Counterterrorism Center (NCTC) on Sept 28 will preview its new aCTknowledge platform, designed to deliver timely situational awareness notifications covering terrorist events that may impact local communities.

    How to Participate

    • CRE participants can join the preview here:
    • Wednesday, September 28 from 1:00–2:00 pm (ET)
    • Zoom link
      • Meeting ID: 833 6363 8044 
      • Passcode: 591990
    • The aCTknowledge platform will provide significant tactics, techniques, and procedures to support homeland security, law enforcement, and community first responder efforts aimed at protecting against terrorist threats. Additionally, NCTC’s aCTknowledge will offer reference guides to aid in rapid response and deployment, helping with private sector efforts. (See fact sheet about the new platform)

    Roundtable Efforts

    • The Roundtable—through our Homeland Security Task Force (HSTF) and partnership with the Real Estate Information Sharing and Analysis Center (RE-ISAC)—remains focused on increased cross-agency information sharing and cooperation with key law enforcement and intelligence agencies that benefit the industry.
    • The RE-ISAC sends a daily report to members to share actionable information on a variety of potential cyber and physical threats. Additionally, The Roundtable’s HSTF works closely with federal, state, and local law enforcement, intelligence agency partners, and the RE-ISAC on risk mitigation measures that CRE businesses may consider to help protect critical infrastructure.

    See The Roundtable’s 2022 Annual Report’s Homeland Security section.

    #  #  # 

    2022 Annual Report – Building a More Resilient and Dynamic Future

    DHS Warns of Increased Extremist Threats Through November Midterm Elections

    The Department of Homeland Security (DHS) issued a National Terrorism Advisory System Bulletin this week, warning of a “heightened threat environment” affecting targets that encompass U.S. critical infrastructure, public gatherings, faith-based institutions, schools, racial, ethnic, and religious minorities, government facilities and personnel, the media, and perceived ideological opponents. (DHS Bulletin, June 7) 

    CRE & Security Threats 

    Cathy Lanier

    Gun Violence

    • Three real estate CEOs who have served on The Roundtable’s Board of Directors joined 225 other national business leaders in a joint letter to the Senate yesterday, urging “bold urgent action” to address gun violence. (CBS News, June 10)
    • Roundtable members Owen Thomas (CEO & Director, Boston Properties/BXP), Scott Rechler (Chairman and CEO, RXR) and William Rudin (Co-Chairman & CEO, Rudin Management Company) are signatories on the joint letter.
    • The letter states, “Taken together, the gun violence epidemic represents a public health crisis that continues to devastate communities—especially Black and Brown communities—and harm our national economy.” (CNBC, June 10) 

    • Roundtable President and CEO Jeffrey DeBoer issued a May 27 statement on gun violence in America, calling on Democrats and Republicans “… to pass common sense legislation to remove weapons of war from America’s cities and communities.” 

    The Roundtable’s 2022 Roundtable Policy Agenda states, “As a critical part of the nation’s infrastructure, real estate continues to face an array of threats from natural catastrophes, international and domestic terrorism, criminal activity, cyber-attacks, and border security. To address such threats, The Roundtable continues to help build a more secure and resilient industry against both physical and cyber threats.” 

    #  #  # 

    Roundtable Convenes Town Hall on Ukraine With Alexander Vindman; Biden Administration Warns About Russian Cyberattacks

    Lieutenant Colonel (Ret.) Alexander Vindman, Senior Advisor of VetVoice Foundation, today discussed the conflict in Ukraine during a Real Estate Roundtable virtual town hall. In recent years, Vindman served on the White House’s National Security Council as the Director for Eastern Europe, the Caucasus, and Russia. (Watch video discussion)

    Focus on Ukraine

    • Vindman and Roundtable President and CEO Jeffrey DeBoer addressed Ukraine in the context of Democracy vs. Authoritarianism, the spillover effects of the war, and the need for a future international reconstruction effort.
    • “It’s a geopolitical earthquake that has unfolded over the past year, culminating in a war between the largest country in the world and the largest country in Europe,” Vindman stated.
    • In addition to the devastating human and physical destruction, the war’s spillover effects include interruptions to the supply of crucial commodities such as neon and titanium, and food supplies for the Middle East and Africa.
    • “The longer this war continues, the greater the chance of spillover,” Vindman said, citing the Russian attack on a Ukrainian nuclear power plant, and the potential use of cyberwarfare and chemical weapons.
    • He added the war’s eventual outcome will be a significant setback to Authoritarianism – and that the West should keep a door open for a reconciliation with Russia after Putin is gone.
    • Vindman and DeBoer also discussed the need for an enormous reconstruction effort, which Vindman said could amount to a $100 billion international fund that could take the form of a public-private partnership. (Watch video discussion)
    • Roundtable members can support Ukraine against the Russian invasion via the VetVoice Foundation.

    U.S. Support

    • Since the invasion of Ukraine began, over 450 U.S. companies have announced their withdrawal from Russia, shutting down 25% of Russia’s gross domestic product (GDP), according to Professor Jeffrey Sonnenfeld at the Yale Chief Executive Leadership Institute. Sonnenfeld’s research team maintains a list of companies that have either withdrawn from Russia completely, suspended or scaled back operations, or delayed investments. (Fortune, March 16)
    • Many American Hotel & Lodging Association members, including Hilton and Marriott International, recently announced donations for humanitarian aid; the closure of their corporate offices in Moscow; and a suspension of all future hotel development and investment in Russia. (TravelPulse, March 21 and Roundtable Weekly, March 18)

    White House CyberSecurity Warning 

    • President Joe Biden alerted U.S. business leaders on March 21 that “based on evolving intelligence, Russia may be planning a cyberattack against us.” Biden added, “[I]t’s a patriotic obligation for you to invest as much as you can in making sure … you have built up your technological capacity to deal … with cyberattacks.” (Remarks by President Biden | White House Statement | Fact Sheet: Act Now to Protect Against Potential Cyberattacks, March 21)
    • The growing concern about a possible Russian cyberattack response over U.S. sanctions also led White House Deputy National Security Adviser for Cyber and Emerging Technology Anne Neuberger, above, to clarify that although “there is no certainty” of an attack, Biden’s warning was intended to focus attention on “critical infrastructure.” (White House Press Briefing video | BGov and Axios, March 21)

    The Real Estate Roundtable’s Homeland Security Task Force and the Real Estate Information Sharing and Analysis Center (RE-ISAC) continue to work with its members, key law enforcement and intelligence agencies to help manage and mitigate cyber and physical threats to the commercial facilities sector. (Information on joining the RE-ISAC and Roundtable Weekly, March 4) 

    #  #  #