NAA and NMHC Respond to SEC’s Proposed Cybersecurity Risk Management and Disclosure Rule

May 20, 2022

Updated May 20, 2022


As federal policymakers sharpen their focus on cybersecurity, NAA and NMHC are working to ensure the apartment industry’s business operations are understood and accounted for in any proposed rules or legislation.

According to U.S. intelligence, there has been a significant increase in malicious cyber activity connected to Russia since Russia invaded Ukraine in February. These cyber-attacks are directed at organizations both in and beyond the region. As apartment companies bolster their cyber defenses, policymakers are looking at measures to mitigate the threat and encourage information sharing.

And as Washington zeroes in on this critical topic, NAA and NMHC remain engaged so the multifamily industry’s business operations are understood and reflected in any proposed rules or legislation. As such, we took recent action on a newly proposed SEC rule.

What This Means

In an effort to bolster cybersecurity and to ensure that investors receive comparable material information regarding companies' cyber risk management and incidents, the Securities and Exchange Commission (SEC) issued a Proposed Rule related to Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure.

Access the proposed rule.

Access the SEC proposed rule fact sheet.

Why This Is Critical for Our Industry

Because most public apartment firms will be required to comply, the proposed rule could have a significant impact on the multifamily industry.

Rather than establishing the necessary, flexible standard for data security and incident notification, the proposed rule misses the mark. As a result, apartment firms will still be left complying with the current patchwork of state laws and federal agency rulemakings.

Our Take

To inform the SEC’s final rule, NAA and NMHC submitted comments aimed at addressing overly burdensome regulations on the apartment industry that would unintentionally expose our members to substantially greater cybersecurity risks.

The SEC’s Proposed Rule requires companies to assume unnecessary, but significant, legal and cybersecurity risks. Specifically, the letter highlights these concerns within the proposed rule:

  • Detailed reporting requirements concerning a company's cybersecurity risk management policies and procedures.
  • Overly burdensome reporting requirements at the time of an incident and in subsequent quarterly and annual reports.
  • The requirement to disclose a "material cybersecurity incident" before the threat actor has been fully neutralized, which can create additional vulnerabilities and legal risks for a company.
  • Lack of clear direction regarding how a company should evaluate the cybersecurity practices of third-party service providers.
  • The absence of a comprehensive safe harbor provision, which is necessary to encourage disclosure and best efforts to meet compliance.

Access our comment letter on the SEC’s website.