"The SBA will be required to conduct an annual assessment of IT equipment and cybersecurity capabilities, and provide Congress a detailed account of any cyber security risk," said Rep. Young Kim (R-CA) who co-sponsored the bill.
"For more than 25 years, the SBA office has listed IT Security as one of the most serious management and performance challenges facing the agencies," said Rep. Nydia M. Velazquez (D-NY), who spoke in support of the bill. "These vulnerabilities were exposed during the rollout of the SBA Covid-19 programs. The unprecedented demand for the programs inundated legacy systems leading to crashes, portals operating slowly, and a data breach of applicants."
"A glitch in an idle application system led to an exposure of personal information of over 8,000 applicants with no public announcement of the data breach until weeks later," said Rep. Jason Crow (D-Colorado).
Rep Velazquez noted that, "We want a system in place before the next cybersecurity breach."
If the bill ends up being signed into law, the SBA administrator will be required to let both small businesses and Congress know of a cyber attack within 30 days.
"Cyber threats are the biggest threats to our economy, small businesses, and way of life," Rep. Crow continued. "This bill would ensure that we are doing everything we can to protect the millions of small businesses that the SBA serves and prepare them for 21st Century Threats."