House Small Business Committee Passes Crow’s Bipartisan Cybersecurity Legislation

July 29, 2021
Press Release

The SBA Cyber Awareness Act Would Promote Cybersecurity at the Small Business Administration

WASHINGTON - Today, the House Small Business Committee passed the SBA Cybersecurity Act, bipartisan legislation introduced by Rep. Jason Crow (D-CO) and Young Kim (R-CA) that would strengthen the Small Business Administration’s (SBA) cybersecurity to handle and report cyber threats that affect small businesses. The SBA Cybersecurity Act will now head to the House floor for a vote. 

“Cyberattacks are one of the biggest threats to our economy and small businesses, and this bill would ensure that we are doing everything we can to protect the millions of small businesses the SBA serves,” said Rep. Jason Crow. “I’m proud the Small Business Committee voted to pass this legislation and look forward to a vote on the House floor.” 

“Rising cyberattacks are compromising small business owners’ security, hurting businesses’ ability to keep their doors open and employees on payroll, undermining our public institutions, and discouraging future entrepreneurs from establishing a small business and creating jobs,” said Congresswoman Young Kim. “We must ensure that small business owners can safely utilize the Small Business Administration’s resources. I thank Chairman Crow for working with me on the SBA Cyber Awareness Act and my Small Business Committee colleagues for prioritizing cybersecurity at the Small Business Administration. I’ll always fight for our small business owners and entrepreneurs in Congress.”  

In recent years, cyberattacks have increased and federal agencies are not immune. For more than two decades, the SBA’s Inspector General has listed IT security as one of the most serious management and performance challenges facing the SBA. 

Over the course of the COVID-19 pandemic, unprecedented demand for relief programs like the Paycheck Protection Program (PPP) and Economic Injury Disaster Loan Program (EIDL) have inundated SBA’s legacy systems, leading to backend system crashes, portals operating slowly, and a glitch that led to a data breach of applicants’ personal information. On March 25, 2020, SBA discovered a flaw in its EIDL application system that exposed the personal information of up to 8,000 individuals to other applicants. Exposed data included email addresses, citizenship status, insurance information, birth dates, phone numbers, addresses, and Social Security Numbers. SBA failed to make any public announcement about the data breach, and it wasn’t until April 13, 2020 that the agency sent paper notifications to affected individuals. 

The bill would expand cybersecurity operations at the SBA by requiring the Small Business Administration to issue a report assessing the agency’s ability to combat cyber threats within six months of passage. Specifically, the report would disclose: 

  • SBA’s cybersecurity infrastructure;
  • the SBA’s strategy to improve cybersecurity protections; 
  • any equipment used by the SBA and manufactured by a company headquartered in China; and 
  • any incident of cyber risk at the SBA and the agency’s actions to confront it. 

Finally, recognizing that a cyberattack to the agency could put the sensitive information and intellectual property of small businesses at risk, the legislation would require SBA to notify Congress of future breaches with information on those affected and how the breach occurred.

Crow first introduced the SBA Cyber Awareness Act in April of 2019. Crow is a member of the House Small Business Committee and chair of the Innovation and Workforce Development Subcommittee. In Colorado, small businesses employ 1.1 million people. The state is home to over 610,000 small businesses of which 15% are minority-owned.