[Senate Report 114-423]
[From the U.S. Government Publishing Office]


                                                      Calendar No. 511
114th Congress      }                                   {       Report
                                 SENATE
 2d Session         }                                   {      114-423

======================================================================



 
         SMALL BUSINESS CYBER SECURITY IMPROVEMENTS ACT OF 2016

                                _______
                                

               December 20, 2016.--Ordered to be printed

   Filed, under authority of the order of the Senate of December 10 
                  (legislative day, December 9), 2016

                                _______
                                

Mr. Vitter, from the Committee on Small Business and Entrepreneurship, 
                        submitted the following

                              R E P O R T

                         [To accompany S. 3024]

    The Committee on Small Business and Entrepreneurship, to 
which was referred the bill (S. 3024) to improve cybersecurity 
for small businesses, having considered the same, reports 
favorably thereon without amendment and recommends that the 
bill do pass.

                            I. INTRODUCTION

    S. 3024 was introduced by Senator Vitter, with co-
sponsorship from Senator Peters and Senator Coons, on June 9, 
2016.
    The Small Business Cyber Security Improvements Act of 2016 
amends the Small Business Act to authorize the Small Business 
Administration (SBA), working with the Department of Homeland 
Security (DHS), to help Small Business Development Centers 
(SBDCs) develop cybersecurity strategies for small businesses. 
During the markup of the bill, the bill was approved 
unanimously by roll call vote, with Senator Ernst opposing the 
legislation and all other senators supporting it.

              II. HISTORY (PURPOSE & NEED FOR LEGISLATION)

    By one estimate, three out of every five cyberattacks now 
target a small business. With America's 28 million small 
businesses comprising up to 54 percent of annual U.S. sales, 
the frequency of such attacks and the high costs they create 
for small businesses could have ripple effects throughout the 
economy. Unfortunately, small businesses are often not prepared 
to prevent cyberattacks or easily recover from the damages. A 
recent report by Internet security firm McAfee found that 90% 
of small- to medium-sized businesses do not protect customer 
information through advanced data protection. According to a 
report by Verizon Enterprise, a shocking 71 percent of cyber-
attacks occur in businesses with less than 100 employees. To 
curb these risks, existing support structures and services must 
be adequately modernized and updated to provide greater 
cybersecurity assistance to small businesses.

                      III. HEARINGS & ROUNDTABLES

    In the 114th Congress, the House of Representatives held 
two hearings on this topic. On July 6, 2016, the House 
Committee on Small Business held a hearing entitled ``Foreign 
Cyber Threats: Small Business, Big Target.'' The committee 
heard testimony from representatives of the Homeland and 
National Law Program, Nisos Group, Wiley Rein LLP, and Ex 
Nihilo. The hearing examined the potential cyber opportunities 
that can be utilized by small businesses, the vulnerabilities 
faced by small business that rely on the Internet, and 
opportunities to help small businesses protect themselves.
    On June 15, 2016, the House Subcommittee on Cybersecurity, 
Infrastructure Protections, and Security Technologies held a 
hearing entitled ``Oversight of the Cybersecurity Act of 
2015.'' The committee heard testimony from the U.S. Chamber of 
Commerce, the United States Telecom Association, Soltra, and CA 
Technologies. The hearing examined industry perspectives and 
the recommended path forward for the Department of Homeland 
Security (DHS) in its implementation of the Cybersecurity 
Information Sharing Act of 2015 (CISA). The Committee also 
examined the progress made by DHS in the implementation of CISA 
and discussed how well the Department works with its 
information-sharing partners in industry. Additionally, the 
Committee considered the possibilities for future growth and 
improvement in the DHS cyber-mission.

                        IV. DESCRIPTION OF BILL

    This bill updates the Small Business Act to authorize Small 
Business Development Centers (SBDC) to offer cybersecurity 
support to small businesses in accordance with an SBDC Cyber 
Strategy, which is to be developed jointly by the Department of 
Homeland Security and the Small Business Administration in 
consultation with SBDCs. SBDCs have been on the ground helping 
small businesses for more than 30 years and this bill will 
provide them with the resources, tools, and guidance they need 
to better meet the 21st century needs of small businesses.

                           V. COMMITTEE VOTE

    In compliance with rule XXVI(7)(b) of the Standing Rules of 
the Senate, the following vote was recorded on June 8, 2016.
    A motion to adopt S. 3024, a bill to improve cybersecurity 
for small business, was approved by roll call vote, with 
Senator Ernst opposing the legislation and all other senators 
supporting it.

                           VI. COST ESTIMATE

    In compliance with rule XXVI(11)(a)(1) of the Standing 
Rules of the Senate, the Committee estimates the cost of the 
legislation will be equal to the amounts discussed in the 
following letter from the Congressional Budget Office:

                                                      July 8, 2016.
Hon. David Vitter,
Chairman, Committee on Small Business and Entrepreneurship,
U.S. Senate, Washington, DC.
    Dear Mr. Chairman: The Congressional Budget Office has 
prepared the enclosed cost estimate for S. 3024, the Small 
Business Cyber Security Improvements Act of 2016.
    If you wish further details on this estimate, we will be 
pleased to provide them. The CBO staff contact is Stephen 
Rabent.
            Sincerely,
                                                        Keith Hall.
    Enclosure.

S. 3024--Small Business Cyber Security Improvements Act of 2016

    S. 3024 would direct the Small Business Administration 
(SBA) and Department of Homeland Security (DHS) to develop a 
strategy and methods for small business development centers 
(SBDC) to provide cyber security counseling, awareness, 
assistance, and training to their clients. It also would direct 
SBDC's to provide small businesses with access to cyber 
security specialists to develop security infrastructure, 
increase awareness, and improve training programs. S. 3024 
would require the Government Accountability Office (GAO) to 
conduct a study on current federal programs aimed at assisting 
small businesses with enhancing cyber security. Finally, S. 
3024 would authorize DHS, and other federal agencies, to 
provide information about cyber security risk to small 
businesses.
    Based on information from the SBA and DHS about the 
resources needed to complete those tasks, CBO estimates that 
implementing S. 3024 would cost $1 million over the 2017-2021 
period, mostly to complete the strategy and develop the report; 
such spending would be subject to the availability of 
appropriated funds. Based on the cost of similar studies, CBO 
estimates that requiring GAO to complete a report would cost 
less than $500,000. Enacting S. 3024 would not affect direct 
spending or revenues; therefore, pay-as-you-go procedures do 
not apply.
    CBO estimates that enacting S. 3024 would not increase net 
direct spending or on-budget deficits in any of the four 
consecutive 10-year periods beginning in 2027.
    S. 3024 contains no intergovernmental or private-sector 
mandates as defined in the Unfunded Mandates Reform Act and 
would not affect the budgets of state, local, or tribal 
governments.
    On July 7, 2016, CBO transmitted a cost estimate for H.R. 
5064, the Improving Small Business Cyber Security Act of 2016, 
as ordered reported by the House Committee on Homeland Security 
on June 8, 2016. The two pieces of legislation are similar and 
CBO's estimates of the budgetary effects are the same.
    The CBO staff contacts for this estimate are Stephen Rabent 
and William Ma. The estimate was approved by H. Samuel 
Papenfuss, Deputy Assistant Director for Budget Analysis.

                  VII. EVALUATION OF REGULATORY IMPACT

    In compliance with rule XXVI(11)(b) of the Standing Rules 
of the Senate, it is the opinion of the Committee that no 
significant additional regulatory impact will be incurred in 
carrying out the provisions of this legislation. There will be 
no additional impact on the personal privacy of companies or 
individuals who utilize the services provided.

                   VIII. SECTION-BY-SECTION ANALYSIS

Section 1--Short title

    This section provides the title of this Act (``Small 
Business Cyber Security Improvements Act of 2016'').

Section 2--Role of Small Business Development Centers in cyber security 
        and preparedness

    This section directs Small Business Development Centers 
(SBDCs) to provide access to business analysts who can refer 
small business concerns to available experts and assistance as 
described in the Small Business Cyber Security Improvement Acts 
of 2016.
    This section also outlines, to the extent practicable, 
SBDCs will provide access to external cybersecurity specialists 
to counsel, assist, and inform small business concerns as 
outlined in the Small Business Cyber Security Improvements Act 
of 2016.

Section 3--Additional cyber security assistance for Small Business 
        Development Centers

    This section allows the Department of Homeland Security 
(DHS), and any other Federal agency, in coordination with DHS 
to provide assistance to SBDCs by disseminating cybersecurity 
risk information and other homeland security information to 
help small businesses develop and/or enhance their 
cybersecurity infrastructure, cyber threat awareness, and cyber 
training programs for employees.

Section 4--GAO study on small business cyber support services and Small 
        Business Development Center cyber strategy

    This section defines key terms: ``Administrator'' means the 
Administrator of the Small Business Administration, 
``Association'' means America's Small Business Development 
Center (ASBDC) Association, and ``Secretary'' means the 
Secretary of Homeland Security.
    This section also directs the Comptroller General to report 
on the cybersecurity resources of federal agencies that can 
assist with the overall mission of this legislation, including 
developing cybersecurity infrastructure, awareness, and 
training.
    The report will include accounting and description of all 
programs, projects, and activities of federal agencies that 
provide assistance to small businesses in developing or 
enhancing cyber security infrastructure, cyber threat 
awareness, or cyber training programs for employees. The report 
also includes an assessment of how widely used the resources 
are by small businesses and a review of whether or not these 
resources are duplicative of other programs or structured in a 
manner that makes the resources accessible to small businesses. 
The Comptroller General will submit a report of findings and 
determinations to Congress, the Administrator, and the 
Secretary.

                                  [all]