Bill Overview
Title: SBA Cyber Awareness Act
Description: This act requires the Small Business Administration (SBA) to annually report specified information related to cybersecurity awareness. Such reports must include (1) a strategy to increase the cybersecurity of the SBA's information technology (IT) infrastructure, (2) a supply chain risk management strategy that includes risk mitigation activities for IT components originating from an entity that has its principal place of business in China, and (3) any SBA cybersecurity incident that occurred during the two years prior to the initial report (including the SBA's action to respond to or remediate it).
Sponsors: Rep. Crow, Jason [D-CO-6]
Target Audience
Population: Individuals associated with small businesses potentially impacted by SBA cybersecurity measures
Estimated Size: 60000000
- The SBA is a U.S. government agency that primarily assists small businesses within the United States.
- Small businesses rely on the SBA for loans, grants, and various forms of support, making them a direct stakeholder in SBA's operations.
- Cybersecurity of the SBA's IT infrastructure may impact the data security and operational effectiveness of small businesses using SBA services.
- Small businesses constitute a significant part of the U.S. economy, contributing approximately 44% of U.S. economic activity.
- Any cybersecurity weaknesses in the SBA could potentially lead to data breaches affecting millions of small businesses and their employees.
Reasoning
- A range of individuals related to small businesses, such as owners, employees, and local community advocates, will have different perspectives on the impact of this policy.
- The financial constraints will limit the direct impact of the policy to improving cybersecurity strategies and likely not extend to providing financial help directly to businesses for their cybersecurity improvements.
- The impact on wellbeing will vary as the policy may indirectly affect confidence in using SBA services.
- While the focus is on cybersecurity, the individual perception of risk varies, which affects how much the policy changes their wellbeing.
Simulated Interviews
Small Business Owner (Houston, Texas)
Age: 45 | Gender: male
Wellbeing Before Policy: 6
Duration of Impact: 10.0 years
Commonness: 8/20
Statement of Opinion:
- I believe the policy is a good step forward. Cybersecurity is critical in today's digital age, especially for tech companies like mine.
Wellbeing Over Time (With vs Without Policy)
| Year | With Policy | Without Policy |
|---|---|---|
| Year 1 | 7 | 6 |
| Year 2 | 7 | 5 |
| Year 3 | 7 | 5 |
| Year 5 | 8 | 5 |
| Year 10 | 8 | 5 |
| Year 20 | 9 | 4 |
Software Developer (San Francisco, California)
Age: 30 | Gender: female
Wellbeing Before Policy: 8
Duration of Impact: 5.0 years
Commonness: 6/20
Statement of Opinion:
- It's comforting to know that there will be regular cybersecurity updates. Our company depends on SBA systems for loans.
Wellbeing Over Time (With vs Without Policy)
| Year | With Policy | Without Policy |
|---|---|---|
| Year 1 | 8 | 8 |
| Year 2 | 8 | 8 |
| Year 3 | 9 | 8 |
| Year 5 | 9 | 8 |
| Year 10 | 9 | 7 |
| Year 20 | 8 | 6 |
Non-profit Consultant (Miami, Florida)
Age: 54 | Gender: female
Wellbeing Before Policy: 7
Duration of Impact: 7.0 years
Commonness: 5/20
Statement of Opinion:
- Many of my clients rely on SBA, so strong cybersecurity is essential. This policy provides some reassurance.
Wellbeing Over Time (With vs Without Policy)
| Year | With Policy | Without Policy |
|---|---|---|
| Year 1 | 7 | 7 |
| Year 2 | 8 | 7 |
| Year 3 | 8 | 7 |
| Year 5 | 8 | 6 |
| Year 10 | 8 | 6 |
| Year 20 | 7 | 5 |
Cybersecurity Specialist (Chicago, Illinois)
Age: 40 | Gender: male
Wellbeing Before Policy: 5
Duration of Impact: 10.0 years
Commonness: 4/20
Statement of Opinion:
- It's a decent start but $50 million isn't much. I think more investment is needed.
Wellbeing Over Time (With vs Without Policy)
| Year | With Policy | Without Policy |
|---|---|---|
| Year 1 | 5 | 5 |
| Year 2 | 6 | 5 |
| Year 3 | 7 | 5 |
| Year 5 | 7 | 5 |
| Year 10 | 7 | 5 |
| Year 20 | 6 | 4 |
Freelancer (Austin, Texas)
Age: 27 | Gender: other
Wellbeing Before Policy: 6
Duration of Impact: 3.0 years
Commonness: 7/20
Statement of Opinion:
- While indirectly affecting me, it seems like a cautious step towards better digital integrity.
Wellbeing Over Time (With vs Without Policy)
| Year | With Policy | Without Policy |
|---|---|---|
| Year 1 | 6 | 6 |
| Year 2 | 6 | 6 |
| Year 3 | 7 | 6 |
| Year 5 | 6 | 6 |
| Year 10 | 6 | 5 |
| Year 20 | 5 | 5 |
Financial Analyst (New York, New York)
Age: 39 | Gender: female
Wellbeing Before Policy: 6
Duration of Impact: 5.0 years
Commonness: 7/20
Statement of Opinion:
- SBA cyber policy strategy is crucial for maintaining business trust. A financial loss due to cyber issues would be disastrous for SMBs.
Wellbeing Over Time (With vs Without Policy)
| Year | With Policy | Without Policy |
|---|---|---|
| Year 1 | 6 | 6 |
| Year 2 | 6 | 6 |
| Year 3 | 7 | 6 |
| Year 5 | 7 | 6 |
| Year 10 | 7 | 6 |
| Year 20 | 6 | 5 |
Small Business Advocate (Boulder, Colorado)
Age: 50 | Gender: male
Wellbeing Before Policy: 7
Duration of Impact: 10.0 years
Commonness: 3/20
Statement of Opinion:
- For rural areas where resources are limited, any cybersecurity improvement is vital.
Wellbeing Over Time (With vs Without Policy)
| Year | With Policy | Without Policy |
|---|---|---|
| Year 1 | 7 | 7 |
| Year 2 | 8 | 6 |
| Year 3 | 8 | 6 |
| Year 5 | 8 | 6 |
| Year 10 | 8 | 5 |
| Year 20 | 8 | 4 |
Retired Tech Executive (Seattle, Washington)
Age: 61 | Gender: female
Wellbeing Before Policy: 7
Duration of Impact: 5.0 years
Commonness: 4/20
Statement of Opinion:
- In my experience, proactive cybersecurity is a lifeline for ensured business continuation.
Wellbeing Over Time (With vs Without Policy)
| Year | With Policy | Without Policy |
|---|---|---|
| Year 1 | 7 | 7 |
| Year 2 | 7 | 7 |
| Year 3 | 8 | 7 |
| Year 5 | 8 | 7 |
| Year 10 | 8 | 6 |
| Year 20 | 7 | 5 |
Small Manufacturing Owner (Philadelphia, Pennsylvania)
Age: 36 | Gender: male
Wellbeing Before Policy: 5
Duration of Impact: 8.0 years
Commonness: 6/20
Statement of Opinion:
- Cyber risk affects all industries. Anything to minimize this risk is welcome.
Wellbeing Over Time (With vs Without Policy)
| Year | With Policy | Without Policy |
|---|---|---|
| Year 1 | 6 | 5 |
| Year 2 | 7 | 5 |
| Year 3 | 7 | 5 |
| Year 5 | 7 | 5 |
| Year 10 | 7 | 5 |
| Year 20 | 6 | 4 |
HR Manager (Detroit, Michigan)
Age: 43 | Gender: female
Wellbeing Before Policy: 6
Duration of Impact: 4.0 years
Commonness: 8/20
Statement of Opinion:
- Enhanced cybersecurity is overdue. I was worried about data breaches.
Wellbeing Over Time (With vs Without Policy)
| Year | With Policy | Without Policy |
|---|---|---|
| Year 1 | 7 | 6 |
| Year 2 | 7 | 6 |
| Year 3 | 7 | 6 |
| Year 5 | 7 | 6 |
| Year 10 | 6 | 5 |
| Year 20 | 6 | 5 |
Cost Estimates
Year 1: $50000000 (Low: $45000000, High: $55000000)
Year 2: $35000000 (Low: $30000000, High: $40000000)
Year 3: $35000000 (Low: $30000000, High: $40000000)
Year 5: $35000000 (Low: $30000000, High: $40000000)
Year 10: $35000000 (Low: $30000000, High: $40000000)
Year 100: $35000000 (Low: $30000000, High: $40000000)
Key Considerations
- The effectiveness of the policy heavily depends on the timely implementation of cybersecurity measures.
- The level of collaboration between SBA and cybersecurity experts will influence the overall success and cost-effectiveness.
- Data security regulations might impact SBA operations and require additional resources to meet compliance.