Bill Overview
Title: Small Business Cybersecurity Enhancement Act
Description: This bill authorizes the Small Business Administration to guarantee up to 90% of the amount of a loan made to a small business that has 100 or fewer employees, has been in business for at least one year, and has obtained training from a small business development center. The loan guarantee must be used for the acquisition of cybersecurity technology and services and the cost of the installation or use of such technology and services. For purposes of this bill, cybersecurity technology and services excludes information technology whose sole use is financial management, maintenance of inventory of basic supplies, or appointment scheduling.
Sponsors: Rep. Schneider, Bradley Scott [D-IL-10]
Target Audience
Population: Small businesses with 100 or fewer employees seeking cybersecurity enhancements
Estimated Size: 10,000,000
- Small businesses are defined by this bill as having 100 or fewer employees and being operational for at least one year.
- These businesses are required to have obtained training from a small business development center to qualify for the loan guarantee.
- The bill does not apply to sole proprietors or businesses without a significant growth outlook, since it is limited to those seeking cybersecurity enhancements.
- Cyber threats are a known issue globally, and cybersecurity measures are a growing concern for businesses worldwide.
- The U.S. Small Business Administration serves small businesses across the entire United States, which affects a significant number of small business entities.
- According to U.S. Census data, a substantial percentage of businesses fall into the category of having 100 or fewer employees.
Reasoning
- The policy is designed to assist small businesses in improving their cybersecurity, which is increasingly important given the rise of cyber threats.
- Not all small businesses will be eligible; the policy focuses on those with 100 or fewer employees that have been in operation for at least a year and have received specific training.
- Budget constraints mean that not all eligible businesses can be funded immediately; prioritization or staggered implementation might occur.
- A wide range of small businesses might be impacted, from retail stores to tech startups, though not all might feel a significant change in their self-reported wellbeing.
- Businesses already investing in cybersecurity may experience less impact than those that have not yet addressed it.
Simulated Interviews
Owner of a digital marketing agency (Miami, FL)
Age: 42 | Gender: male
Wellbeing Before Policy: 6
Duration of Impact: 5.0 years
Commonness: 6/20
Statement of Opinion:
- The policy is a great opportunity to enhance our cybersecurity measures without straining our finances.
- I believe it will help us avoid potential threats that could disrupt our service.
Wellbeing Over Time (With vs Without Policy)
| Year | With Policy | Without Policy |
|---|---|---|
| Year 1 | 7 | 6 |
| Year 2 | 7 | 6 |
| Year 3 | 8 | 6 |
| Year 5 | 8 | 6 |
| Year 10 | 7 | 5 |
| Year 20 | 6 | 5 |
Entrepreneur running an online retail store (San Francisco, CA)
Age: 35 | Gender: female
Wellbeing Before Policy: 7
Duration of Impact: 10.0 years
Commonness: 8/20
Statement of Opinion:
- With increasing online transactions, cybersecurity is crucial for us.
- Access to this loan guarantee can significantly improve our security setup, making us more resilient against cyber attacks.
Wellbeing Over Time (With vs Without Policy)
| Year | With Policy | Without Policy |
|---|---|---|
| Year 1 | 8 | 7 |
| Year 2 | 9 | 7 |
| Year 3 | 9 | 7 |
| Year 5 | 9 | 7 |
| Year 10 | 8 | 6 |
| Year 20 | 7 | 5 |
Owner of a local coffee shop (Austin, TX)
Age: 29 | Gender: male
Wellbeing Before Policy: 5
Duration of Impact: 0.0 years
Commonness: 12/20
Statement of Opinion:
- Cybersecurity isn't our top priority since most transactions are physical, but I see its importance.
- This policy doesn't directly impact us as we haven't undergone the necessary training.
Wellbeing Over Time (With vs Without Policy)
| Year | With Policy | Without Policy |
|---|---|---|
| Year 1 | 5 | 5 |
| Year 2 | 5 | 5 |
| Year 3 | 5 | 5 |
| Year 5 | 5 | 5 |
| Year 10 | 4 | 4 |
| Year 20 | 3 | 3 |
CEO of a tech startup (Denver, CO)
Age: 50 | Gender: female
Wellbeing Before Policy: 8
Duration of Impact: 2.0 years
Commonness: 5/20
Statement of Opinion:
- We've always prioritized cybersecurity, so this policy might not drastically change our situation.
- It could offer some financial relief, allowing us to allocate funds elsewhere.
Wellbeing Over Time (With vs Without Policy)
| Year | With Policy | Without Policy |
|---|---|---|
| Year 1 | 8 | 8 |
| Year 2 | 8 | 8 |
| Year 3 | 8 | 7 |
| Year 5 | 7 | 7 |
| Year 10 | 6 | 6 |
| Year 20 | 5 | 5 |
Runs a local print shop (Chicago, IL)
Age: 45 | Gender: male
Wellbeing Before Policy: 4
Duration of Impact: 0.0 years
Commonness: 10/20
Statement of Opinion:
- While the policy is beneficial, we don't really engage in online activities.
- We benefit more from traditional small business supports than cybersecurity.
Wellbeing Over Time (With vs Without Policy)
| Year | With Policy | Without Policy |
|---|---|---|
| Year 1 | 4 | 4 |
| Year 2 | 4 | 4 |
| Year 3 | 4 | 4 |
| Year 5 | 3 | 3 |
| Year 10 | 3 | 3 |
| Year 20 | 2 | 2 |
Owner of a small IT consulting firm (Seattle, WA)
Age: 37 | Gender: female
Wellbeing Before Policy: 6
Duration of Impact: 5.0 years
Commonness: 7/20
Statement of Opinion:
- The policy is exactly what we need to advance our services and protect our clients' data.
- It's an essential support that comes at a time when threats are increasing.
Wellbeing Over Time (With vs Without Policy)
| Year | With Policy | Without Policy |
|---|---|---|
| Year 1 | 7 | 6 |
| Year 2 | 8 | 6 |
| Year 3 | 8 | 6 |
| Year 5 | 8 | 6 |
| Year 10 | 7 | 5 |
| Year 20 | 6 | 4 |
Founder of a small law firm (New York, NY)
Age: 41 | Gender: male
Wellbeing Before Policy: 5
Duration of Impact: 3.0 years
Commonness: 9/20
Statement of Opinion:
- I see potential benefits, but implementing new technologies can be disruptive.
- Keeping client data secure is a priority, so the policy could help us.
Wellbeing Over Time (With vs Without Policy)
| Year | With Policy | Without Policy |
|---|---|---|
| Year 1 | 6 | 5 |
| Year 2 | 7 | 5 |
| Year 3 | 7 | 5 |
| Year 5 | 6 | 5 |
| Year 10 | 5 | 4 |
| Year 20 | 4 | 3 |
Manager of a small logistics company (Salt Lake City, UT)
Age: 58 | Gender: female
Wellbeing Before Policy: 7
Duration of Impact: 10.0 years
Commonness: 4/20
Statement of Opinion:
- Given our recent experiences with cyber threats, this policy could offer crucial support.
- It's a much-needed step to advance our cybersecurity framework.
Wellbeing Over Time (With vs Without Policy)
| Year | With Policy | Without Policy |
|---|---|---|
| Year 1 | 8 | 7 |
| Year 2 | 9 | 7 |
| Year 3 | 9 | 6 |
| Year 5 | 9 | 6 |
| Year 10 | 8 | 5 |
| Year 20 | 7 | 4 |
Owner of a boutique hotel (Boston, MA)
Age: 33 | Gender: male
Wellbeing Before Policy: 6
Duration of Impact: 7.0 years
Commonness: 6/20
Statement of Opinion:
- Cybersecurity is critical in protecting guest information and maintaining our reputation.
- This policy would help us implement stronger defenses.
Wellbeing Over Time (With vs Without Policy)
| Year | With Policy | Without Policy |
|---|---|---|
| Year 1 | 7 | 6 |
| Year 2 | 8 | 6 |
| Year 3 | 8 | 6 |
| Year 5 | 8 | 5 |
| Year 10 | 7 | 5 |
| Year 20 | 6 | 4 |
Freelancer running a social media consultancy (Portland, OR)
Age: 26 | Gender: female
Wellbeing Before Policy: 5
Duration of Impact: 0.0 years
Commonness: 14/20
Statement of Opinion:
- The policy seems beneficial for businesses at a larger scale than mine.
- As a sole proprietor, I'd like to see similar support for micro-businesses.
Wellbeing Over Time (With vs Without Policy)
| Year | With Policy | Without Policy |
|---|---|---|
| Year 1 | 5 | 5 |
| Year 2 | 5 | 5 |
| Year 3 | 5 | 5 |
| Year 5 | 4 | 4 |
| Year 10 | 3 | 3 |
| Year 20 | 2 | 2 |
Cost Estimates
Year 1: $1,500,000,000 (Low: $1,400,000,000, High: $1,600,000,000)
Year 2: $1,500,000,000 (Low: $1,400,000,000, High: $1,600,000,000)
Year 3: $1,550,000,000 (Low: $1,450,000,000, High: $1,650,000,000)
Year 5: $1,500,000,000 (Low: $1,400,000,000, High: $1,600,000,000)
Year 10: $1,500,000,000 (Low: $1,400,000,000, High: $1,600,000,000)
Year 100: $1,500,000,000 (Low: $1,400,000,000, High: $1,600,000,000)
Key Considerations
- The program significantly extends credit guarantees to small businesses, which has budgetary implications.
- The exclusion of basic IT functions aims to ensure that only cybersecurity-specific expenditures are supported.
- Widespread adoption might lead to high upfront costs for the government but could stabilize small businesses in the long run, protecting the labor market.