A BILL TO BE ENTITLED

AN ACT

relating to requiring the Department of Information Resources to conduct a study concerning the cybersecurity of small businesses.

BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF TEXAS:

SECTION 1. DEFINITIONS. In this Act:

(1) "Department" means the Department of Information Resources.

(2) "Tax incentive" means any exemption, deduction, credit, exclusion, waiver, rebate, discount, deferral, or other abatement or reduction of state tax liability of a business entity.

SECTION 2. STUDY CONCERNING CYBERSECURITY OF SMALL BUSINESSES. (a) The department, in collaboration with the Texas Workforce Commission, shall conduct a study to determine:

(1) how small businesses can improve their ability to protect against cybersecurity risks and threats to the businesses' supply chain and to mitigate and recover from cybersecurity incidents; and

(2) the feasibility of establishing a grant program for small businesses to receive funds to upgrade their cybersecurity infrastructure and to participate in cybersecurity awareness training.

(b) The department may, if necessary and as appropriate, partner with a nonprofit entity or institution of higher education, as defined by Section 61.003, Education Code, to conduct the study.

(c) The study may be limited to the geographic region or regions served by a nonprofit entity or institution of higher education with which the department partners under Subsection (b) of this section.

(d) In conducting the study, the department may consider:

(1) the current best practices used by small businesses for cybersecurity controls for their information systems to protect against supply chain vulnerabilities, which may include best practices related to:

(A) software integrity and authenticity; and

(B) vendor risk management and procurement controls, including notification by vendors of any cybersecurity incidents related to the vendor's products and services;

(2) barriers or challenges for small businesses in purchasing or acquiring cybersecurity products or services;

(3) the estimated cost of any available tax incentives or other state incentives to increase the ability of small businesses to acquire products and services that promote cybersecurity;

(4) the availability of resources small businesses need to respond to and recover from a cybersecurity event;

(5) the impact of cybersecurity incidents that have affected small businesses, including the resulting costs to small businesses;

(6) to the extent possible, any emerging cybersecurity risks and threats to small businesses resulting from the deployment of new technologies; and

(7) any other issue the department and the Texas Workforce Commission determine would have a future impact on cybersecurity for small businesses with supply chain vulnerabilities.

(e) In determining the feasibility of establishing a grant program described by Subsection (a)(2) of this section, the study must:

(1) identify the most significant and widespread cybersecurity incidents impacting small businesses, vendors, and others in the supply chain network of small businesses;

(2) consider the amount small businesses currently spend on cybersecurity products and services and the availability and market price of those services; and

(3) identify the type and frequency of training necessary to protect small businesses from supply chain cybersecurity risks and threats.

SECTION 3. REPORT. (a) Not later than December 31, 2026, the department shall submit to the standing committees of the senate and house of representatives with jurisdiction over small businesses and cybersecurity a report that contains:

(1) the results of the study conducted under Section 2 of this Act, including the feasibility of establishing a grant program described by Subsection (a)(2) of that section; and

(2) recommendations for best practices and controls for small businesses to implement in order to update and protect their information systems against cybersecurity risks and threats.

(b) The department shall make the report available on the department's Internet website.

SECTION 4. EXPIRATION OF ACT. This Act expires September 1, 2027.

SECTION 5. EFFECTIVE DATE. This Act takes effect immediately if it receives a vote of two-thirds of all the members elected to each house, as provided by Section 39, Article III, Texas Constitution. If this Act does not receive the vote necessary for immediate effect, this Act takes effect September 1, 2025.