89R186 MLH-D
 
  By: Raymond
  H.B. No. 1172
 
 
 
A BILL TO BE ENTITLED
 
AN ACT
  relating to requiring the Department of Information Resources to
  conduct a study concerning the cybersecurity of small businesses.
         BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF TEXAS:
         SECTION 1.  DEFINITIONS. In this Act:
               (1)  "Department" means the Department of Information
  Resources.
               (2)  "Tax incentive" means any exemption, deduction,
  credit, exclusion, waiver, rebate, discount, deferral, or other
  abatement or reduction of state tax liability of a business entity.
         SECTION 2.  STUDY CONCERNING CYBERSECURITY OF SMALL
  BUSINESSES. (a) The department, in collaboration with the Texas
  Workforce Commission, shall conduct a study to determine:
               (1)  how small businesses can improve their ability to
  protect against cybersecurity risks and threats to the businesses'
  supply chain and to mitigate and recover from cybersecurity
  incidents; and
               (2)  the feasibility of establishing a grant program
  for small businesses to receive funds to upgrade their
  cybersecurity infrastructure and to participate in cybersecurity
  awareness training.
         (b)  The department may, if necessary and as appropriate,
  partner with a nonprofit entity or institution of higher education,
  as defined by Section 61.003, Education Code, to conduct the study.
         (c)  The study may be limited to the geographic region or
  regions served by a nonprofit entity or institution of higher
  education with which the department partners under Subsection (b)
  of this section.
         (d)  In conducting the study, the department may consider:
               (1)  the current best practices used by small
  businesses for cybersecurity controls for their information
  systems to protect against supply chain vulnerabilities, which may
  include best practices related to:
                     (A)  software integrity and authenticity; and
                     (B)  vendor risk management and procurement
  controls, including notification by vendors of any cybersecurity
  incidents related to the vendor's products and services;
               (2)  barriers or challenges for small businesses in
  purchasing or acquiring cybersecurity products or services;
               (3)  the estimated cost of any available tax incentives
  or other state incentives to increase the ability of small
  businesses to acquire products and services that promote
  cybersecurity;
               (4)  the availability of resources small businesses
  need to respond to and recover from a cybersecurity event;
               (5)  the impact of cybersecurity incidents that have
  affected small businesses, including the resulting costs to small
  businesses;
               (6)  to the extent possible, any emerging cybersecurity
  risks and threats to small businesses resulting from the deployment
  of new technologies; and
               (7)  any other issue the department and the Texas
  Workforce Commission determine would have a future impact on
  cybersecurity for small businesses with supply chain
  vulnerabilities.
         (e)  In determining the feasibility of establishing a grant
  program described by Subsection (a)(2) of this section, the study
  must:
               (1)  identify the most significant and widespread
  cybersecurity incidents impacting small businesses, vendors, and
  others in the supply chain network of small businesses;
               (2)  consider the amount small businesses currently
  spend on cybersecurity products and services and the availability
  and market price of those services; and
               (3)  identify the type and frequency of training
  necessary to protect small businesses from supply chain
  cybersecurity risks and threats.
         SECTION 3.  REPORT. (a) Not later than December 31, 2026,
  the department shall submit to the standing committees of the
  senate and house of representatives with jurisdiction over small
  businesses and cybersecurity a report that contains:
               (1)  the results of the study conducted under Section 2
  of this Act, including the feasibility of establishing a grant
  program described by Subsection (a)(2) of that section; and
               (2)  recommendations for best practices and controls
  for small businesses to implement in order to update and protect
  their information systems against cybersecurity risks and threats.
         (b)  The department shall make the report available on the
  department's Internet website.
         SECTION 4.  EXPIRATION OF ACT. This Act expires September 1,
  2027.
         SECTION 5.  EFFECTIVE DATE.  This Act takes effect
  immediately if it receives a vote of two-thirds of all the members
  elected to each house, as provided by Section 39, Article III, Texas
  Constitution.  If this Act does not receive the vote necessary for
  immediate effect, this Act takes effect September 1, 2025.