Austin, Texas
May 10, 2017

Honorable Kelly Hancock, Chair, Senate Committee on Business & Commerce
Ursula Parks, Director, Legislative Budget Board
HB8 by Capriglione (Relating to cybersecurity for state agency information resources.), As Engrossed

The statewide fiscal implications of the bill cannot be determined at this time, but it is expected to result in a cost to the State. These costs primarily relate to provisions that would require agencies to contract with an independent third party to perform a risk assessment every five years and periodic vulnerability and penetration tests before deploying certain website or mobile applications.

The bill sets forth certain requirements all agencies would be required to follow relating to cybersecurity. Statewide costs cannot be determined because the impact would be contingent on factors such as an agency's existing information technology infrastructure, current practices, and the number of full-time equivalent (FTE) positions currently supporting related services. Some agencies such as Texas A&M University and the Texas Department of Transportation (TxDOT) estimate an indeterminate but significant cost would be incurred to comply with the requirements of the bill. The University of Texas System Administration reported a cumulative cost of $6.0 million in General Revenue Funds, $1.4 million in Available University Funds and an additional 13.2 FTEs would be required in the 2018-19 biennium to accomplish the provisions of the bill.

The bill also sets forth requirements that would only be applicable to certain agencies. The Sunset Advisory Commission would be required to assess agency cybersecurity practices as part of its reviews, which the Commission estimates would cost $229,890 in General Revenue Funds during the 2018-19 biennium, including 1.0 additional FTE to provide relevant subject matter expertise. This analysis assumes the Department of Information Resources (DIR) would have an estimated cumulative cost of $5.2 million and 2.0 additional FTEs for the 2018-19 biennium as a result of requirements to develop plans to address cybersecurity risks and incidents. Additionally, if agencies were to utilize DIR's existing third party independent risk assessment services and website and application vulnerability and penetration testing services, the agency estimates an additional cost of $4.0 million for the biennium to expand current offerings of these services. All costs would be funded through the Clearing Fund (Appropriated Receipts), which is generated through administrative fees charged to purchases made through DIR's Cooperative Contracts program. Entities that make purchases through the Cooperative Contracts program include state agencies, institutions of higher education, and local jurisdictions. This analysis assumes DIR would increase administrative fee rates to generate sufficient revenues to cover the costs of implementation.

The bill would require DIR to provide mandatory guidelines for all state agency information resources employees regarding continuing education for cybersecurity training and certification. The fiscal impact of continuing education would depend on the training requirements developed by DIR. Agencies such as Trusteed Programs within the Office of the Governor (Trusteed Programs) and the Health and Human Services Commission reported costs associated with ongoing training requirements could be absorbed within existing resources. The Texas Workforce Commission reported 272.0 FTEs perform IT-related projects and training these staff is estimated to cost $791,384 in General Revenue Funds for the 2018-19 biennium. It is assumed that training and certification requirements and associated costs would continue in subsequent biennia.

The bill would require each state agency to contract at least every five years with an independent third party to conduct and submit to DIR a risk assessment of exposure to security risks. The fiscal impact of this provision would depend on DIR's certification of contractors and the scope and requirements DIR develops for the risk assessment. Agencies provided a variety of estimates regarding potential costs for these risk assessments. Trusteed Programs estimated a cost of $50,000 in General Revenue Funds per assessment and the University of Texas System estimated costs of $150,000 to $350,000 per institution. It is assumed these costs would repeat in subsequent five-year periods.

The bill would also require that an independent third party conduct a vulnerability and penetration test of each state agency's (other than an institution of higher education) website or mobile application that processes any personally identifiable or confidential information. The Comptroller of Public Accounts estimated third party contracting costs would be $750,000 per year and require 1.0 additional FTE for the agency's approximately 88 website applications processing confidential taxpayer information.

DIR indicated it could extend its risk assessment programs to include all agencies and institutions of higher education. If agencies or institutions were to use DIR to accomplish the provisions of the bill related to third party testing requirements, DIR reports that third party costs for up to 48 tests per year could be absorbed under their current contract model. DIR estimates a potential cost of $4.0 million to agencies in the biennium, were agencies to choose to use a standardized framework developed by DIR for both risk assessment and testing requirements. This assumes that 187 independent risk assessments would be performed over a five-year period at a cost of $48,000 per assessment, and that 20 mobile and application vulnerability tests would be performed per year, at a cost of $10,000 per test.

The bill would require DIR to develop a plan to address cybersecurity risks and incidents in the state, and authorizes an agreement with a national organization to support DIR's efforts in implementing components for which the agency lacks resources to address internally. This may include provisions such as providing state agencies training and simulation exercises and assistance in developing emergency plans. DIR indicated that the agency would need 2.0 additional FTEs to accomplish the provisions of the bill, estimated at $5.2 million for the 2018-19 biennium.

The bill would require a state agency to destroy or arrange for the destruction of information that alone or in conjunction with other information presents a cybersecurity risk and alone or in conjunction with other information identifies an individual, if retention of the information is not required under law or for other legal reasons. The cost of this would vary based on how much personally identifiable information an agency retains and what related activities an agency currently undertakes. DIR indicated this could be absorbed within existing resources, the Texas Medical Board estimated this would cost $50,000 in fiscal year 2019, and the Department of Public Safety (DPS) reported that 3.0 additional FTEs at a cost of $697,925 would be required for the 2018-19 biennium.

Based on agency responses and LBB staff analysis, it is assumed that other provisions of the bill would not have a significant fiscal impact and could be implemented within existing resources.

The bill would take effect September 1, 2017.

Local Government Impact

According to DIR, estimated costs of certification examinations and training for state and local officials and first responders preparing for and responding to cybersecurity risks and incidents could be $3.2 million for the biennium, assuming 1,081 school districts, 900 cities and 256 counties at $2,000 per year. One employee training and certification exam would be conducted per year for one-third of these entities. DIR assumes the cost for the certification examinations and training would be paid out of DIR's Clearing Fund (Appropriated Receipts).

Source Agencies:
116 Sunset Advisory Commission, 300 Trusteed Programs Within the Office of the Governor, 304 Comptroller of Public Accounts, 306 Library & Archives Commission, 307 Secretary of State, 313 Department of Information Resources, 320 Texas Workforce Commission, 503 Texas Medical Board, 601 Department of Transportation, 710 Texas A&M University System Administrative and General Offices, 781 Higher Education Coordinating Board, 323 Teacher Retirement System, 405 Department of Public Safety, 515 Board of Pharmacy, 529 Health and Human Services Commission, 578 Board of Veterinary Medical Examiners, 701 Texas Education Agency, 720 The University of Texas System Administration
LBB Staff: