Austin, Texas
March 20, 2017

Honorable Gary Elkins, Chair, House Committee on Government Transparency & Operation
Ursula Parks, Director, Legislative Budget Board
HB8 by Capriglione (Relating to cybersecurity for state agency information resources.), As Introduced

The statewide fiscal implications of the bill cannot be determined at this time, but the bill is expected to result in a cost to the State. These costs primarily relate to provisions that would require agencies to contract with an independent third party to perform a risk assessment every five years and periodic vulnerability and penetration tests before deploying certain website or mobile applications.

The bill sets forth certain requirements all agencies would be required to follow relating to cybersecurity. The costs cannot be determined because the impact would be contingent on factors such as an agency's existing information technology infrastructure, current practices, and the number of full-time equivalent (FTE) positions currently supporting related services. Some agencies such as Texas A&M University and the Texas Department of Transportation (TxDOT) estimate an indeterminate but significant cost would be incurred to comply with the requirements of the bill. The University of Texas System Administration reported a cumulative cost of $22.6 million in General Revenue Funds, $1.3 million in Available University Funds and an additional 13.2 FTEs would be required in the 2018-19 biennium to accomplish the provisions of the bill.

The bill also sets forth requirements that would only be applicable to certain agencies. The Sunset Advisory Commission would be required to assess agency cybersecurity practices as part of its reviews, which the Commission estimates would cost $229,890 in General Revenue Funds during the 2018-19 biennium, including 1.0 additional FTE. Requirements that would apply to the Department of Public Safety (DPS) and Department of Information Resources (DIR) are noted below. Based on LBB staff analysis, the cumulative impact to DPS would be an additional 4.0 FTEs at a cost of $1.0 million in General Revenue Funds, and certain requirements would have significant yet indeterminate costs. No significant fiscal impact is assumed for DIR to accomplish the requirements the bill places on it specifically.

The bill would authorize DPS to enter into an agreement with a national organization to address cybersecurity risks and incidents in the state, and would authorize such an agreement to include certain provisions such as providing state agencies training and simulation exercises and assistance in developing emergency plans. Based on LBB staff analysis, DPS would require 3.0 additional FTEs to accomplish these provisions at a cost of approximately $0.7 million in General Revenue Funds for the 2018-19 biennium.

The bill would require the Homeland Security Council to conduct a one-time study regarding cyber attacks on state agencies and critical infrastructure, and to develop a plan agencies would implement in the event of a cyber attack. Based on LBB staff analysis, DPS would incur a one-time cost of approximately $86,647 for 1.0 additional FTE, plus benefits, to assist the Council in completing this requirement.

The bill would require DIR to provide mandatory guidelines for all state agency information resources employees regarding continuing education for cybersecurity training and certification. The fiscal impact of continuing education would depend on the training requirements developed by DIR. Agencies such as Trusteed Programs within the Office of the Governor (Trusteed Programs) and the Health and Human Services Commission reported that costs associated with ongoing training requirements could be absorbed within existing resources. The Texas Workforce Commission reported that 272 FTEs perform IT-related projects and that training these staff is estimated to cost $791,384 in General Revenue Funds for the 2018-19 biennium. It is assumed that training and certification requirements and associated costs would continue in subsequent biennia.

The bill would require the executive head and chief information security officer (CISO) of each state agency to annually review the agency's information security plan, develop strategies for information resources systems that are at highest risk for security breaches, and submit these to the Legislative Budget Board. There is no statutory requirement for agencies to have a CISO; therefore, some agencies may need additional staff to fulfill this requirement, although the number of additional staff that would be hired is unknown. The average annual salary, without benefits, for a CISO is $119,847 per year.

The bill would require each state agency to contract at least every five years with an independent third party to conduct and submit to DIR a risk assessment of exposure to security risks. The fiscal impact of this provision would depend on DIR's certification of contractors and the scope and requirements DIR develops for the risk assessment. Agencies provided a variety of estimates regarding potential costs for these risk assessments. Trusteed Programs estimated a cost of $50,000 in General Revenue Funds per assessment and the University of Texas System estimated costs of $150,000 to $350,000 per institution. It is assumed these costs would repeat in subsequent five-year periods.

The bill would also require that each state agency website or mobile application processing any personally identifiable or confidential information undergo a vulnerability and penetration test conducted by an independent third party. UT Austin indicated they currently perform 20 to 25 of these types of tests each month in-house. At an estimated $10,000 per external test, they estimate a cost of $2.4 million annually to expand this testing to meet the third party contract requirements of the bill. The Comptroller of Public Accounts estimated third party contracting costs would be $750,000 per year and require 1.0 additional FTE for the agency's approximately 88 website applications processing confidential taxpayer information.

DIR indicated it could extend its risk assessment programs to include all agencies and institutions of higher education. If agencies or institutions were to use DIR to accomplish the provisions of the bill related to third party testing requirements, DIR reports that third party costs for up to 48 tests per year could be absorbed under their current contract model. DIR estimates a potential cost of $4.0 million in the biennium were agencies to choose to use a standardized framework developed by DIR for both risk assessment and testing requirements, and assumes this would include 20 new vulnerability tests per year at a cost of $10,000 per test.

The bill would require a state agency to destroy or arrange for the destruction of information that alone or in conjunction with other information identifies an individual, if retention of the information is not required under other law. The cost of this would vary based on how much personally identifiable information an agency retains and what related activities an agency currently undertakes. DIR indicated this could be absorbed within existing resources, the Texas Medical Board estimated this would cost $50,000 in fiscal year 2019, and DPS stated the cost would be significant but cannot be determined.

The bill would require the Texas Rangers to conduct a one-time study regarding cyber attacks on election infrastructure. DPS staff stated the cost for this would be significant but cannot be determined.

Based on agency responses and LBB staff analysis, it is assumed that other provisions of the bill would not have a significant fiscal impact and could be implemented within existing resources.

The bill would take effect September 1, 2017.

Local Government Impact

No fiscal implication to units of local government is anticipated.

Source Agencies:
116 Sunset Advisory Commission, 300 Trusteed Programs Within the Office of the Governor, 304 Comptroller of Public Accounts, 306 Library & Archives Commission, 313 Department of Information Resources, 320 Texas Workforce Commission, 323 Teacher Retirement System, 405 Department of Public Safety, 503 Texas Medical Board, 515 Board of Pharmacy, 529 Health and Human Services Commission, 578 Board of Veterinary Medical Examiners, 601 Department of Transportation, 701 Texas Education Agency, 710 Texas A&M University System Administrative and General Offices, 720 The University of Texas System Administration, 781 Higher Education Coordinating Board
LBB Staff: