Honorable Kelly Hancock, Chair, Senate Committee on Business & Commerce
FROM:
John McGeady, Assistant Director Sarah Keyton, Assistant Director Legislative Budget Board
IN RE:
SB64 by Nelson (Relating to cybersecurity for information resources.), As Introduced
The fiscal implications of the bill cannot be determined at this time, due to the uncertainty of the number of unknown variables for producing an approved cybersecurity vendor list for utilities as defined by the bill.
The bill defines "utility" to include electric cooperatives, electric utilities, municipally owned utilities, power marketers, retail electric providers, and transmission and distribution utilities. Based on information contained in the PUC's company database, this bill is applicable to more than 500 utilities that may have multiple vendors. The PUC is unable to determine the actual number of unique providers that each utility contracts with that provide information technology services. An accurate cost estimate to implement this section of the bill cannot be completed.
According to the PUC, each independent vendor verification would cost no less than $2,000 per vendor per year. Ultimately, the PUC would need to hire a third-party contractor to review vendors and create the approved vendor list based on a risk assessment completed on each vendor.
The Higher Education Coordinating Board, Department of Information Resources, Teacher Retirement System and Employees Retirement System indicate that all any costs could be absorbed using existing resources for the provisions of the bill.
Local Government Impact
PUC anticipates that the bill may have a local impact, as it applies to municipally owned utilities, but the PUC cannot determine that cost at this time.
Source Agencies:
313 Department of Information Resources, 323 Teacher Retirement System, 327 Employees Retirement System, 473 Public Utility Commission of Texas, 781 Higher Education Coordinating Board