87R7237 MWC-D
 
  By: Raymond H.B. No. 2160
 
 
 
A BILL TO BE ENTITLED
 
AN ACT
  relating to requiring the Department of Information Resources to
  conduct a study concerning the cybersecurity of small businesses.
         BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF TEXAS:
         SECTION 1.  DEFINITIONS. In this Act:
               (1)  "Department" means the Department of Information
  Resources.
               (2)  "Tax incentive" means any exemption, deduction,
  credit, exclusion, waiver, rebate, discount, deferral, or other
  abatement or reduction of state tax liability of a business entity.
         SECTION 2.  STUDY CONCERNING CYBERSECURITY OF SMALL
  BUSINESSES. (a) The department, in collaboration with the Texas
  Workforce Commission, shall conduct a study to:
               (1)  assess how small businesses can improve their
  ability to protect against cybersecurity risks and threats to the
  businesses' supply chain and to mitigate and recover from
  cybersecurity incidents; and
               (2)  determine the feasibility of establishing a grant
  program for small businesses to receive funds to upgrade their
  cybersecurity infrastructure and to participate in cybersecurity
  awareness training.
         (b)  In conducting the study, the department must:
               (1)  consider the current best practices used by small
  businesses for cybersecurity controls for their information
  systems to protect against supply chain vulnerabilities, which may
  include best practices related to:
                     (A)  software integrity and authenticity; and
                     (B)  vendor risk management and procurement
  controls, including notification by vendors of any cybersecurity
  incidents related to the vendor's products and services;
               (2)  identify barriers or challenges for small
  businesses in purchasing or acquiring cybersecurity products or
  services;
               (3)  consider and estimate the cost of any available
  tax incentives or other state incentives to increase the ability of
  small businesses to acquire products and services that promote
  cybersecurity;
               (4)  assess the availability of resources small
  businesses need to respond to and recover from a cybersecurity
  event;
               (5)  study the impact of cybersecurity incidents that
  have affected small businesses, including the resulting costs to
  small businesses;
               (6)  to the extent possible, identify any emerging
  cybersecurity risks and threats to small businesses resulting from
  the deployment of new technologies; and
               (7)  study any other issue the department and the Texas
  Workforce Commission determine would have a future impact on
  cybersecurity for small businesses with supply chain
  vulnerabilities.
         (c)  In determining the feasibility of establishing a grant
  program described by Subsection (a)(2) of this section, the study
  must:
               (1)  identify the most significant and widespread
  cybersecurity incidents impacting small businesses, vendors, and
  others in the supply chain network of small businesses;
               (2)  consider the amount small businesses currently
  spend on cybersecurity products and services and the availability
  and market price of those services; and
               (3)  identify the type and frequency of training
  necessary to protect small businesses from supply chain
  cybersecurity risks and threats.
         SECTION 3.  REPORT. (a) Not later than December 31, 2022,
  the department shall submit to the standing committees of the
  senate and house of representatives with jurisdiction over small
  businesses and cybersecurity a report that contains:
               (1)  the results of the study conducted under Section 2
  of this Act, including the feasibility of establishing a grant
  program described by Subsection (a)(2) of that section; and
               (2)  recommendations for best practices and controls
  for small businesses to implement in order to update and protect
  their information systems against cybersecurity risks and threats.
         (b)  The department shall make the report available on the
  department's Internet website.
         SECTION 4.  EXPIRATION OF ACT. This Act expires September 1,
  2023.
         SECTION 5.  EFFECTIVE DATE. This Act takes effect
  immediately if it receives a vote of two-thirds of all the members
  elected to each house, as provided by Section 39, Article III, Texas
  Constitution.  If this Act does not receive the vote necessary for
  immediate effect, this Act takes effect September 1, 2021.