A BILL TO BE ENTITLED

AN ACT

relating to requiring the Department of Information Resources to conduct a study concerning the cybersecurity of small businesses.

BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF TEXAS:

SECTION 1. DEFINITIONS. In this Act:

(1) "Department" means the Department of Information Resources.

(2) "Tax incentive" means any exemption, deduction, credit, exclusion, waiver, rebate, discount, deferral, or other abatement or reduction of state tax liability of a business entity.

SECTION 2. STUDY CONCERNING CYBERSECURITY OF SMALL BUSINESSES. (a) The department, in collaboration with the Texas Workforce Commission, shall conduct a study to:

(1) assess how small businesses can improve their ability to protect against cybersecurity risks and threats to the businesses' supply chain and to mitigate and recover from cybersecurity incidents; and

(2) determine the feasibility of establishing a grant program for small businesses to receive funds to upgrade their cybersecurity infrastructure and to participate in cybersecurity awareness training.

(b) The department may, if necessary and as appropriate, partner with a nonprofit entity or institution of higher education, as defined by Section 61.003, Education Code, to conduct the study.

(c) In conducting the study, the department shall:

(1) consider the current best practices used by small businesses for cybersecurity controls for their information systems to protect against supply chain vulnerabilities, which may include best practices related to:

(A) software integrity and authenticity; and

(B) vendor risk management and procurement controls, including notification by vendors of any cybersecurity incidents related to the vendor's products and services;

(2) identify barriers or challenges for small businesses in purchasing or acquiring cybersecurity products or services;

(3) consider and estimate the cost of any available tax incentives or other state incentives to increase the ability of small businesses to acquire products and services that promote cybersecurity;

(4) assess the availability of resources small businesses need to respond to and recover from a cybersecurity event;

(5) assess the impact of cybersecurity incidents that have affected small businesses, including the resulting costs to small businesses;

(6) to the extent possible, identify any emerging cybersecurity risks and threats to small businesses resulting from the deployment of new technologies; and

(7) assess any other issue the department and the Texas Workforce Commission determine would have a future impact on cybersecurity for small businesses with supply chain vulnerabilities.

(d) In determining the feasibility of establishing a grant program described by Subsection (a)(2) of this section, the study must:

(1) identify the most significant and widespread cybersecurity incidents impacting small businesses, vendors, and others in the supply chain network of small businesses;

(2) consider the amount small businesses currently spend on cybersecurity products and services and the availability and market price of those services; and

(3) identify the type and frequency of training necessary to protect small businesses from supply chain cybersecurity risks and threats.

SECTION 3. REPORT. (a) Not later than December 31, 2024, the department shall submit to the standing committees of the senate and house of representatives with jurisdiction over small businesses and cybersecurity a report that contains:

(1) the results of the study conducted under Section 2 of this Act, including the feasibility of establishing a grant program described by Subsection (a)(2) of that section; and

(2) recommendations for best practices and controls for small businesses to implement in order to update and protect their information systems against cybersecurity risks and threats.

(b) The department shall make the report available on the department's Internet website.

SECTION 4. EXPIRATION OF ACT. This Act expires September 1, 2025.

SECTION 5. EFFECTIVE DATE. This Act takes effect immediately if it receives a vote of two-thirds of all the members elected to each house, as provided by Section 39, Article III, Texas Constitution. If this Act does not receive the vote necessary for immediate effect, this Act takes effect September 1, 2023.