88R8305 SCP-F
 
  By: Bell of Montgomery H.B. No. 4996
 
 
 
A BILL TO BE ENTITLED
 
AN ACT
  relating to a statewide cyber insurance program.
         BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF TEXAS:
         SECTION 1.  DEFINITIONS. In this Act:
               (1)  "Department" means the Department of Information
  Resources.
               (2)  "Office" means the State Office of Risk
  Management.
               (3)  "Risk framework" means key security domains
  identified by cyber insurance underwriters based on current
  security controls.
               (4)  "Security controls" include:
                     (A)  use of multiple security levels;
                     (B)  managing user access;
                     (C)  user authentication;
                     (D)  network and server vulnerability;
                     (E)  malware defense;
                     (F)  operational technology;
                     (G)  remote work;
                     (H)  third-party vendor management;
                     (I)  e-mail filtering;
                     (J)  response planning;
                     (K)  data encryption and backup;
                     (L)  use of wireless devices and connections;
                     (M)  monitoring users or devices;
                     (N)  continuity of service;
                     (O)  incident response;
                     (P)  appropriate insurance coverage; and
                     (Q)  governance.
         SECTION 2.  STUDY. Not later than October 1, 2023, the
  department shall contract with a cyber risk model vendor to conduct
  a study on the development of a statewide risk framework in order to
  determine the need for and feasibility of implementing a statewide
  cyber insurance program. The department shall enter into a
  memorandum of understanding with the office to support this
  assessment.
         SECTION 3.  INSURANCE PROGRAM. Based on the results of the
  study required by Section 2 of this Act, the office may develop and
  maintain a statewide cyber insurance program meeting the
  specifications identified in the study.
         SECTION 4.  REPORT. Not later than April 1, 2024, the
  department, in conjunction with the office, shall prepare and
  submit to the governor and the legislature a report containing the
  results of the study and any recommendations for legislative or
  other action to address the need for and feasibility of requiring
  cyber insurance.
         SECTION 5.  EXPIRATION. This Act expires September 1, 2025.
         SECTION 6.  EFFECTIVE DATE. This Act takes effect
  immediately if it receives a vote of two-thirds of all the members
  elected to each house, as provided by Section 39, Article III, Texas
  Constitution. If this Act does not receive the vote necessary for
  immediate effect, this Act takes effect September 1, 2023.