| 1 | 1 | | 87R7237 MWC-D |
|---|
| 2 | 2 | | By: Raymond H.B. No. 2160 |
|---|
| 3 | 3 | | |
|---|
| 4 | 4 | | |
|---|
| 5 | 5 | | A BILL TO BE ENTITLED |
|---|
| 6 | 6 | | AN ACT |
|---|
| 7 | 7 | | relating to requiring the Department of Information Resources to |
|---|
| 8 | 8 | | conduct a study concerning the cybersecurity of small businesses. |
|---|
| 9 | 9 | | BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF TEXAS: |
|---|
| 10 | 10 | | SECTION 1. DEFINITIONS. In this Act: |
|---|
| 11 | 11 | | (1) "Department" means the Department of Information |
|---|
| 12 | 12 | | Resources. |
|---|
| 13 | 13 | | (2) "Tax incentive" means any exemption, deduction, |
|---|
| 14 | 14 | | credit, exclusion, waiver, rebate, discount, deferral, or other |
|---|
| 15 | 15 | | abatement or reduction of state tax liability of a business entity. |
|---|
| 16 | 16 | | SECTION 2. STUDY CONCERNING CYBERSECURITY OF SMALL |
|---|
| 17 | 17 | | BUSINESSES. (a) The department, in collaboration with the Texas |
|---|
| 18 | 18 | | Workforce Commission, shall conduct a study to: |
|---|
| 19 | 19 | | (1) assess how small businesses can improve their |
|---|
| 20 | 20 | | ability to protect against cybersecurity risks and threats to the |
|---|
| 21 | 21 | | businesses' supply chain and to mitigate and recover from |
|---|
| 22 | 22 | | cybersecurity incidents; and |
|---|
| 23 | 23 | | (2) determine the feasibility of establishing a grant |
|---|
| 24 | 24 | | program for small businesses to receive funds to upgrade their |
|---|
| 25 | 25 | | cybersecurity infrastructure and to participate in cybersecurity |
|---|
| 26 | 26 | | awareness training. |
|---|
| 27 | 27 | | (b) In conducting the study, the department must: |
|---|
| 28 | 28 | | (1) consider the current best practices used by small |
|---|
| 29 | 29 | | businesses for cybersecurity controls for their information |
|---|
| 30 | 30 | | systems to protect against supply chain vulnerabilities, which may |
|---|
| 31 | 31 | | include best practices related to: |
|---|
| 32 | 32 | | (A) software integrity and authenticity; and |
|---|
| 33 | 33 | | (B) vendor risk management and procurement |
|---|
| 34 | 34 | | controls, including notification by vendors of any cybersecurity |
|---|
| 35 | 35 | | incidents related to the vendor's products and services; |
|---|
| 36 | 36 | | (2) identify barriers or challenges for small |
|---|
| 37 | 37 | | businesses in purchasing or acquiring cybersecurity products or |
|---|
| 38 | 38 | | services; |
|---|
| 39 | 39 | | (3) consider and estimate the cost of any available |
|---|
| 40 | 40 | | tax incentives or other state incentives to increase the ability of |
|---|
| 41 | 41 | | small businesses to acquire products and services that promote |
|---|
| 42 | 42 | | cybersecurity; |
|---|
| 43 | 43 | | (4) assess the availability of resources small |
|---|
| 44 | 44 | | businesses need to respond to and recover from a cybersecurity |
|---|
| 45 | 45 | | event; |
|---|
| 46 | 46 | | (5) study the impact of cybersecurity incidents that |
|---|
| 47 | 47 | | have affected small businesses, including the resulting costs to |
|---|
| 48 | 48 | | small businesses; |
|---|
| 49 | 49 | | (6) to the extent possible, identify any emerging |
|---|
| 50 | 50 | | cybersecurity risks and threats to small businesses resulting from |
|---|
| 51 | 51 | | the deployment of new technologies; and |
|---|
| 52 | 52 | | (7) study any other issue the department and the Texas |
|---|
| 53 | 53 | | Workforce Commission determine would have a future impact on |
|---|
| 54 | 54 | | cybersecurity for small businesses with supply chain |
|---|
| 55 | 55 | | vulnerabilities. |
|---|
| 56 | 56 | | (c) In determining the feasibility of establishing a grant |
|---|
| 57 | 57 | | program described by Subsection (a)(2) of this section, the study |
|---|
| 58 | 58 | | must: |
|---|
| 59 | 59 | | (1) identify the most significant and widespread |
|---|
| 60 | 60 | | cybersecurity incidents impacting small businesses, vendors, and |
|---|
| 61 | 61 | | others in the supply chain network of small businesses; |
|---|
| 62 | 62 | | (2) consider the amount small businesses currently |
|---|
| 63 | 63 | | spend on cybersecurity products and services and the availability |
|---|
| 64 | 64 | | and market price of those services; and |
|---|
| 65 | 65 | | (3) identify the type and frequency of training |
|---|
| 66 | 66 | | necessary to protect small businesses from supply chain |
|---|
| 67 | 67 | | cybersecurity risks and threats. |
|---|
| 68 | 68 | | SECTION 3. REPORT. (a) Not later than December 31, 2022, |
|---|
| 69 | 69 | | the department shall submit to the standing committees of the |
|---|
| 70 | 70 | | senate and house of representatives with jurisdiction over small |
|---|
| 71 | 71 | | businesses and cybersecurity a report that contains: |
|---|
| 72 | 72 | | (1) the results of the study conducted under Section 2 |
|---|
| 73 | 73 | | of this Act, including the feasibility of establishing a grant |
|---|
| 74 | 74 | | program described by Subsection (a)(2) of that section; and |
|---|
| 75 | 75 | | (2) recommendations for best practices and controls |
|---|
| 76 | 76 | | for small businesses to implement in order to update and protect |
|---|
| 77 | 77 | | their information systems against cybersecurity risks and threats. |
|---|
| 78 | 78 | | (b) The department shall make the report available on the |
|---|
| 79 | 79 | | department's Internet website. |
|---|
| 80 | 80 | | SECTION 4. EXPIRATION OF ACT. This Act expires September 1, |
|---|
| 81 | 81 | | 2023. |
|---|
| 82 | 82 | | SECTION 5. EFFECTIVE DATE. This Act takes effect |
|---|
| 83 | 83 | | immediately if it receives a vote of two-thirds of all the members |
|---|
| 84 | 84 | | elected to each house, as provided by Section 39, Article III, Texas |
|---|
| 85 | 85 | | Constitution. If this Act does not receive the vote necessary for |
|---|
| 86 | 86 | | immediate effect, this Act takes effect September 1, 2021. |
|---|