88R2653 MLH-D
By: Raymond H.B. No. 1723
A BILL TO BE ENTITLED
AN ACT
relating to requiring the Department of Information Resources to
conduct a study concerning the cybersecurity of small businesses.
BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF TEXAS:
SECTION 1. DEFINITIONS. In this Act:
(1) "Department" means the Department of Information
Resources.
(2) "Tax incentive" means any exemption, deduction,
credit, exclusion, waiver, rebate, discount, deferral, or other
abatement or reduction of state tax liability of a business entity.
SECTION 2. STUDY CONCERNING CYBERSECURITY OF SMALL
BUSINESSES. (a) The department, in collaboration with the Texas
Workforce Commission, shall conduct a study to:
(1) assess how small businesses can improve their
ability to protect against cybersecurity risks and threats to the
businesses' supply chain and to mitigate and recover from
cybersecurity incidents; and
(2) determine the feasibility of establishing a grant
program for small businesses to receive funds to upgrade their
cybersecurity infrastructure and to participate in cybersecurity
awareness training.
(b) The department may, if necessary and as appropriate,
partner with a nonprofit entity or institution of higher education,
as defined by Section 61.003, Education Code, to conduct the study.
(c) In conducting the study, the department shall:
(1) consider the current best practices used by small
businesses for cybersecurity controls for their information
systems to protect against supply chain vulnerabilities, which may
include best practices related to:
(A) software integrity and authenticity; and
(B) vendor risk management and procurement
controls, including notification by vendors of any cybersecurity
incidents related to the vendor's products and services;
(2) identify barriers or challenges for small
businesses in purchasing or acquiring cybersecurity products or
services;
(3) consider and estimate the cost of any available
tax incentives or other state incentives to increase the ability of
small businesses to acquire products and services that promote
cybersecurity;
(4) assess the availability of resources small
businesses need to respond to and recover from a cybersecurity
event;
(5) assess the impact of cybersecurity incidents that
have affected small businesses, including the resulting costs to
small businesses;
(6) to the extent possible, identify any emerging
cybersecurity risks and threats to small businesses resulting from
the deployment of new technologies; and
(7) assess any other issue the department and the
Texas Workforce Commission determine would have a future impact on
cybersecurity for small businesses with supply chain
vulnerabilities.
(d) In determining the feasibility of establishing a grant
program described by Subsection (a)(2) of this section, the study
must:
(1) identify the most significant and widespread
cybersecurity incidents impacting small businesses, vendors, and
others in the supply chain network of small businesses;
(2) consider the amount small businesses currently
spend on cybersecurity products and services and the availability
and market price of those services; and
(3) identify the type and frequency of training
necessary to protect small businesses from supply chain
cybersecurity risks and threats.
SECTION 3. REPORT. (a) Not later than December 31, 2024,
the department shall submit to the standing committees of the
senate and house of representatives with jurisdiction over small
businesses and cybersecurity a report that contains:
(1) the results of the study conducted under Section 2
of this Act, including the feasibility of establishing a grant
program described by Subsection (a)(2) of that section; and
(2) recommendations for best practices and controls
for small businesses to implement in order to update and protect
their information systems against cybersecurity risks and threats.
(b) The department shall make the report available on the
department's Internet website.
SECTION 4. EXPIRATION OF ACT. This Act expires September 1,
2025.
SECTION 5. EFFECTIVE DATE. This Act takes effect
immediately if it receives a vote of two-thirds of all the members
elected to each house, as provided by Section 39, Article III, Texas
Constitution. If this Act does not receive the vote necessary for
immediate effect, this Act takes effect September 1, 2023.