88R23979 MLH-F
By: Raymond, Button H.B. No. 1723
Substitute the following for H.B. No. 1723:
By: Button C.S.H.B. No. 1723
A BILL TO BE ENTITLED
AN ACT
relating to requiring the Department of Information Resources to
conduct a study concerning the cybersecurity of small businesses.
BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF TEXAS:
SECTION 1. DEFINITIONS. In this Act:
(1) "Department" means the Department of Information
Resources.
(2) "Tax incentive" means any exemption, deduction,
credit, exclusion, waiver, rebate, discount, deferral, or other
abatement or reduction of state tax liability of a business entity.
SECTION 2. STUDY CONCERNING CYBERSECURITY OF SMALL
BUSINESSES. (a) The department, in collaboration with the Texas
Workforce Commission, shall conduct a study to determine:
(1) how small businesses can improve their ability to
protect against cybersecurity risks and threats to the businesses'
supply chain and to mitigate and recover from cybersecurity
incidents; and
(2) the feasibility of establishing a grant program
for small businesses to receive funds to upgrade their
cybersecurity infrastructure and to participate in cybersecurity
awareness training.
(b) The department may, if necessary and as appropriate,
partner with a nonprofit entity or institution of higher education,
as defined by Section 61.003, Education Code, to conduct the study.
(c) The study may be limited to the geographic region or
regions served by a nonprofit entity or institution of higher
education with which the department partners under Subsection (b)
of this section.
(d) In conducting the study, the department may consider:
(1) the current best practices used by small
businesses for cybersecurity controls for their information
systems to protect against supply chain vulnerabilities, which may
include best practices related to:
(A) software integrity and authenticity; and
(B) vendor risk management and procurement
controls, including notification by vendors of any cybersecurity
incidents related to the vendor's products and services;
(2) barriers or challenges for small businesses in
purchasing or acquiring cybersecurity products or services;
(3) the estimated cost of any available tax incentives
or other state incentives to increase the ability of small
businesses to acquire products and services that promote
cybersecurity;
(4) the availability of resources small businesses
need to respond to and recover from a cybersecurity event;
(5) the impact of cybersecurity incidents that have
affected small businesses, including the resulting costs to small
businesses;
(6) to the extent possible, any emerging cybersecurity
risks and threats to small businesses resulting from the deployment
of new technologies; and
(7) any other issue the department and the Texas
Workforce Commission determine would have a future impact on
cybersecurity for small businesses with supply chain
vulnerabilities.
(e) In determining the feasibility of establishing a grant
program described by Subsection (a)(2) of this section, the study
must:
(1) identify the most significant and widespread
cybersecurity incidents impacting small businesses, vendors, and
others in the supply chain network of small businesses;
(2) consider the amount small businesses currently
spend on cybersecurity products and services and the availability
and market price of those services; and
(3) identify the type and frequency of training
necessary to protect small businesses from supply chain
cybersecurity risks and threats.
SECTION 3. REPORT. (a) Not later than December 31, 2024,
the department shall submit to the standing committees of the
senate and house of representatives with jurisdiction over small
businesses and cybersecurity a report that contains:
(1) the results of the study conducted under Section 2
of this Act, including the feasibility of establishing a grant
program described by Subsection (a)(2) of that section; and
(2) recommendations for best practices and controls
for small businesses to implement in order to update and protect
their information systems against cybersecurity risks and threats.
(b) The department shall make the report available on the
department's Internet website.
SECTION 4. EXPIRATION OF ACT. This Act expires September 1,
2025.
SECTION 5. EFFECTIVE DATE. This Act takes effect
immediately if it receives a vote of two-thirds of all the members
elected to each house, as provided by Section 39, Article III, Texas
Constitution. If this Act does not receive the vote necessary for
immediate effect, this Act takes effect September 1, 2023.