| 1 | 1 | | 88R8305 SCP-F |
|---|
| 2 | 2 | | By: Bell of Montgomery, AnchÃa, Capriglione H.B. No. 4996 |
|---|
| 3 | 3 | | |
|---|
| 4 | 4 | | |
|---|
| 5 | 5 | | A BILL TO BE ENTITLED |
|---|
| 6 | 6 | | AN ACT |
|---|
| 7 | 7 | | relating to a statewide cyber insurance program. |
|---|
| 8 | 8 | | BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF TEXAS: |
|---|
| 9 | 9 | | SECTION 1. DEFINITIONS. In this Act: |
|---|
| 10 | 10 | | (1) "Department" means the Department of Information |
|---|
| 11 | 11 | | Resources. |
|---|
| 12 | 12 | | (2) "Office" means the State Office of Risk |
|---|
| 13 | 13 | | Management. |
|---|
| 14 | 14 | | (3) "Risk framework" means key security domains |
|---|
| 15 | 15 | | identified by cyber insurance underwriters based on current |
|---|
| 16 | 16 | | security controls. |
|---|
| 17 | 17 | | (4) "Security controls" include: |
|---|
| 18 | 18 | | (A) use of multiple security levels; |
|---|
| 19 | 19 | | (B) managing user access; |
|---|
| 20 | 20 | | (C) user authentication; |
|---|
| 21 | 21 | | (D) network and server vulnerability; |
|---|
| 22 | 22 | | (E) malware defense; |
|---|
| 23 | 23 | | (F) operational technology; |
|---|
| 24 | 24 | | (G) remote work; |
|---|
| 25 | 25 | | (H) third-party vendor management; |
|---|
| 26 | 26 | | (I) e-mail filtering; |
|---|
| 27 | 27 | | (J) response planning; |
|---|
| 28 | 28 | | (K) data encryption and backup; |
|---|
| 29 | 29 | | (L) use of wireless devices and connections; |
|---|
| 30 | 30 | | (M) monitoring users or devices; |
|---|
| 31 | 31 | | (N) continuity of service; |
|---|
| 32 | 32 | | (O) incident response; |
|---|
| 33 | 33 | | (P) appropriate insurance coverage; and |
|---|
| 34 | 34 | | (Q) governance. |
|---|
| 35 | 35 | | SECTION 2. STUDY. Not later than October 1, 2023, the |
|---|
| 36 | 36 | | department shall contract with a cyber risk model vendor to conduct |
|---|
| 37 | 37 | | a study on the development of a statewide risk framework in order to |
|---|
| 38 | 38 | | determine the need for and feasibility of implementing a statewide |
|---|
| 39 | 39 | | cyber insurance program. The department shall enter into a |
|---|
| 40 | 40 | | memorandum of understanding with the office to support this |
|---|
| 41 | 41 | | assessment. |
|---|
| 42 | 42 | | SECTION 3. INSURANCE PROGRAM. Based on the results of the |
|---|
| 43 | 43 | | study required by Section 2 of this Act, the office may develop and |
|---|
| 44 | 44 | | maintain a statewide cyber insurance program meeting the |
|---|
| 45 | 45 | | specifications identified in the study. |
|---|
| 46 | 46 | | SECTION 4. REPORT. Not later than April 1, 2024, the |
|---|
| 47 | 47 | | department, in conjunction with the office, shall prepare and |
|---|
| 48 | 48 | | submit to the governor and the legislature a report containing the |
|---|
| 49 | 49 | | results of the study and any recommendations for legislative or |
|---|
| 50 | 50 | | other action to address the need for and feasibility of requiring |
|---|
| 51 | 51 | | cyber insurance. |
|---|
| 52 | 52 | | SECTION 5. EXPIRATION. This Act expires September 1, 2025. |
|---|
| 53 | 53 | | SECTION 6. EFFECTIVE DATE. This Act takes effect |
|---|
| 54 | 54 | | immediately if it receives a vote of two-thirds of all the members |
|---|
| 55 | 55 | | elected to each house, as provided by Section 39, Article III, Texas |
|---|
| 56 | 56 | | Constitution. If this Act does not receive the vote necessary for |
|---|
| 57 | 57 | | immediate effect, this Act takes effect September 1, 2023. |
|---|