| 1 | 1 | | 89R186 MLH-D |
|---|
| 2 | 2 | | By: Raymond H.B. No. 1172 |
|---|
| 3 | 3 | | |
|---|
| 4 | 4 | | |
|---|
| 5 | 5 | | |
|---|
| 6 | 6 | | |
|---|
| 7 | 7 | | A BILL TO BE ENTITLED |
|---|
| 8 | 8 | | AN ACT |
|---|
| 9 | 9 | | relating to requiring the Department of Information Resources to |
|---|
| 10 | 10 | | conduct a study concerning the cybersecurity of small businesses. |
|---|
| 11 | 11 | | BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF TEXAS: |
|---|
| 12 | 12 | | SECTION 1. DEFINITIONS. In this Act: |
|---|
| 13 | 13 | | (1) "Department" means the Department of Information |
|---|
| 14 | 14 | | Resources. |
|---|
| 15 | 15 | | (2) "Tax incentive" means any exemption, deduction, |
|---|
| 16 | 16 | | credit, exclusion, waiver, rebate, discount, deferral, or other |
|---|
| 17 | 17 | | abatement or reduction of state tax liability of a business entity. |
|---|
| 18 | 18 | | SECTION 2. STUDY CONCERNING CYBERSECURITY OF SMALL |
|---|
| 19 | 19 | | BUSINESSES. (a) The department, in collaboration with the Texas |
|---|
| 20 | 20 | | Workforce Commission, shall conduct a study to determine: |
|---|
| 21 | 21 | | (1) how small businesses can improve their ability to |
|---|
| 22 | 22 | | protect against cybersecurity risks and threats to the businesses' |
|---|
| 23 | 23 | | supply chain and to mitigate and recover from cybersecurity |
|---|
| 24 | 24 | | incidents; and |
|---|
| 25 | 25 | | (2) the feasibility of establishing a grant program |
|---|
| 26 | 26 | | for small businesses to receive funds to upgrade their |
|---|
| 27 | 27 | | cybersecurity infrastructure and to participate in cybersecurity |
|---|
| 28 | 28 | | awareness training. |
|---|
| 29 | 29 | | (b) The department may, if necessary and as appropriate, |
|---|
| 30 | 30 | | partner with a nonprofit entity or institution of higher education, |
|---|
| 31 | 31 | | as defined by Section 61.003, Education Code, to conduct the study. |
|---|
| 32 | 32 | | (c) The study may be limited to the geographic region or |
|---|
| 33 | 33 | | regions served by a nonprofit entity or institution of higher |
|---|
| 34 | 34 | | education with which the department partners under Subsection (b) |
|---|
| 35 | 35 | | of this section. |
|---|
| 36 | 36 | | (d) In conducting the study, the department may consider: |
|---|
| 37 | 37 | | (1) the current best practices used by small |
|---|
| 38 | 38 | | businesses for cybersecurity controls for their information |
|---|
| 39 | 39 | | systems to protect against supply chain vulnerabilities, which may |
|---|
| 40 | 40 | | include best practices related to: |
|---|
| 41 | 41 | | (A) software integrity and authenticity; and |
|---|
| 42 | 42 | | (B) vendor risk management and procurement |
|---|
| 43 | 43 | | controls, including notification by vendors of any cybersecurity |
|---|
| 44 | 44 | | incidents related to the vendor's products and services; |
|---|
| 45 | 45 | | (2) barriers or challenges for small businesses in |
|---|
| 46 | 46 | | purchasing or acquiring cybersecurity products or services; |
|---|
| 47 | 47 | | (3) the estimated cost of any available tax incentives |
|---|
| 48 | 48 | | or other state incentives to increase the ability of small |
|---|
| 49 | 49 | | businesses to acquire products and services that promote |
|---|
| 50 | 50 | | cybersecurity; |
|---|
| 51 | 51 | | (4) the availability of resources small businesses |
|---|
| 52 | 52 | | need to respond to and recover from a cybersecurity event; |
|---|
| 53 | 53 | | (5) the impact of cybersecurity incidents that have |
|---|
| 54 | 54 | | affected small businesses, including the resulting costs to small |
|---|
| 55 | 55 | | businesses; |
|---|
| 56 | 56 | | (6) to the extent possible, any emerging cybersecurity |
|---|
| 57 | 57 | | risks and threats to small businesses resulting from the deployment |
|---|
| 58 | 58 | | of new technologies; and |
|---|
| 59 | 59 | | (7) any other issue the department and the Texas |
|---|
| 60 | 60 | | Workforce Commission determine would have a future impact on |
|---|
| 61 | 61 | | cybersecurity for small businesses with supply chain |
|---|
| 62 | 62 | | vulnerabilities. |
|---|
| 63 | 63 | | (e) In determining the feasibility of establishing a grant |
|---|
| 64 | 64 | | program described by Subsection (a)(2) of this section, the study |
|---|
| 65 | 65 | | must: |
|---|
| 66 | 66 | | (1) identify the most significant and widespread |
|---|
| 67 | 67 | | cybersecurity incidents impacting small businesses, vendors, and |
|---|
| 68 | 68 | | others in the supply chain network of small businesses; |
|---|
| 69 | 69 | | (2) consider the amount small businesses currently |
|---|
| 70 | 70 | | spend on cybersecurity products and services and the availability |
|---|
| 71 | 71 | | and market price of those services; and |
|---|
| 72 | 72 | | (3) identify the type and frequency of training |
|---|
| 73 | 73 | | necessary to protect small businesses from supply chain |
|---|
| 74 | 74 | | cybersecurity risks and threats. |
|---|
| 75 | 75 | | SECTION 3. REPORT. (a) Not later than December 31, 2026, |
|---|
| 76 | 76 | | the department shall submit to the standing committees of the |
|---|
| 77 | 77 | | senate and house of representatives with jurisdiction over small |
|---|
| 78 | 78 | | businesses and cybersecurity a report that contains: |
|---|
| 79 | 79 | | (1) the results of the study conducted under Section 2 |
|---|
| 80 | 80 | | of this Act, including the feasibility of establishing a grant |
|---|
| 81 | 81 | | program described by Subsection (a)(2) of that section; and |
|---|
| 82 | 82 | | (2) recommendations for best practices and controls |
|---|
| 83 | 83 | | for small businesses to implement in order to update and protect |
|---|
| 84 | 84 | | their information systems against cybersecurity risks and threats. |
|---|
| 85 | 85 | | (b) The department shall make the report available on the |
|---|
| 86 | 86 | | department's Internet website. |
|---|
| 87 | 87 | | SECTION 4. EXPIRATION OF ACT. This Act expires September 1, |
|---|
| 88 | 88 | | 2027. |
|---|
| 89 | 89 | | SECTION 5. EFFECTIVE DATE. This Act takes effect |
|---|
| 90 | 90 | | immediately if it receives a vote of two-thirds of all the members |
|---|
| 91 | 91 | | elected to each house, as provided by Section 39, Article III, Texas |
|---|
| 92 | 92 | | Constitution. If this Act does not receive the vote necessary for |
|---|
| 93 | 93 | | immediate effect, this Act takes effect September 1, 2025. |
|---|