Bill Text: TX HB1172 | 2025-2026 | 89th Legislature | Introduced
Bill Title: Relating to requiring the Department of Information Resources to conduct a study concerning the cybersecurity of small businesses.
Spectrum: Partisan Bill (Democrat 1-0)
Status: (Introduced) 2024-11-12 - Filed [HB1172 Detail]
Download: Texas-2025-HB1172-Introduced.html
| 89R186 MLH-D | ||
| By: Raymond | H.B. No. 1172 | |
|
|
||
|
|
||
| relating to requiring the Department of Information Resources to | ||
| conduct a study concerning the cybersecurity of small businesses. | ||
| BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF TEXAS: | ||
| SECTION 1. DEFINITIONS. In this Act: | ||
| (1) "Department" means the Department of Information | ||
| Resources. | ||
| (2) "Tax incentive" means any exemption, deduction, | ||
| credit, exclusion, waiver, rebate, discount, deferral, or other | ||
| abatement or reduction of state tax liability of a business entity. | ||
| SECTION 2. STUDY CONCERNING CYBERSECURITY OF SMALL | ||
| BUSINESSES. (a) The department, in collaboration with the Texas | ||
| Workforce Commission, shall conduct a study to determine: | ||
| (1) how small businesses can improve their ability to | ||
| protect against cybersecurity risks and threats to the businesses' | ||
| supply chain and to mitigate and recover from cybersecurity | ||
| incidents; and | ||
| (2) the feasibility of establishing a grant program | ||
| for small businesses to receive funds to upgrade their | ||
| cybersecurity infrastructure and to participate in cybersecurity | ||
| awareness training. | ||
| (b) The department may, if necessary and as appropriate, | ||
| partner with a nonprofit entity or institution of higher education, | ||
| as defined by Section 61.003, Education Code, to conduct the study. | ||
| (c) The study may be limited to the geographic region or | ||
| regions served by a nonprofit entity or institution of higher | ||
| education with which the department partners under Subsection (b) | ||
| of this section. | ||
| (d) In conducting the study, the department may consider: | ||
| (1) the current best practices used by small | ||
| businesses for cybersecurity controls for their information | ||
| systems to protect against supply chain vulnerabilities, which may | ||
| include best practices related to: | ||
| (A) software integrity and authenticity; and | ||
| (B) vendor risk management and procurement | ||
| controls, including notification by vendors of any cybersecurity | ||
| incidents related to the vendor's products and services; | ||
| (2) barriers or challenges for small businesses in | ||
| purchasing or acquiring cybersecurity products or services; | ||
| (3) the estimated cost of any available tax incentives | ||
| or other state incentives to increase the ability of small | ||
| businesses to acquire products and services that promote | ||
| cybersecurity; | ||
| (4) the availability of resources small businesses | ||
| need to respond to and recover from a cybersecurity event; | ||
| (5) the impact of cybersecurity incidents that have | ||
| affected small businesses, including the resulting costs to small | ||
| businesses; | ||
| (6) to the extent possible, any emerging cybersecurity | ||
| risks and threats to small businesses resulting from the deployment | ||
| of new technologies; and | ||
| (7) any other issue the department and the Texas | ||
| Workforce Commission determine would have a future impact on | ||
| cybersecurity for small businesses with supply chain | ||
| vulnerabilities. | ||
| (e) In determining the feasibility of establishing a grant | ||
| program described by Subsection (a)(2) of this section, the study | ||
| must: | ||
| (1) identify the most significant and widespread | ||
| cybersecurity incidents impacting small businesses, vendors, and | ||
| others in the supply chain network of small businesses; | ||
| (2) consider the amount small businesses currently | ||
| spend on cybersecurity products and services and the availability | ||
| and market price of those services; and | ||
| (3) identify the type and frequency of training | ||
| necessary to protect small businesses from supply chain | ||
| cybersecurity risks and threats. | ||
| SECTION 3. REPORT. (a) Not later than December 31, 2026, | ||
| the department shall submit to the standing committees of the | ||
| senate and house of representatives with jurisdiction over small | ||
| businesses and cybersecurity a report that contains: | ||
| (1) the results of the study conducted under Section 2 | ||
| of this Act, including the feasibility of establishing a grant | ||
| program described by Subsection (a)(2) of that section; and | ||
| (2) recommendations for best practices and controls | ||
| for small businesses to implement in order to update and protect | ||
| their information systems against cybersecurity risks and threats. | ||
| (b) The department shall make the report available on the | ||
| department's Internet website. | ||
| SECTION 4. EXPIRATION OF ACT. This Act expires September 1, | ||
| 2027. | ||
| SECTION 5. EFFECTIVE DATE. This Act takes effect | ||
| immediately if it receives a vote of two-thirds of all the members | ||
| elected to each house, as provided by Section 39, Article III, Texas | ||
| Constitution. If this Act does not receive the vote necessary for | ||
| immediate effect, this Act takes effect September 1, 2025. | ||
