(a) Definitions. The following words and terms, when
used in this section, shall have the following meanings, unless the
context clearly indicates otherwise.
(1) Cybersecurity incident--
(A) the unauthorized acquisition of computerized or
electronic data that compromises the security, confidentiality, or
integrity of sensitive personal information being maintained;
(B) an occurrence that otherwise jeopardizes the security
of the information system or the information the system processes,
stores or transmits; or
(C) violates the security policies, security procedures
or acceptable use policies of the information system owner to the
extent such occurrence results from unauthorized or malicious activity.
(2) Information system--a set of applications, services,
information technology assets or other information-handling components
organized for the collection, processing, maintenance, use, sharing,
dissemination or disposition of electronic information, which is maintained
by the investment adviser, an affiliate, or a third party service
provider at the direction of the investment adviser.
(3) "Triggering event" means a cybersecurity incident
regarding the information system maintained by or on behalf of the
investment adviser, that will require:
(A) submission of a notice to a state or federal agency,
law enforcement, or to a self-regulatory body; or
(B) sending a data breach notification to customers
of the investment adviser under applicable state or federal law, including
Business and Commerce Code, §521.053, or a similar law of another
state.
(b) Notice to the Securities Commissioner. When a triggering
event occurs that does or may affect customers or clients of the investment
adviser located in Texas, the registered investment adviser must provide
notice to the Securities Commissioner at the time the notice or notification
identified in paragraph (3)(A) or (3)(B) of subsection (a) of this
section occurs.
(c) Content of notice. The notice required by subsection
(b) of this section is met by the registered investment adviser forwarding
a copy of the notice or notification identified in paragraph (3)(A)
or (3)(B) of subsection (a) of this section or other document containing
substantially the same information. Additionally, if such information
is available to the registered investment adviser at the time the
notice is provided, the investment adviser should identify the number
of customers located in Texas affected by the triggering event.
|