(a) Definitions. The following words and terms, when used in this section, shall have the following meanings, unless the context clearly indicates otherwise.

(1) "Cybersecurity incident" means any observed occurrence in an information system, whether maintained by the trust company or by an affiliate or third-party service provider at the direction of the trust company, that:

(A) jeopardizes the cybersecurity of the information system or the information the system processes, stores or transmits; or

(B) violates the security policies, security procedures or acceptable use policies of the information system owner to the extent such occurrence results from unauthorized or malicious activity.

(2) "Information system" means a set of applications, services, information technology assets or other information-handling components organized for the collection, processing, maintenance, use, sharing, dissemination or disposition of electronic information, including the operating environment as well as any specialized system such as telephone switching or exchange systems and environmental control systems.

(b) Notice required. A state trust company shall notify the banking commissioner and submit the information required by subsection (c) of this section as soon as practicable but prior to customer notification, and not later than 15 days following the trust company's determination that a cybersecurity incident regarding the trust company's information system will likely:

(1) require submission of a notice or report to another state or federal regulatory agency or to a self-regulatory body other than the notice required by this section;

(2) require sending a data breach notification to trust company clients or beneficiaries of trusts and custodial arrangements handled by the trust company under applicable state or federal law, including Business and Commerce Code, §521.053, or a similar law of another state; or

(3) substantively impact the ability of the state trust company to effect transactions on behalf of its clients or beneficiaries of trusts and custodial arrangements handled by the trust company, accurately report transactions to clients and beneficiaries, or otherwise conduct trust company business.

(c) Content of notice. The confidential notice required by subsection (b) of this section must include, to the extent known at the time of submission:

(1) a brief description of the cybersecurity incident, including the approximate date of the incident, the date the incident was discovered, and the nature of any data that may have been illegally obtained or accessed;

(2) subject to subsection (d) of this section, a list of the state and federal regulatory agencies, self-regulatory bodies, and foreign regulatory agencies to whom notice has been or will be provided; and

(3) the name, address, telephone number, and email address of the employee or agent of the trust company from whom additional information may be obtained regarding the incident.

(d) Omission of certain information. The filing of a suspicious activity report (SAR) related to the cybersecurity incident under applicable federal law constitutes a notice described by subsection (b)(1) of this section. However, the trust company should not reference or mention the filing of a SAR in the notice filed with the commissioner.

(e) Incident response plan. The notice requirement imposed by this section must be incorporated into the trust company's written incident response plan, maintained as part of the trust company's information security program.

(f) Exemptions. This section does not apply to a state trust company that is exempt under Finance Code, §182.011.