(a) Definitions. The following words and terms, when
used in this section, shall have the following meanings, unless the
context clearly indicates otherwise.
(1) "Cybersecurity incident" means any observed occurrence
in an information system, whether maintained by you or by an affiliate
or third party service provider at your direction, that:
(A) jeopardizes the cybersecurity of the information
system or the information the system processes, stores or transmits;
or
(B) violates the security policies, security procedures
or acceptable use policies of the information system owner to the
extent such occurrence results from unauthorized or malicious activity.
(2) "Information system" means a set of applications,
services, information technology assets or other information-handling
components organized for the collection, processing, maintenance,
use, sharing, dissemination or disposition of electronic information,
including the operating environment as well as any specialized system
such as electronic payment systems, industrial/process control systems,
telephone switching and private branch exchange systems and environmental
control systems.
(3) "You" means a holder of a money transmission or
currency exchange license issued under Finance Code, Chapter 152.
(b) Notice required. You must notify the banking commissioner
and submit the information required by subsection (c) of this section
as soon as practicable but prior to customer notification, and not
later than 15 days following your determination that a cybersecurity
incident regarding your information system will likely:
(1) require you to submit a notice or report to another
state or federal regulatory or law enforcement agency or to a self-regulatory
body other than the notice required by this section;
(2) require you to provide a data breach notification
to any of your customers under applicable state or federal law, including
Business and Commerce Code, §521.053, or a similar law of another
state; or
(3) substantively impact your ability to effect transactions
on behalf of your customers, accurately report transactions to your
customers, or otherwise conduct your business.
(c) The notice required by subsection (b) of this section
must include, to the extent known at the time of submission:
(1) a brief description of the cybersecurity incident,
including the approximate date of the incident, the date the incident
was discovered, and the nature of any data that may have been illegally
obtained or accessed;
(2) subject to subsection (d) of this section, a list
of the state and federal regulatory agencies, self-regulatory bodies,
and foreign regulatory agencies to whom you have provided or will
provide notice of the incident; and
(3) the name, address, telephone number, and email
address of your employee or agent from whom additional information
may be obtained regarding the incident.
(d) Omission of certain information. The filing of
a suspicious activity report (SAR) related to the cybersecurity incident
under applicable federal law constitutes a notice described by subsection
(b)(1) of this section. However, you should not reference or mention
the filing of a SAR in the notice filed with the commissioner.
(e) Incident response plan. The notice requirement
imposed by this section must be incorporated into the written incident
response plan that you maintain as part of your information security
program.