(a) Definitions. The following words and terms, when used in this section, shall have the following meanings, unless the context clearly indicates otherwise.
(1) "Cybersecurity incident" means any observed occurrence in an information system, whether maintained by the bank or by an affiliate or third party service provider at the direction of the bank, that:
- (A) jeopardizes the cybersecurity of the information system or the information the system processes, stores or transmits; or
- (B) violates the security policies, security procedures or acceptable use policies of the information system owner to the extent such occurrence results from unauthorized or malicious activity.
- (2) "Information system" means a set of applications, services, information technology assets or other information-handling components organized for the collection, processing, maintenance, use, sharing, dissemination or disposition of electronic information, including the operating environment as well as any specialized system such as electronic banking systems, industrial/process control systems, telephone switching and private branch exchange systems, and environmental control systems.
(b) Notice required. A state bank shall notify the banking commissioner and submit the information required by subsection (c) of this section as soon as practicable but prior to customer notification, and not later than 15 days following the bank's determination that a cybersecurity incident regarding the bank's information system will likely:
- (1) require submission of a notice or report to a state or federal regulatory or law enforcement agency or to a self-regulatory body other than the notice required by this section;
- (2) require sending a data breach notification to customers of the bank under applicable state or federal law, including Business and Commerce Code, §521.053, or a similar law of another state; or
- (3) substantively impact the ability of the bank to effect transactions on behalf of customers, accurately report transactions to customers, or otherwise conduct bank business.
(c) Content of notice. The confidential notice required by subsection (b) of this section must include, to the extent known at the time of submission:
- (1) a brief description of the cybersecurity incident, including the approximate date of the incident, the date the incident was discovered, and the nature of any data that may have been illegally obtained or accessed;
- (2) subject to subsection (d) of this section, a list of the state and federal regulatory agencies, self-regulatory bodies, and foreign regulatory agencies to whom notice has been or will be provided; and
- (3) the name, address, telephone number, and email address of the employee or agent of the bank from whom additional information may be obtained regarding the incident.
- (d) Omission of certain information. The filing of a suspicious activity report (SAR) related to the cybersecurity incident under applicable federal law constitutes a notice described by subsection (b)(1) of this section. However, the bank should not reference or mention the filing of a SAR in the notice filed with the commissioner.
- (e) Incident response plan. The notice requirement imposed by this section must be incorporated into the bank's written incident response plan, maintained as part of the bank's information security program.
Source Note:The provisions of this §3.24 adopted to be effective January 2, 2020, 44 TexReg 8227.