By Jay Fishman, J.D.
The Texas State Securities Board has adopted certain notification procedures that dealers and investment advisers must undertake when a cybersecurity incident is triggered, effective February 27, 2020.
Cybersecurity incident procedures. Definitions. A "cybersecurity incident" is defined as the unauthorized acquisition of computerized or electronic data that: (1) compromises the security, confidentiality, or integrity of sensitive personal information being maintained; (2) jeopardizes the security of the information system or the information the system processes, stores or transmits; or (3) violates the information system owner’s security policies, security procedures or acceptable use policies to the extent the occurrence results from unauthorized or malicious activity.
An "information system" is a set of applications, services, information technology assets or other information-handling components organized for collecting, processing, maintaining, using, sharing, disseminating or disposing of electronic information, which is maintained by the dealer, investment adviser, an affiliate, or a third party at the dealer’s or investment adviser’s direction.
A "triggering event" is a cybersecurity incident pertaining to the information system a dealer or investment adviser maintains (or that is maintained on the dealer’s or investment adviser’s behalf). The triggering event requires the dealer or investment adviser to either submit a notice to a state or federal agency, law enforcement or self-regulatory body, or send a data breach notification to the dealer’s customers or to the investment adviser’s clients under applicable state or federal law, including Texas Business and Commerce Code Section 521.053 (or a similar law of another state).
Notice filing. A dealer or investment adviser must file a notice with the Texas Securities Commissioner when a triggering event occurs that does or may affect the dealer’s Texas-located customers or that does or may affect the investment adviser’s Texas-located clients. The dealer or investment adviser must specifically forward to the Securities Commissioner a copy of the above-mentioned "triggering event notice or notification" or a substantially similar document containing the same information. The dealer or investment adviser must include with the "notice document" the number of Texas-located customers or clients affected by the triggering event (if this information is available).