Tuesday, February 25, 2020

Texas adopts cybersecurity incident procedures for dealers and investment advisers

By Jay Fishman, J.D.

The Texas State Securities Board has adopted notification procedures that dealers and investment advisers must follow when a cybersecurity incident is triggered, effective February 27, 2020.

Cybersecurity incident procedures. Definitions. A "cybersecurity incident" is defined as the unauthorized acquisition of computerized or electronic data that: (1) compromises the security, confidentiality, or integrity of sensitive personal information being maintained; (2) jeopardizes the security of the information system or the information the system processes, stores or transmits; or (3) violates the information system owner’s security policies, security procedures or acceptable use policies to the extent the occurrence results from unauthorized or malicious activity.

An "information system" is a set of applications, services, information technology assets or other information-handling components organized for collecting, processing, maintaining, using, sharing, disseminating or disposing of electronic information, which is maintained by the dealer, investment adviser, an affiliate, or a third party at the dealer’s or investment adviser’s direction.

A "triggering event" is a cybersecurity incident pertaining to the information system a dealer or investment adviser maintains (or that is maintained on the dealer’s or investment adviser’s behalf). The triggering event requires the dealer or investment adviser to either submit a notice to a state or federal agency, law enforcement or self-regulatory body, or send a data breach notification to the dealer’s customers or to the investment adviser’s clients under applicable state or federal law, including Texas Business and Commerce Code Section 521.053 (or a similar law of another state).

Notice filing. A dealer or investment adviser must file a notice with the Texas Securities Commissioner when a triggering event occurs that does or may affect the dealer’s Texas-located customers or that does or may affect the investment adviser’s Texas-located clients. The dealer or investment adviser must specifically forward to the Securities Commissioner a copy of the above-mentioned "triggering event notice or notification" or a substantially similar document containing the same information. The dealer or investment adviser must include with the "notice document" the number of Texas-located customers or clients affected by the triggering event (if this information is available).