Current through Reg. 49, No. 50; December 13, 2024
Section 56.210 - Reportable Incidents

(a) Definitions. For purposes of this section, the following definitions apply, unless the context clearly indicates otherwise:
    (1) "Catastrophic event" means an event, other than a security event, that is unforeseen and results in extraordinary levels of damage or disruption to operations (e.g., the destruction of a principal office or data center).
    (2) "Reportable incident" means an incident or situation that presents a material risk, financial or otherwise, to a mortgage company's operations or its customers. A reportable incident includes the following items, provided, it presents a material risk:
        (A) a "catastrophic event" as defined by this subsection; or
        (B) a "security event" as defined by this subsection.
    (3) "Root cause analysis report" means a written report concerning the results or findings of an audit or investigation to determine the origin or root cause of a security event, identify strategic measures to effectively contain and limit the impact of a security event, and to prevent a future security event.
    (4) "Security event" means an event resulting in unauthorized access to, or disruption or misuse of, an information system, information stored on such information system, or customer information held in physical form. It includes information that is encrypted, if the person with unauthorized access to the information can decrypt the data.

(b) Incident Report. Except as provided by subsection (c) of this section, a mortgage company must submit a written report to SML concerning any reportable incident within 30 days after the date the mortgage company becomes aware of the reportable incident. The report must include:
    (1) a detailed description of the nature and circumstances of the reportable incident;
    (2) the number of Texas residents affected or potentially affected by the reportable incident;
    (3) the measures taken by the mortgage company to resolve or address the reportable incident;
    (4) the measures the mortgage company plans to take to resolve or address the reportable incident; and
    (5) the point of contact designated by the mortgage company for inquiries by SML about the reportable incident.

(c) Incidents Reported to Other Agencies. A mortgage company must provide SML with a copy of the following notifications sent to other agencies at the time it makes the notification. Except as provided by subsection (d) of this section, a notification provided to SML under this subsection satisfies the requirement to file a report under subsection (b) of this section:
    (1) the notification to the Federal Trade Commission (FTC) required by Section 314.4(j) of the FTC's Standards for Safeguarding Customer Information rules (16 C.F.R. § 314.4(j)); and
    (2) the notification to the Office of the Attorney General of Texas required by Business and Commerce Code §521.053(i).

(d) Root Cause Analysis for Security Events. For any security event triggering a notification described by subsection (c) of this section, the mortgage company must provide SML with a root cause analysis report within 120 days after the date the mortgage company becomes aware that the security event occurred.

(e) Supplemental Information. SML may require additional, clarifying, or supplemental information or documentation related to a reportable incident as SML deems necessary or appropriate.

(f) Confidentiality. Information reported under this section is deemed to be confidential information obtained by SML during an examination, investigation, or inspection, as provided by Finance Code §156.301 and §56.302 of this title (relating to Confidentiality of Examination, Investigation, and Inspection Information).

7 Tex. Admin. Code § 56.210
Adopted by Texas Register, Volume 49, Number 46, November 15, 2024, TexReg 9210, eff. 11/23/2024