Current through Reg. 49, No. 38; September 20, 2024
(a) Definitions. The following words and terms, when used in this section, shall have the following meanings, unless the context clearly indicates otherwise.
(1) "Cybersecurity incident" means any observed occurrence in an information system, whether maintained by the trust company or by an affiliate or third party service provider at the direction of the trust company, that:
(A) jeopardizes the cybersecurity of the information system or the information the system processes, stores or transmits; or
(B) violates the security policies, security procedures or acceptable use policies of the information system owner to the extent such occurrence results from unauthorized or malicious activity.
(2) "Information system" means a set of applications, services, information technology assets or other information-handling components organized for the collection, processing, maintenance, use, sharing, dissemination or disposition of electronic information, including the operating environment as well as any specialized system such as telephone switching or exchange systems and environmental control systems.
(b) Notice required. A state trust company shall notify the banking commissioner and submit the information required by subsection (c) of this section as soon as practicable but prior to customer notification, and not later than 15 days following the trust company's determination that a cybersecurity incident regarding the trust company's information system will likely:
(1) require submission of a notice or report to another state or federal regulatory agency or to a self-regulatory body other than the notice required by this section;
(2) require sending a data breach notification to trust company clients or beneficiaries of trusts and custodial arrangements handled by the trust company under applicable state or federal law, including Business and Commerce Code, §521.053, or a similar law of another state; or
(3) substantively impact the ability of the state trust company to effect transactions on behalf of its clients or beneficiaries of trusts and custodial arrangements handled by the trust company, accurately report transactions to clients and beneficiaries, or otherwise conduct trust company business.
(c) Content of notice. The confidential notice required by subsection (b) of this section must include, to the extent known at the time of submission:
(1) a brief description of the cybersecurity incident, including the approximate date of the incident, the date the incident was discovered, and the nature of any data that may have been illegally obtained or accessed;
(2) subject to subsection (d) of this section, a list of the state and federal regulatory agencies, self-regulatory bodies, and foreign regulatory agencies to whom notice has been or will be provided; and
(3) the name, address, telephone number, and email address of the employee or agent of the trust company from whom additional information may be obtained regarding the incident.
(d) Omission of certain information. The filing of a suspicious activity report (SAR) related to the cybersecurity incident under applicable federal law constitutes a notice described by subsection (b)(1) of this section. However, the trust company should not reference or mention the filing of a SAR in the notice filed with the commissioner.
(e) Incident response plan. The notice requirement imposed by this section must be incorporated into the trust company's written incident response plan, maintained as part of the trust company's information security program.
(f) Exemptions. This section does not apply to a state trust company that is exempt under Finance Code, §182.011.