Texas Administrative Code
Title 7 - BANKING AND SECURITIES
Part 4 - DEPARTMENT OF SAVINGS AND MORTGAGE LENDING
Chapter 57 - MORTGAGE BANKERS
Subchapter C - DUTIES AND RESPONSIBILITIES
Section 57.210 - Reportable Incidents

Universal Citation: 7 TX Admin Code § 57.210

Current through Reg. 50, No. 13; March 28, 2025

(a) Definitions. For purposes of this section, the following definitions apply, unless the context clearly indicates otherwise:

(1) "Catastrophic event" means an event, other than a security event, that is unforeseen and results in extraordinary levels of damage or disruption to operations (e.g., the destruction of a principal office or data center).

(2) "Reportable incident" means an incident or situation that presents a material risk, financial or otherwise, to a mortgage banker's operations or its customers. A reportable incident includes the following items, provided, it presents a material risk:
(A) a "catastrophic event" as defined by this subsection; or

(B) a "security event" as defined by this subsection.

(3) "Root cause analysis report" means a written report concerning the results or findings of an audit or investigation to determine the origin or root cause of a security event, identify strategic measures to effectively contain and limit the impact of a security event, and to prevent a future security event.

(4) "Security event" means an event resulting in unauthorized access to, or disruption or misuse of, an information system, information stored on such information system, or customer information held in physical form. It includes information that is encrypted, if the person with unauthorized access to the information can decrypt the data.

(b) Incident Report. Except as provided by subsection (c) of this section, a mortgage banker must submit a written report to SML concerning any reportable incident within 30 days after the date the mortgage banker becomes aware of the reportable incident. The report must include:

(1) a detailed description of the nature and circumstances of the reportable incident;

(2) the number of Texas residents affected or potentially affected by the reportable incident;

(3) the measures taken by the mortgage banker to resolve or address the reportable incident;

(4) the measures the mortgage banker plans to take to resolve or address the reportable incident; and

(5) the point of contact designated by the mortgage banker for inquires by SML about the reportable incident.

(c) Incidents Reported to Other Agencies. A mortgage banker must provide SML with a copy of the following notifications sent to other agencies at the time it makes the notification. Except as provided by subsection (d) of this section, a notification provided to SML under this subsection satisfies the requirement to file a report under subsection (b) of this section:

(1) the notification to the Federal Trade Commission (FTC) required by Section 314.4(j) of the FTC's Standards for Safeguarding Customer Information rules (16 C.F.R. § 314.4(j)); and

(2) the notification to the Office of the Attorney General of Texas required by Business and Commerce Code § 521.053(i).

(d) Root Cause Analysis for Security Events. For any security event triggering a notification described by subsection (c) of this section, the mortgage banker must provide SML with a root cause analysis report within 120 days after the date the mortgage banker becomes aware that the security event occurred.

(e) Supplemental Information. SML may require additional, clarifying, or supplemental information or documentation related to a reportable incident as SML deems necessary or appropriate.

(f) Confidentiality. Information reported under this section is deemed to be confidential information obtained by SML during an examination, investigation, or inspection, as provided by Finance Code § 157.021 and § 57.302 of this title (relating to Confidentiality of Examination, Investigation, and Inspection Information).

Disclaimer: These regulations may not be the most recent version. Texas may have more current or accurate information. We make no warranties or guarantees about the accuracy, completeness, or adequacy of the information contained on this site or the information linked to on the state site. Please check official sources.
This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.