New Ohio Cybersecurity Law Calls for Insurers to Take Action
By Christopher Shaffer, Director, Risk Advisory Services
Ohio became the second state in the U.S. to adopt the National Association of Insurance Commissioners’ (NAIC) Insurance Data Security Model Law, and to enact cybersecurity laws specifically for insurers. The Ohio cybersecurity law, which becomes effective on March 20, 2019, gives licensees one year to comply with the new requirements. Only New York, Connecticut, South Carolina and Michigan have similar laws. With more than 270 insurers and 1,600 insurance companies, Ohio is the sixth largest insurance market in the nation.
The intent of the new law is to safeguard business and personal information from cyberattacks, better protect Ohio consumers and provide a level playing field for Ohio insurers. The law applies to insurance companies – including health insurance providers – and to any organization under Ohio’s insurance laws that is, or is required to be, licensed, authorized or registered to operate in the state of Ohio.
Based on National Model
Like other industry sectors that store highly sensitive consumer data, the insurance industry has struggled with a rampant increase in cyberattacks, such as those that occurred at Anthem and Premera Blue Cross. With some modifications, Ohio’s new law is based on the model provided by the National Association of Insurance Commissioners through its Insurance Data Security Model Law, a framework that provides a structure of standards, guidelines and practices for managing cyber risks.
Data Security Requirements
The Ohio cybersecurity law imposes standards for investigating and reporting data security incidents. Among other requirements, licensees will be required to:
- Develop a written cybersecurity plan, customized for the size and complexity of the licensee
- Implement administrative, technical and physical safeguards to protect nonpublic information
- Conduct risk assessments for internal and external threats, and assess the sufficiency of policies and procedures in place
- Address vulnerabilities based on these risk assessments and prioritize which security measures must be implemented
- Establish, maintain and implement a written incident response plan to recover from a cybersecurity event, with clear roles and responsibilities defined
- Report cybersecurity events to the Ohio Department of Insurance
Each of these requirements carries detailed criteria that must be met to satisfy the law, and every licensee must understand each of them in order to comply.
Marcum’s Risk Advisory Group is skilled at working with insurance organizations of all sizes to help them develop a plan and implement the safeguards required to show compliance with the Ohio cybersecurity law. We can work with your team and perform external risk assessments to help you identify and address vulnerabilities found, and discuss ways you can implement corrective actions.
Compliance: Next Steps
Every Ohio insurance company must certify annually, in writing, on or before February 15 (beginning in 2020), that it is in compliance with the Ohio cybersecurity law. However, licensees who are covered by the security program of another licensee will not need a separate program of their own. Licensees must have their IT, corporate governance and legal teams develop a customized approach to meet these significant requirements.
Marcum’s Risk Advisory Services Group and Insurance Services Group will work closely with insurance industry licensees to meet the considerable requirements under the Ohio cybersecurity law. We can assist you with your understanding of the law and implementation of the requirements.
Do you have questions about complying with the new Ohio cybersecurity law? Please contact Christopher Shaffer, Director, Risk Advisory Services.