New cybersecurity requirements for insurance companies operating in Ohio
Published January 23, 2019
Last month, Ohio Governor John Kasich signed Senate Bill 273 to “establish standards for data security and for the investigation of and notification to the Superintendent of Insurance of a cybersecurity event.” The Bill, which takes effect March 19, 2019, places new obligations on insurance companies and other licensees authorized to do business in Ohio. These include the following:
- Implement and maintain an information security program based on the results of a risk assessment to safeguard nonpublic business and personal information.
- Develop a formal, written incident response plan for responding to a cybersecurity event as the Bill defines that term.
- Certify compliance annually to the Superintendent of Insurance (“Superintendent”) by submitting a written statement.
- Investigate and assess the nature and scope of a cybersecurity event. This obligation extends to events occurring in systems maintained by outside vendors or service providers acting on behalf of the insurance company: the company must complete the investigation itself or confirm that the vendor has done so.
- Notify the Superintendent of a cybersecurity event no later than 3 business days after determining that the event occurred, where the company is domiciled in Ohio or the event meets the Bill’s thresholds for the number of affected Ohio residents and the potential for material harm. There are additional notification requirements for affected consumers and for the insurance regulators of other states.
The new law also makes an insurance company’s board of directors directly accountable for oversight of the cybersecurity program. The board must require executive management (or its delegates) to develop, implement and maintain the program, and to report to the board in writing on its status and on compliance.
Cybersecurity remains critically important across industries, and new laws to protect the privacy of consumers are being passed in multiple states. Several more states are likely to pass similar legislation in the next few years, making it more important than ever to ensure that your company, and its board of directors, understand these requirements.