Ohio has become the third state to adopt insurance-specific legislation pertaining to data security.
Prior to Ohio, South Carolina adopted a cybersecurity model law for the insurance industry, similar to the Insurance Data Security Model Law approved by the National Association of Insurance Commissioners (NAIC) in late 2017. The state of New York moved even more quickly, establishing cybersecurity regulations that became effective in March 2017.
The adoption of a cyber law in Ohio did not come as a surprise, as discussions had been taking place between the carriers, OIA and ODI for several months as a result of this issue being addressed in other states.
WHAT THIS MEANS TO YOU
OIA was able to make several improvements to Ohio’s cyber bill for agents, beyond what exists in the national model legislation and cyber bills that have passed in other states.
Notably, the majority of Ohio agencies will have a large burden alleviated, as they will be exempt from a requirement to develop a comprehensive written cyber plan and exercise due diligence in selecting third-party service providers.
This is a big win, as the NAIC Data Security Model Law sets the exemption at agencies with fewer than ten employees, including independent contractors.
Additionally, Ohio’s cyber law has language added that states that the superintendent of insurance shall consider the nature, scale, and complexity of licensees (i.e. insurers and agencies) in administering the cyber law and adopting any rules necessary to implement the law. In other words, the ability of agencies to comply with the complexity of the law needs to be taken into consideration and any further rules developed should be “right-sized.”
Below are the highlights of the cyber requirements included in Senate Bill 273 that impact agencies:
Investigation and Breach Requirements
All agencies, regardless of size, will be required to comply with requirements to conduct a prompt investigation should they learn that a cybersecurity event has or may have occurred.
In addition, in certain instances, notification of a breach may be required to the Ohio Department of Insurance.
Written Cyber Plan and Third-Party Service Provider Due Diligence Requirements
Agencies are exempt from the requirement to develop and maintain a comprehensive written cybersecurity plan and to exercise due diligence over third-party service providers if they meet any of the following criteria:
(1) Have fewer than twenty employees.
(2) Have less than five million dollars in gross annual revenue.
(3) Have less than ten million dollars in assets, measured at the end of the agency’s fiscal year.
Agencies not exempt from these requirements have plenty of time to get ready to comply, as the requirements for a written cybersecurity plan are delayed for one year following the effective date of the bill, and the due diligence requirements for third-party service providers have a two-year delay.
An effective date is not yet available for Senate Bill 273, but it will likely be around mid-March.
With the staggered effective dates for the various requirements of the bill, the investigation and breach notification requirements will be the only portion of the cybersecurity requirements that take effect on the bill’s effective date.
WHAT YOU NEED TO DO RIGHT NOW
At this time, there is nothing you need to do. This article is merely to keep you informed before the law takes effect.
Stay tuned — OIA will continue to keep you informed on these new cyber requirements as more information becomes available regarding effective dates and the development of rules that will help carry out certain provisions of the bill.
NEED CYBER INSURANCE?
We can help! Click below to learn more about OIA's cyber coverage options!