In late 2018, Ohio became the third state to adopt insurance-specific legislation pertaining to data security. Fortunately, OIA was able to make several improvements to Ohio’s cyber bill for agents, beyond what exists in national model legislation and in cyber bills that have passed in other states. Notably, the majority of Ohio agencies will have a large burden alleviated, as they will be exempt from the requirement to develop a comprehensive written cyber plan and to exercise due diligence in selecting third-party service providers. This is a big win, as the National Association of Insurance Commissioners (NAIC) Insurance Data Security Model Law sets the exemption at agencies with fewer than ten employees, including independent contractors.
Additionally, Ohio’s cyber law has language added that states that the superintendent of insurance shall consider the nature, scale, and complexity of licensees (i.e. insurers and agencies) in administering the cyber law and adopting any rules necessary to implement the law. In other words, the ability of agencies to comply with the complexity of the law needs to be taken into consideration and any further rules developed should be “right-sized.”
Finally, it should be noted that the legislation stipulates that all agencies are now required to take certain steps to address it if they believe that their agency may have had a cybersecurity event occur that involved nonpublic information either in their system or in a system maintained by a third-party vendor. OIA has provided information on how to comply with this requirement, which can be found here.
WRITTEN CYBER PLAN
Agencies are exempt from the requirement to develop and maintain a comprehensive written cybersecurity plan and exercise due diligence requirements over third-party service providers if they meet any of the following criteria:
(1) Have fewer than twenty employees.
(2) Have less than five million dollars in gross annual revenue.
(3) Have less than ten million dollars in assets, measured at the end of the agency’s fiscal year.
Agencies that are not exempt from these requirements should be working on implementing a written cyber plan, as this requirement takes effect March 20, 2020. The Ohio Department of Insurance has created an Information Security Resource Center to assist agencies and companies in complying with the new law. While guidance will not be issued in regard to developing a written plan, OIA recommends that agents utilize the sample cybersecurity policy created by the Agents Council for Technology (ACT) Security Issues work group in conjunction with the IIABA. This free and customizable template was created to help agencies easily comply with the requirement to have a cybersecurity policy in place. The template was developed to comply with requirements set forth by several acts, including New York Regulation 23 NYCRR 500 and Gramm-Leach-Bliley, because these regulations impose some of the most specific and demanding requirements. Notably, New York’s requirements are more onerous than Ohio’s.
While the Ohio Department of Insurance will not require plans to be submitted for its review, nor will it conduct audits to ensure a plan is in place, should a breach occur and a plan not be in place when it should be, there could be repercussions for agencies.
THIRD-PARTY SERVICE PROVIDER DUE DILIGENCE REQUIREMENTS
The last portion of Ohio’s law to take effect, following the implementation of the written cybersecurity plan requirement, is that Ohio’s large agencies (those that don’t qualify for an exemption) will be required to implement due diligence requirements for their third-party service providers. Stay tuned for more information and guidance on this requirement, as it does not take effect until March 20, 2021.
Questions? Contact Carolyn Mangas.