Cybersecurity is critically important to the insurance industry because insurance companies, agencies and agents collect highly sensitive consumer financial and health information, which is an especially alluring target for cyber criminals. Recognizing this risk, the National Association of Insurance Commissioners (NAIC) adopted the Insurance Data Security Model Law (NAIC Model Law) in October 2017 to encourage states to establish a legal framework for requiring insurance organizations to implement comprehensive cybersecurity programs.
Specifically, the NAIC Model Law requires licensees to:
- protect consumer data by safeguarding insurance policyholders’ personal information;
- establish data security standards to mitigate the potential damage from a breach;
- develop, implement and maintain a secure information security program; and
- investigate cybersecurity events and notify the state insurance commissioner of such events promptly (the Model Law sets an outer limit of 72 hours after the licensee determines that an event has occurred).
On December 19, 2018, then Ohio Governor John Kasich signed Senate Bill 273, Ohio’s version of the NAIC Model Law, which requires Ohio licensees (individuals or non-governmental entities required to be authorized, registered or licensed pursuant to the state’s insurance laws) to implement plans to safeguard business and personal information from cyberattacks and develop response plans in the event a cyberattack does occur. As part of that plan, licensees are required to investigate the incident, report the event and other relevant information to the Department of Insurance, and notify those impacted by the event. In addition, compliance with the requirements set forth in Senate Bill 273 provides licensees with an affirmative defense to certain Ohio tort actions. The signing of Senate Bill 273 makes Ohio one of the first states in the country to implement cybersecurity requirements specific to the insurance industry.
Ohio’s Modifications to the NAIC Model Law
Though Senate Bill 273 largely tracks the NAIC Model Law, there are notable differences, and insurance companies, agencies and agents should carefully consider all applicable state requirements when creating their cybersecurity policies. Ohio’s modifications include:
- An affirmative defense for compliant licensees to certain tort actions after the occurrence of a cybersecurity event, as defined below.
- An expansion of the categories of licensees exempted from all but the bill’s reporting requirements.
- Streamlined reporting requirements that allow a licensee writing only in Ohio to file its certification of compliance along with its corporate governance annual disclosure.
- Language stating that the Superintendent of Insurance is the exclusive regulator of cybersecurity compliance for licensees and newly created Chapter 3965 of the Ohio Revised Code is the exclusive compliance standard.
- Language that requires the Department of Insurance to consider the licensee’s nature, scale and complexity in “administering the chapter and adopting rules pursuant to this chapter,” as further discussed below.
Information Security Program Requirements
By March 19, 2020, an Ohio licensee must conduct a risk assessment designed to examine the nature and likelihood of any threats posed to the nonpublic information it holds and develop, implement and maintain a comprehensive written information security program (WISP) based on the results of that assessment. Senate Bill 273 defines information security program as “the administrative, technical, and physical safeguards that a licensee uses to access, collect, distribute, process, protect, store, use, transmit, dispose of, or otherwise handle nonpublic information.” Compliant WISPs must be commensurate with the licensee’s size and complexity, the nature and scope of its activities, including its use of third-party service providers, and the sensitivity of the nonpublic information it uses or has in its possession, custody or control.
Additionally, if a licensee has a board of directors, the board must require the licensee’s executive management or its delegates to develop, implement and maintain a WISP and submit a written report on the established WISP to the board at least annually. The report must cover the WISP’s overall status and the licensee’s compliance with Senate Bill 273’s requirements as well as material matters related to the WISP, including cybersecurity events, violations of the WISP and recommendations for changes.
Licensees must exercise due diligence in selecting third-party service providers (parties that contract with a licensee to maintain, process or store nonpublic information, or are otherwise permitted access to nonpublic information through the provision of services to the licensee) and, by March 19, 2021, must require such providers to implement appropriate measures to protect and secure their information systems and the nonpublic information they maintain. Vendor management is a significant aspect of any cybersecurity program and may involve several internal resources (e.g., IT, procurement, contracting).
Exemptions from the Requirements
Senate Bill 273 exempts from all but its reporting requirements a licensee meeting any of the following criteria:
- It has fewer than 20 employees.
- It has less than $5 million in gross annual revenue.
- It has less than $10 million in assets, measured at the end of the licensee’s fiscal year.
Additionally, a licensee that is subject to and compliant with the privacy and security rules of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) is deemed to meet the bill’s requirements, except for the notice requirements mentioned under “Cybersecurity Event Response Plan” below. The bill requires such a licensee to submit a certification of its HIPAA compliance to the Superintendent of Insurance and retain all records relating to that certification for a period of five years.
Cybersecurity Event Response Plan
As part of its WISP, a licensee must establish a written plan detailing its procedure for promptly responding to and recovering from any cybersecurity event. Senate Bill 273 defines a cybersecurity event as “an event resulting in unauthorized access to, disruption of, or misuse of an information system or nonpublic information stored on an information system that has a reasonable likelihood of materially harming any consumer residing in this state or any material part of the normal operations of the licensee.” The licensee must conduct an investigation of each cybersecurity event and determine the scope of the breach, the nonpublic information compromised and the measures necessary to restore the security of the licensee’s information system.
Additionally, a licensee must notify the Superintendent of Insurance of a cybersecurity event as promptly as possible, but not later than three business days after it determines that such an event has occurred, if either of the following criteria is met:
- The licensee is domiciled in Ohio and the cybersecurity event has a reasonable likelihood of materially harming a consumer or a material part of the licensee’s normal operations.
- The licensee reasonably believes that the nonpublic information involved relates to 250 or more Ohio consumers, and either:
  - notice of the event is required to any governmental body, self-regulatory agency or other supervisory body pursuant to any state or federal law; or
  - the event has a reasonable likelihood of materially harming any consumer residing in Ohio or any material part of the licensee’s normal operations.
In these cases, the licensee must provide the Superintendent with specific information concerning the event’s extent and nature, as enumerated in the bill, in an electronic form as directed by the Superintendent.
Compliance Certification and Documentation
Each licensee domiciled in Ohio must submit a written statement to the Superintendent of Insurance certifying compliance with Senate Bill 273’s requirements and maintain records supporting such certification for at least five years. If a licensee has identified areas that require material improvement, it must document the identification and its remedial efforts to address these areas, and this documentation must be available for inspection by the Superintendent. Senate Bill 273 allows a licensee domiciled and licensed exclusively in Ohio to submit a written statement certifying compliance as part of its corporate governance annual disclosure.
Any documentation provided to the Superintendent, the NAIC, any vendor third-party consultant to the NAIC or any third-party service provider as part of a licensee’s compliance requirements is confidential, not public record, not subject to subpoena, and not subject to discovery or admission as evidence. However, the Superintendent is permitted to use any of the aforementioned documents in furtherance of any regulatory or legal action brought as part of its duties.
A licensee meeting all requirements set forth in Senate Bill 273 is deemed to have implemented a WISP that reasonably conforms to an industry-recognized cybersecurity framework and may assert compliance as an affirmative defense to any Ohio tort action alleging that the failure to implement reasonable information security controls resulted in a data breach involving personal or restricted information. The bill also specifies that this affirmative defense does not limit any other affirmative defense available to a licensee.
New York Requirements
A licensee that is subject to New York’s insurance laws, either as a covered entity (insurer, reinsurer or producer) or as a service provider to a covered entity, also must comply with New York Insurance Regulation 500 (23 NYCRR 500) (Reg 500), including filing an annual certification of compliance with the Department of Financial Services (DFS) or a notice of exemption where the covered entity qualifies for one. Reg 500, including its standards for exemption, differs from Ohio Senate Bill 273 in several material respects, including:
- the extent of the cybersecurity program, including testing, risk assessment and audit trail requirements;
- personnel training and monitoring requirements;
- the standards and timing for notice to affected consumers and the DFS;
- the requirement to designate a chief information security officer;
- the absence of an affirmative defense for compliance; and
- the standards for exemption.
Cyberattacks against the private sector, including insurance organizations, continue to increase in scope and sophistication. As states adopt cybersecurity legislation based on the NAIC Model Law, insurance companies, agencies and agents must ensure they have protections in place to comply with Ohio Senate Bill 273 and requirements in New York and many other jurisdictions.