• An affirmative defense for compliant licensees to certain tort actions after the occurrence of a cybersecurity event, as defined below.
• An expansion of the categories of licensees exempted from all but the bill’s reporting requirements.
• Streamlined reporting requirements that allow a licensee writing only in Ohio to file its certification of compliance along with its corporate governance annual disclosure.
• Language stating that the Superintendent of Insurance is the exclusive regulator of cybersecurity compliance for licensees and newly created Chapter 3965 of the Ohio Revised Code is the exclusive compliance standard.
• Language that requires the Department of Insurance to consider the licensee’s nature, scale and complexity in “administering the chapter and adopting rules pursuant to this chapter,” as further discussed below.
Information Security Program Requirements
By March 19, 2020, an Ohio licensee must conduct a risk assessment designed to examine the nature and likelihood of any threats posed to the nonpublic information it holds and develop, implement and maintain a comprehensive written information security program (WISP) based on the results of that assessment. Senate Bill 273 defines information security program as “the administrative, technical, and physical safeguards that a licensee uses to access, collect, distribute, process, protect, store, use, transmit, dispose of, or otherwise handle nonpublic information.” Compliant WISPs must be commensurate with the licensee’s size and complexity, the nature and scope of its activities, including its use of third-party service providers, and the sensitivity of the nonpublic information it uses or has in its possession, custody or control.
Additionally, if a licensee has a board of directors, the board must require the licensee’s executive management or its delegates to develop, implement and maintain a WISP and submit a written report on the established WISP to the board at least annually. The report must cover the WISP’s overall status and the licensee’s compliance with Senate Bill 273’s requirements as well as material matters related to the WISP, including cybersecurity events, violations of the WISP and recommendations for changes.
Licensees must exercise due diligence in selecting third-party service providers (parties that contract with a licensee to maintain, process or store nonpublic information, or are otherwise permitted access to nonpublic information through the provision of services to the licensee) and, by March 19, 2021, must require such providers to implement appropriate measures to protect and secure their information systems and the nonpublic information they maintain. Vendor management is a significant aspect of any cybersecurity program and may involve several internal resources (e.g., IT, procurement, contracting).
Exemptions from the Requirements
Senate Bill 273 exempts a licensee meeting any of the following criteria:
• It has fewer than 20 employees.
• It has less than $5 million in gross annual revenue.
• It has less than $10 million in assets, measured at the end of the licensee’s fiscal year.
Additionally, a licensee that is subject to and compliant with the privacy and security rules of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) is deemed to meet the bill’s requirements, except for the notice requirements mentioned under “Cybersecurity Event Response Plan” below. The bill requires such a licensee to submit a certification of its HIPAA compliance to the Superintendent of Insurance and retain all records relating to that certification for a period of five years.
Cybersecurity Event Response Plan
As part of its WISP, a licensee must establish a written plan detailing its procedure for promptly responding to and recovering from any cybersecurity event. Senate Bill 273 defines a cybersecurity event as “an event resulting in unauthorized access to, disruption of, or misuse of an information system or nonpublic information stored on an information system that has a reasonable likelihood of materially harming any consumer residing in this state or any material part of the normal operations of the licensee.” The licensee must conduct an investigation of each cybersecurity event and determine the scope of the breach, the nonpublic information compromised and the measures necessary to restore the security of the licensee’s information system.
Additionally, a licensee must notify the Superintendent of Insurance of a cybersecurity event as promptly as possible, but not later than three business days after it is determined that such an event has occurred, if either of the following criteria has been met:
• The licensee is domiciled in Ohio and the cybersecurity event has a reasonable likelihood of materially harming a consumer or a material part of the licensee’s normal operations.
• The licensee reasonably believes that the nonpublic information involved relates to 250 or more Ohio consumers, and either of the following applies:
  • notice is required to any governmental body, self-regulatory agency or other supervisory body pursuant to any state or federal law; or
  • the event has a reasonable likelihood of materially harming any consumer residing in Ohio or any material part of the licensee’s normal operations.
In these cases, the licensee must provide the Superintendent with specific information concerning the event’s extent and nature, as enumerated in the bill, in an electronic form as directed by the Superintendent.
Compliance Certification and Documentation
Each licensee domiciled in Ohio must submit a written statement to the Superintendent of Insurance certifying compliance with Senate Bill 273’s requirements and maintain records supporting such certification for at least five years. If a licensee has identified areas that require material improvement, it must document the identification and its remedial efforts to address these areas, and this documentation must be available for inspection by the Superintendent. Senate Bill 273 allows a licensee domiciled and licensed exclusively in Ohio to submit a written statement certifying compliance as part of its corporate governance annual disclosure.
Any documentation provided to the Superintendent, the NAIC, any vendor or third-party consultant to the NAIC, or any third-party service provider as part of a licensee’s compliance requirements is confidential, not public record, not subject to subpoena, and not subject to discovery or admission as evidence. However, the Superintendent is permitted to use any of the aforementioned documents in furtherance of any regulatory or legal action brought as part of the Superintendent’s duties.
A licensee meeting all requirements set forth in Senate Bill 273 is deemed to have implemented a WISP that reasonably conforms to an industry-recognized cybersecurity framework and may assert compliance as an affirmative defense to any Ohio tort action alleging that the failure to implement reasonable information security controls resulted in a data breach involving personal or restricted information. The bill also specifies that this affirmative defense does not limit any other affirmative defense available to a licensee.
New York Requirements
A licensee that is subject to New York’s insurance laws, either as a covered entity (insurer, reinsurer or producer) or as a service provider to a covered entity, also must comply with New York Insurance Regulation 500 (23 NYCRR 500) (Reg 500), including filing a cybersecurity program with the Department of Financial Services (DFS) or obtaining an exemption from filing such a program. Reg 500, including the standards for exemption from filing, differs from Ohio Senate Bill 273 in several material terms, including:
• the extent of the cybersecurity program, including testing, risk assessment and audit trail requirements;
• personnel training and monitoring requirements;
• the standards and timing for notice to affected consumers and the DFS;
• the requirement for a chief information security officer;
• the absence of an affirmative defense for compliance; and
• the standards for exemption.
Cyberattacks against the private sector, including insurance organizations, continue to increase in scope and sophistication. As states adopt cybersecurity legislation based on the NAIC Model Law, insurance companies, agencies and agents must ensure they have protections in place to comply with Ohio Senate Bill 273 and requirements in New York and many other jurisdictions.