Ohio Law Requires Insurers to Adopt NAIC Cyber Security Model; More States Expected to Follow
Ohio has enacted a new cyber security law requiring insurance companies (including health insurers) to develop detailed plans to safeguard the vast amounts of personal and business data they collect. That includes health care data, financial information and Social Security numbers.
The law requires insurers to create a comprehensive cyber security plan that’s based on their risk profile; designate someone to be responsible for the program; and develop an incident response plan in case of a breach.
The law is based on the National Association of Insurance Commissioners (NAIC) Insurance Data Security Model Law and is the second such law in the country after South Carolina.
What the Law Says
There are a number of specific requirements under the law, which are laid out in great detail by the National Law Review. Here are some things of note:
- Create a written cyber security plan based on size and risk profile
- Identify reasonably foreseeable internal or external threats that could compromise data
- Assess the likelihood and potential damage of cyber security threats on an annual basis
- Implement administrative, technical and physical safeguards to protect data
- Report any cyber security incidents to the Ohio Department of Insurance in great detail
- Ensure that all vendors have adequate security protocols
No Perfect Answer for Cyber
The law is based on taking a risk management approach to cyber security. But cyber threats are constantly changing and there’s no uniform answer for solving the problem. That’ll make it hard for insurers to always be in compliance with the law.
Writing about similar regulations in South Carolina and New York, Christopher M. Brubaker, an attorney with Clark Hill in Philadelphia, wrote in the Legal Intelligencer: “What is still very much in question is the ability of regulations of this type to actually improve cyber security.
“As both the Data Security Act and New York cyber rules tacitly acknowledge, there is no perfect answer or approach to cyber security. Security measures that would be commonplace for large companies will often not fit smaller companies and vice versa. Examples include the frequency and sophistication of penetration and other testing methods and the scope and intensity of employee training. Given that it is widely understood by security experts that everybody is vulnerable, even those with the most robust cyber security, it still remains to be seen what impact these regulations will have.”
Directors and Officers Beware?
The Ohio law could mean fresh worries for directors and officers.
That was certainly the feeling across the industry in 2017, when New York passed similar regulations aimed at the financial industry. Back then, Risk & Insurance® took a deep dive into the implications, writing: “The responsibility for cyber security will now fall squarely on the board and senior management actively overseeing the entity’s overall program. Some experts fear that the D&O insurance market is far from prepared to absorb this risk.”
In addition to New York and Ohio, a few states have these kinds of laws in place, including Connecticut, South Carolina and Michigan. With more than 270 insurers and 1,600 insurance companies, Ohio is the sixth largest insurance market in the nation. The law came into effect on March 20, 2019, and it gave licensees one year to comply with the new requirements.
But whether you’re in Ohio or not, it’s smart to make sure your cyber risk management protocols are up to snuff. Here are a number of recent articles we’ve written that can help you accomplish that goal: