Careers

Diversity, Equity & Inclusion

Experience

Innovation

Interactive Maps

Locations

About

Pages

Meet our team of innovators
Ask us how we do it

Professionals

Insights

Services

Thompson Hine LLP, a full-service business law firm with approximately 400 lawyers in 11 offices, was ranked number 1 in the category “Most innovative North American law firms: New working models” by The Financial Times and was 1 of 7 firms shortlisted for The American Lawyer’s inaugural Legal Services Innovation Award. The firm has been recognized by the National Law Journal as a Legal Technology Trailblazer and featured by Bloomberg for its innovative service delivery models, which drive accuracy and predictability. The firm’s commitment to innovation is embodied in Thompson Hine SmartPaTHTM – a smarter way to work – predictable, efficient and aligned with client goals. For more information, please visit ThompsonHine.com and ThompsonHine.com/SmartPaTH.

Home | Thompson Hine LLP

Atlanta

Chicago

Cincinnati

Cleveland

Columbus

Dayton

Los Angeles

Minneapolis

New York

Silicon Valley

Washington, D.C.

core/separator

core/heading

core/list

Cybersecurity is critically important to the insurance industry because insurance companies, agencies and agents collect highly sensitive consumer financial and health information, which is an especially alluring target for cyber criminals. Recognizing this risk, the National Association of Insurance Commissioners (NAIC) adopted the Insurance Data Security Model Law (NAIC Model Law) in October 2017 to encourage states to establish a legal framework for requiring insurance organizations to implement comprehensive cybersecurity programs.

contentpilot/introduction

Specifically, the NAIC Model Law requires licensees to:

core/paragraph

On December 19, 2018, then Ohio Governor John Kasich signed Senate Bill 273, Ohio’s version of the NAIC Model Law, which requires Ohio licensees (individuals or non-governmental entities required to be authorized, registered or licensed pursuant to the state’s insurance laws) to implement plans to safeguard business and personal information from cyberattacks and develop response plans in the event a cyberattack does occur. As part of that plan, licensees are required to investigate the incident, report the event and other relevant information to the Department of Insurance, and notify those impacted by the event. In addition, compliance with the requirements set forth in Senate Bill 273 provides licensees with an affirmative defense to certain Ohio tort actions. The signing of Senate Bill 273 makes Ohio one of the first states in the country to implement cybersecurity requirements specific to the insurance industry.

Ohio’s Modifications to the NAIC Model Law

Ohio is one of the earlier states to adopt a version of the NAIC Model Law. Though Senate Bill 273 largely tracks the NAIC Model Law, there are notable differences, and insurance companies, agencies and agents should carefully consider all applicable state requirements when creating their cybersecurity policies. Specifically, some of the Ohio modifications include:

Information Security Program Requirements

By March 19, 2020, an Ohio licensee must conduct a risk assessment designed to examine the nature and likelihood of any threats posed to the nonpublic information it holds and develop, implement and maintain a comprehensive written information security program (WISP) based on the results of that assessment. Senate Bill 273 defines information security program as “the administrative, technical, and physical safeguards that a licensee uses to access, collect, distribute, process, protect, store, use, transmit, dispose of, or otherwise handle nonpublic information.” Compliant WISPs must be commensurate with the licensee’s size and complexity, the nature and scope of its activities, including its use of third-party service providers, and the sensitivity of the nonpublic information it uses or has in its possession, custody or control.

Additionally, if a licensee has a board of directors, the board must require the licensee’s executive management or its delegates to develop, implement and maintain a WISP and submit a written report on the established WISP to the board at least annually. The report must cover the WISP’s overall status and the licensee’s compliance with Senate Bill 273’s requirements as well as material matters related to the WISP, including cybersecurity events, violations of the WISP and recommendations for changes.

Licensees must exercise due diligence in selecting third-party service providers (parties that contract with a licensee to maintain, process or store nonpublic information, or are otherwise permitted access to nonpublic information through the provision of services to the licensee) and, by March 19, 2021, must require such providers to implement appropriate measures to protect and secure their information systems and the nonpublic information they maintain. Vendor management is a significant aspect of any cybersecurity program and may involve several internal resources (e.g., IT, procurement, contracting).

Senate Bill 273 exempts a licensee meeting any of the following criteria:

Additionally, a licensee that is subject to and compliant with the privacy and security rules of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) is deemed to meet the bill’s requirements, except for the notice requirements mentioned under “Cybersecurity Event Response Plan” below. The bill requires such a licensee to submit a certification of its HIPAA compliance to the Superintendent of Insurance and retain all records relating to that certification for a period of five years.

As part of its WISP, a licensee must establish a written plan detailing its procedure for promptly responding to and recovering from any cybersecurity event. Senate Bill 273 defines a cybersecurity event as “an event resulting in unauthorized access to, disruption of, or misuse of an information system or nonpublic information stored on an information system that has a reasonable likelihood of materially harming any consumer residing in this state or any material part of the normal operations of the licensee.” The licensee must conduct an investigation of each cybersecurity event and determine the scope of the breach, the nonpublic information compromised and the measures necessary to restore the security of the licensee’s information system.

Additionally, a licensee must notify the Superintendent of Insurance of a cybersecurity event as promptly as possible, but not later than three business days after it is determined that such an event has occurred, if either of the following criteria has been met:

In these cases, the licensee must provide the Superintendent with specific information concerning the event’s extent and nature, as enumerated in the bill, in an electronic form as directed by the Superintendent.

Compliance Certification and Documentation

Each licensee domiciled in Ohio must submit a written statement to the Superintendent of Insurance certifying compliance with Senate Bill 273’s requirements and maintain records supporting such certification for at least five years. If a licensee has identified areas that require material improvement, it must document the identification and its remedial efforts to address these areas, and this documentation must be available for inspection by the Superintendent. Senate Bill 273 allows a licensee domiciled and licensed exclusively in Ohio to submit a written statement certifying compliance as part of its corporate governance annual disclosure.

Any documentation provided to the Superintendent, the NAIC, any vendor third-party consultant to the NAIC or any third-party service provider as part of a licensee’s compliance requirements is confidential, not public record, not subject to subpoena, and not subject to discovery or admission as evidence. However, the Superintendent is permitted to use any of the aforementioned documents in furtherance of any regulatory or legal action brought as part of its duties.

A licensee meeting all requirements set forth in Senate Bill 273 is deemed to have implemented a WISP that reasonably conforms to an industry-recognized cybersecurity framework and may assert compliance as an affirmative defense to any Ohio tort action alleging that the failure to implement reasonable information security controls resulted in a data breach involving personal or restricted information. The bill also specifies that this affirmative defense does not limit any other affirmative defense available to a licensee.

A licensee that is subject to New York’s insurance laws, either as a covered entity (insurer, reinsurer or producer) or as a service provider to a covered entity, also must comply with New York Insurance Regulation 500 (23 NYCRR 500) (Reg 500), including filing a cybersecurity program with the Department of Financial Services (DFS) or obtaining an exemption from filing such a program. Reg 500, including the standards for exemption from filing, differs from Ohio Senate Bill 273 in several material terms, including:

Cyberattacks against the private sector, including insurance organizations, continue to increase in scope and sophistication. As states adopt cybersecurity legislation based on the NAIC Model Law, insurance companies, agencies and agents must ensure they have protections in place to comply with Ohio Senate Bill 273 and requirements in New York and many other jurisdictions.

Robert Ansehl 212.908.3996 <a href="mailto:Robert.Ansehl@ThompsonHine.com">Robert.Ansehl@ThompsonHine.com</a>

Alan F. Berliner 614.469.3268 <a href="mailto:Alan.Berliner@ThompsonHine.com">Alan.Berliner@ThompsonHine.com</a>

Kelsey J. Mullen 614.469.3293 <a href="mailto:Kelsey.Mullen@ThompsonHine.com">Kelsey.Mullen@ThompsonHine.com</a>

This advisory bulletin may be reproduced, in whole or in part, with the prior permission of Thompson Hine LLP and acknowledgement of its source and copyright. This publication is intended to inform clients about legal matters of current interest. It is not intended as legal advice. Readers should not act upon the information contained in it without professional counsel.

This document may be considered attorney advertising in some jurisdictions.

https://admin.thompsonhine.com/wp-content/uploads/2022/04/Privacy__Cybersecurity_Update_-_Ohios_New_Cybersecurity_Requirements_for_Insurance_Companies_Agencies_and_Agents.pdf

Ohio’s New Cybersecurity Requirements for Insurance Companies, Agencies and Agents

Services