Have you ever heard of the New York State Department of Financial Services regulation requiring financial services companies to adopt cybersecurity measures that “match relevant risks and keep pace with technological advancements” (23 NYCRR 500)? If you haven’t, you should take a look, even if you don’t do business in the State of New York. This regulation is having a snowball effect that is affecting financial institutions across the nation.
One sector affected indirectly by this regulation is the insurance industry. In step with this regulation, the National Association of Insurance Commissioners drafted the Insurance Data Security Model Law. This law requires Licensees to implement an information security program adequate to protect the security and confidentiality of non-public information and the Licensees’ information system. It also mandates risk assessment, periodic review of data retention schedules, enterprise-level risk management processes, adequate incident response measures, oversight of third-party service provider arrangements, investigation of cybersecurity events, and swift notification of the Commission if cybersecurity incidents occur (within 72 hours of recognition).
So, what does this have to do with Ohio SB 723? This bill is modeled after the Insurance Data Security Model Law and became effective last week (March 20, 2019). If you are an insurance company authorized to do business in the State of Ohio, you are now subject to this law (unless you have fewer than 20 employees, take in less than $5,000,000 in gross annual revenue, or are deemed a HIPAA-compliant insurer).
One interesting point of Ohio SB 723 is the Safe Harbor section. This section states that insurers that have implemented a cybersecurity program that “reasonably conforms to an industry-recognized cybersecurity framework” are entitled to affirmative defense against tort lawsuits that allege “failure to implement reasonable information security controls resulting in a data breach concerning personal information or restricted information,” and that are brought under Ohio law or in Ohio courts.
This is the same Safe Harbor offered in the Ohio Data Protection Act, which came into effect last August (see the blog from January 17, 2019 for more information). As with that act, an area of concern in SB 273 is the use of the term “reasonably conforms.” Exactly what that means is not well defined under these acts. To me, this means that businesses that are actually interested in attaining Safe Harbor need to be able to demonstrate reasonable compliance with one of the following cybersecurity frameworks:
- NIST Cybersecurity Framework or Special Publications 800-53, 800-53A or 800-71;
- CIS-CSC; or
- ISO/IEC 27000 series.
That means your company should have a fully documented information security program that is regularly tested and adjusted, that is overseen by the Board of Directors, and that has the full support of company management. We at MicroSolved have decades of experience in providing financial organizations with services such as risk assessment, compliance gap assessment, cybersecurity program and policy development, vulnerability and penetration testing, application security testing, and many other information security services. Contact us if your company needs help in attaining not only compliance with regulation, but real cutting-edge information security as well. We are here to serve your needs.