Skoda Minotti’s Risk Advisory Services Group and Insurance Services Group are working closely with insurance industry licensees to meet the considerable requirements under the Ohio cybersecurity law. This presentation provides more detailed information about the law, and assists you with your understanding and implementation of the requirements.
Introduction
Christopher Shaffer, CISSP, CISA, CCSFP, QSA
• Senior Manager in the Risk Advisory Services group
• 18 years of information technology security, operations, and consulting experience with clients
• Leads the HITRUST CSF assessor program
• Specializes in leading engagements for:
‒ SSAE 18 (SOC 1)
‒ SOC 2
‒ PCI-DSS
‒ HIPAA
‒ HITRUST
‒ NIST
‒ ISO
‒ IT general computing controls for private and public businesses across a variety of industries
cshaffer@skodaminotti.com
linkedin.com/in/cpshaffer1/
440-449-6800
Introduction
Jeremy Long, CPA/MBA
• Principal managing the firm’s Insurance Services group
• Specializes in providing accounting, attestation and advisory services
• Works with clients throughout the U.S. in the following industries:
‒ Insurance
‒ Financial services
‒ Software
‒ Health services
jlong@skodaminotti.com
linkedin.com/in/jeremylongcpa/
440-449-6800
Agenda
• Background
• Applicability
• Important Dates
• Data Security Requirements
• Cybersecurity Plan
• Implement Safeguards
• Risk Assessments
• Incident Response
• How Can Skoda Minotti Help?
• Our Assessment Methodology
Background
NAIC Model Law (October 2017)
• Protect consumer data by safeguarding insurance policyholders’ personal information;
• Establish data security standards to mitigate the potential damage from a breach;
• Develop, implement and maintain a secure information security program; and
• Investigate cybersecurity events and notify the state insurance commissioner of such events immediately.
Ohio Modifications (December 2018)
• Expanded exempt licensees
• Superintendent of Insurance is the exclusive regulator of cybersecurity compliance for licensees
• Provides for the DOI to consider the licensee’s nature, scale, and complexity in administering compliance
• Provides an affirmative defense for compliant licensees against certain tort actions
Applicability
• O.R.C. § 3965.01(M) - Licensee
‒ “any person licensed, authorized to operate, or registered, or required to be licensed, authorized, or registered pursuant to the insurance laws of this state”
‒ Includes all insurers, agencies, and brokers doing business in Ohio
‒ Excludes reinsurers, RRGs, and purchasing groups domiciled or chartered and licensed in another state
• Exemptions
‒ < 20 employees
‒ < $5 million in gross annual revenue
‒ < $10 million in assets (at end of fiscal year)
‒ HIPAA-compliant licensees, who must still provide a certificate of compliance to the superintendent
‒ An employee, agent, representative, or independent contractor of a licensee who is also a licensee but is covered by the cybersecurity program of that licensee
Important Dates
• March 20, 2019 - O.R.C. § 3965 became law
‒ Reporting of cybersecurity events is now effective
• February 15, 2020 - Submission of the first written statement certifying that the insurer is in compliance with the parts of the law that are effective
‒ If the program requires material improvement, updating, or redesign, a plan of remediation must also be submitted
• March 20, 2020 - Required to implement most of the written cybersecurity program requirements
• March 20, 2021 - Required to implement the remaining third-party vendor due diligence and oversight requirements
• June 1, 2021 - Insurers domiciled in Ohio and only authorized to do business in Ohio submit a statement certifying compliance along with their Corporate Governance Annual Disclosure
Data Security Requirements
The Ohio Cybersecurity Law requires each licensee to:
• Develop a written cybersecurity plan, customized for the size and complexity of the licensee
• Implement administrative, technical and physical safeguards to protect nonpublic information
• Conduct risk assessments for internal and external threats, and assess the sufficiency of policies and procedures in place
• Address vulnerabilities based on these risk assessments and prioritize which security measures must be implemented
• Establish, maintain and implement a written incident response plan to recover from a cybersecurity event, with clear roles and responsibilities defined
• Require their third-party service providers to implement security measures to protect and secure any information systems and personal information within two years of the effective date of the Act
• Report cybersecurity events to the Ohio Department of Insurance within 3 business days
Cybersecurity Plan
The scale and scope of a covered entity's cybersecurity program should be based on all of the following factors:
• The size and complexity of the organization
• The nature and scope of the activities of the organization
• The sensitivity of the information to be protected
• The resources available to the covered entity.
Cybersecurity Plan (cont.)
Adopting a published framework provides key benefits over developing your own:
• Compliance with contractual requirements
• Achieving measurable security improvements
• Improved maturity and effectiveness of security operations
• Ability to report security readiness to management.
Risk Management Frameworks could include:
• National Institute of Standards and Technology (NIST) Special Publications: Cybersecurity Framework, 800-53, 800-53a, or 800-171
• International Organization for Standardization (ISO) 27000 Family - Information Security Management Systems (ISMS)
• Payment Card Industry – Data Security Standards (PCI-DSS) v 3.2.1
Cybersecurity Plan – Confidentiality
Written cybersecurity plans and annual submissions in the control or possession of the Department of Insurance:
• Shall be confidential by law and privileged
• Are not public records and shall not be released
• Shall not be subject to subpoena
• Shall not be subject to discovery or admissible in evidence in any private civil action
• *The confidentiality provision does not bar sharing with state, federal and international regulatory agencies, law enforcement, and the NAIC
• *Can be used by the Superintendent in furtherance of any regulatory or legal action brought by the Department
Implement Safeguards
Implement administrative, technical and physical safeguards to protect nonpublic information:
• Provided within your chosen risk management framework
• Some frameworks have differing levels of implementation based upon your organization’s scope and complexity
• Internal controls derived from risk assessment mitigating actions
• Vendor best practices
• Research organizations such as CERT, SANS, etc.
Risk Assessments
According to NIST, the goal of a risk assessment is for an organization to understand “the cybersecurity risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals.”
NIST 800-30 - Guide for Conducting Risk Assessments
Step 1 System Characterization (Section 3.1)
Step 2 Threat Identification (Section 3.2)
Step 3 Vulnerability Identification (Section 3.3)
Step 4 Control Analysis (Section 3.4)
Step 5 Likelihood Determination (Section 3.5)
Step 6 Impact Analysis (Section 3.6)
Step 7 Risk Determination (Section 3.7)
Step 8 Control Recommendations (Section 3.8)
Step 9 Results Documentation (Section 3.9)
Risk Assessments (cont.)
• The risk assessment will generate a list of vulnerabilities from which to implement security measures (mitigating actions/controls).
• Prioritization of measures can be based on metrics the organization defines, but may consider the following:
‒ Residual risk score
‒ The resources available to the organization
Incident Response
• Licensees are required to investigate the incident and report the event to the Superintendent of Insurance within three days of the event.
• An Incident Response Plan should contain the following:
‒ Roles, responsibilities, and communication and contact strategies in the event of a data breach, including, at a minimum, notification of the Superintendent of Insurance and affected parties
‒ Determine whether a cybersecurity event has occurred
‒ Identify any nonpublic information that may have been involved in the cybersecurity event
‒ Restore security operations to compromised systems to prevent further data breach disclosures
‒ Hold your third-party providers accountable and ensure their incident response plan aligns with your requirements and is followed
‒ Maintain cybersecurity event records for a period of 5 years
Incident Response (cont.)
Why?
Protect your data
‒ Avoid ransomware hostages, data loss, or disclosure of confidential data
Protect Your Reputation & Customer Trust
‒ A public relations nightmare; IDC notes that 78% of consumers would take their business elsewhere if they were affected by a data breach.
Protect Your Revenue
‒ Ponemon’s 2018 study put the average cost of a data breach at $3.86 million, up 6.4% from the previous year.
‒ The National Cyber Security Alliance estimates that 60% of small to medium-sized businesses go out of business within 6 months of a breach.
‒ Equifax ($430 million and growing), Target (10% stock price loss), Home Depot ($62 million)
How Can Skoda Minotti Help?
• We can help an organization select and implement a Risk Management Framework to meet the requirements of Chapter 3965.
• Perform a readiness assessment and help develop remediation plans to effectively implement a cybersecurity program.
• Provide a formal assessment for you to show ongoing compliance and to measure your program’s effectiveness on an annual basis.
Cybersecurity is critically important to the insurance industry because insurance companies, agencies and agents collect highly sensitive consumer financial and health information, which is an especially alluring target for cyber criminals. Recognizing this risk, the National Association of Insurance Commissioners (NAIC) adopted the Insurance Data Security Model Law (NAIC Model Law) in October 2017 to encourage states to establish a legal framework for requiring insurance organizations to implement comprehensive cybersecurity programs.
Ohio was the second state to adopt the NAIC Model Law (South Carolina was first, and Michigan adopted it in late 2018). Connecticut and New York have enacted cybersecurity regulations for insurance companies without specifically adopting the NAIC Model Law.
The entire law applies to Licensees.
If you are exempt, you do not have to comply with the cybersecurity program chapter, but you do still need to comply with the chapters surrounding “investigation of events” and “notification to superintendent”.
Once you fail to qualify as exempt, you have 180 days to comply with the law.
Non-public information means information that is not publicly available information and is one of the following:
(1) Business-related information of a licensee the tampering with, unauthorized disclosure of, access to, or use of which, would cause a material adverse impact to the business, operation, or security of the licensee;
(2) Information concerning a consumer that because of the name, number, personal mark, or other identifier contained in the information can be used to identify that consumer in combination with any one or more of the following data elements:
(a) Social security number;
(b) Driver's license, commercial driver's license, or state identification card number;
(c) Account, credit card, or debit card number;
(d) Any security code, access code, or password that would permit access to the consumer's financial account;
(e) Biometric records.
(3) Any information or data, except age or gender, that is in any form or medium created by or derived from a health care provider or a consumer, that can be used to identify a particular consumer, and that relates to any of the following:
(a) The past, present, or future physical, mental, or behavioral health or condition of the consumer or a member of the consumer's family;
(b) The provision of health care to the consumer;
(c) Payment for the provision of health care to the consumer.
The program shall be commensurate with the size and complexity of the licensee, the nature and scope of the licensee's activities including its use of third-party service providers, and the sensitivity of the nonpublic information used by the licensee or in the licensee's possession, custody, or control.
(D) Based on its risk assessment, the licensee shall do all of the following:
(1) Design its information security program to mitigate the identified risks in a way that is commensurate with the size and complexity of the licensee, the nature and scope of the licensee's activities including its use of third-party service providers, and the sensitivity of the nonpublic information used by the licensee or in the licensee's possession, custody, or control;
(2) Determine which of the following security measures are appropriate and implement such security measures:
(a) Place access controls on information systems, including controls to authenticate and permit access only to authorized individuals, to protect against the unauthorized acquisition of nonpublic information;
(b) Identify and manage the data, personnel, devices, systems, and facilities that enable the organization to achieve business purposes in accordance with their relative importance to business objectives and the organization's risk strategy;
(c) Restrict access at physical locations containing nonpublic information to authorized individuals;
(d) Protect by encryption or other appropriate means all nonpublic information while such information is being transmitted over an external network and all nonpublic information stored on a laptop computer or other portable computing or storage device or media;
(e) Adopt secure development practices for in-house developed applications utilized by the licensee and procedures for evaluating, assessing, or testing the security of externally developed applications utilized by the licensee;
(f) Modify the information system in accordance with the licensee's information security program;
(g) Utilize effective controls, which may include multifactor authentication procedures for accessing nonpublic information;
(h) Regularly test and monitor systems and procedures to detect actual and attempted attacks on, or intrusions into, information systems;
(i) Include audit trails within the information security program designed to detect and respond to cybersecurity events and designed to reconstruct material financial transactions sufficient to support normal operations and obligations of the licensee;
(j) Implement measures to protect against destruction, loss, or damage of nonpublic information due to environmental hazards, such as fire and water damage or other catastrophes or technological failures;
(k) Develop, implement, and maintain procedures for the secure disposal of nonpublic information in any format.
(3) Include cybersecurity risks in the licensee's enterprise risk management process;
(4) Stay informed regarding emerging threats or vulnerabilities and utilize reasonable security measures when sharing information relative to the character of the sharing and the type of information shared;
(5) Provide its personnel with cybersecurity awareness training that is updated as necessary to reflect risks identified by the licensee in the risk assessment.
Each licensee shall notify the superintendent of insurance as promptly as possible after a determination that a cybersecurity event involving nonpublic information in the possession of the licensee has occurred, but in no event later than three business days after that determination, when either of the following criteria has been met: