New Ohio Cybersecurity Law
Requirements
Christopher Shaffer and Jeremy Long
2
Introduction
Christopher Shaffer, CISSP, CISA, CCSFP, QSA
• Senior Manager in the Risk Advisory Services group
• 18 years of information technology security, operations, and
consulting experience with clients
• Leads the HITRUST CSF assessor program
• Specializes in leading engagements for:
 SSAE 18 (SOC 1)
 SOC 2
 PCI-DSS
 HIPAA
 HITRUST
 NIST
 ISO
 IT general computing controls for private and public businesses across a
variety of industries
cshaffer@skodaminotti.com
linkedin.com/in/cpshaffer1/
440-449-6800
3
Introduction
Jeremy Long, CPA/MBA
• Principal managing the firm’s Insurance Services group
• Specializes in providing accounting, attestation and advisory
services
• Works with clients throughout the U.S. in the following
industries:
 Insurance
 Financial services
 Software
 Health services
jlong@skodaminotti.com
linkedin.com/in/jeremylongcpa/
440-449-6800
4
Agenda
• Background
• Applicability
• Important Dates
• Data Security Requirements
• Cybersecurity Plan
• Implement Safeguards
• Risk Assessments
• Incident Response
• How Can Skoda Minotti Help?
• Our Assessment Methodology
5
Background
NAIC Model Law (October 2017)
• Protect consumer data by
safeguarding insurance policyholders’
personal information;
• Establish data security standards to
mitigate the potential damage from a
breach;
• Develop, implement and maintain a
secure information security program;
and
• Investigate cybersecurity events and
notify the state insurance
commissioner of such events
immediately.
Ohio Modifications (December 2018)
• Expanded exempt licensees
• Superintendent of Insurance is
exclusive regulator of cybersecurity
compliance for licensees
• Provides for DOI to consider
licensee’s nature, scale, and
complexity in administering
compliance
• Provides an affirmative defense for
compliant licensees in certain tort
actions
6
Applicability
• O.R.C. § 3965.01(M) - Licensee
 “any person licensed, authorized to operate, or registered, or required to be licensed, authorized, or registered
pursuant to the insurance laws of this state”
 Includes all insurers, agencies, and brokers doing business in Ohio
 Excludes reinsurers, RRGs, and purchasing groups domiciled or chartered and licensed in another state
• Exemptions (a licensee meeting any one of the following)
 Fewer than 20 employees
 Less than $5 million in gross annual revenue
 Less than $10 million in assets (at end of fiscal year)
 HIPAA-compliant licensees, provided they submit a certificate of compliance to the superintendent
 An employee, agent, representative, or independent contractor of a licensee who is also a licensee, but is
covered by the cybersecurity program of that licensee
7
Important Dates
• March 20, 2019 - O.R.C. § 3965 became law
 Reporting cybersecurity events is now effective
• February 15, 2020 - Submission of first written statement certifying that the insurer is in
compliance with the parts of the law that are effective
 If your program requires material improvement, updating, or redesign, must also submit plan of remediation
• March 20, 2020 - Required to implement most of the written cybersecurity program
requirements
• March 20, 2021 - Required to implement remaining third-party vendor due diligence and
oversight requirements
• June 1, 2021 - Insurers domiciled in Ohio and only authorized to do business in Ohio submit
statement certifying compliance along with their Corporate Governance Annual Disclosure
8
Data Security Requirements
• The Ohio Cybersecurity Law requires each licensee to implement:
• Develop a written cybersecurity plan, customized for the size and complexity of the licensee
• Implement administrative, technical and physical safeguards to protect nonpublic information
• Conduct risk assessments for internal and external threats, and assess the sufficiency of
policies and procedures in place
• Address vulnerabilities based on these risk assessments and prioritize which security
measures must be implemented
• Establish, maintain and implement a written incident response plan to recover from a
cybersecurity event, with clear roles and responsibilities defined
• Require their third-party service providers to implement security measures to protect and
secure any information systems and personal information within two years of the effective
date of the Act;
• Report cybersecurity events to the Ohio Department of Insurance within 3 business days
9
Cybersecurity Plan
The scale and scope of a covered entity's
cybersecurity program should be based on
all of the following factors:
• The size and complexity of the organization
• The nature and scope of the activities of the
organization
• The sensitivity of the information to be
protected
• The resources available to the covered
entity.
10
Cybersecurity Plan (cont.)
Adopting a published framework provides key benefits over developing your own:
• Compliance with contractual requirements
• Achieving measurable security improvements
• Improved maturity and effectiveness of security operations
• Ability to report security readiness to management.
Risk Management Frameworks could include:
• National Institute of Standards and Technology (NIST): the Cybersecurity Framework, or
Special Publications 800-53, 800-53A (the assessment procedures for 800-53 controls), or 800-171
• International Organization for Standardization (ISO) 27000 Family - Information
Security Management Systems (ISMS), with ISO/IEC 27001 as the certifiable standard
• Payment Card Industry Data Security Standard (PCI DSS) v3.2.1, scoped to systems that store,
process, or transmit cardholder data
11
Cybersecurity Plan – Confidentiality
Written cybersecurity plan and annual submission in the control or possession of
the Department of Insurance:
• Shall be confidential by law and privileged
• Are not public records and shall not be released
• Shall not be subject to subpoena
• Shall not be subject to discovery or admissible in evidence in any private civil
action
• *The confidentiality provision does not bar sharing with state, federal and international
regulatory agencies, law enforcement, and the NAIC
• *The Superintendent may use the materials in furtherance of any regulatory or legal
action brought by the Department
12
Implement Safeguards
Implement administrative, technical and
physical safeguards to protect nonpublic
information
• Provided within your chosen risk management
framework
• Some frameworks have differing levels of
implementation based upon your organization’s
scope and complexity
• Internal controls derived from risk assessment
mitigating actions
• Vendor best practices
• Research organizations such as CERT, SANS,
etc.
13
Risk Assessments
According to the NIST Cybersecurity Framework (Identify, Risk Assessment category), the goal of a
risk assessment is for an organization to understand “the cybersecurity risk to organizational
operations (including mission, functions, image, or reputation), organizational assets, and
individuals.”
NIST SP 800-30 - Risk Assessment Process
The nine steps below, with their section numbers, are from the original 2002 edition of SP 800-30,
Risk Management Guide for Information Technology Systems. The current revision, SP 800-30 Rev. 1
(2012), Guide for Conducting Risk Assessments, covers the same work but organizes it as Prepare,
Conduct (identify threat sources and events, vulnerabilities and predisposing conditions, then
determine likelihood, impact and risk), Communicate, and Maintain.
Step 1 System Characterization (Section 3.1)
Step 2 Threat Identification (Section 3.2)
Step 3 Vulnerability Identification (Section 3.3)
Step 4 Control Analysis (Section 3.4)
Step 5 Likelihood Determination (Section 3.5)
Step 6 Impact Analysis (Section 3.6)
Step 7 Risk Determination (Section 3.7)
Step 8 Control Recommendations (Section 3.8)
Step 9 Results Documentation (Section 3.9)
14
Risk Assessments (cont.)
• The risk assessment will generate a list
of vulnerabilities from which to
implement security measures (mitigating
actions/controls).
• Prioritization of measures can be based
on metrics the organization defines, but
may consider the following:
 Residual risk score
 The resources available to the organization
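A worked example for the two Risk Assessments slides, added here and not part of the original deck: a small Python risk register that carries 800-30 steps 5 through 9 through to a prioritized results list. The likelihood and impact weights and the High/Medium/Low scale are the ones in the 2002 edition's risk-level matrix (Section 3.7); the residual-risk adjustment for controls already in place, the effort figure used to break ties, and the sample register for a fictional agency are assumptions made for this example.

```python
from dataclasses import dataclass
from typing import Dict, List

# Qualitative weights and risk scale from the risk-level matrix in the 2002 edition of
# NIST SP 800-30 (Section 3.7): likelihood High 1.0 / Medium 0.5 / Low 0.1,
# impact High 100 / Medium 50 / Low 10, risk High >50, Medium >10 to 50, Low 1 to 10.
LIKELIHOOD: Dict[str, float] = {"Low": 0.1, "Medium": 0.5, "High": 1.0}
IMPACT: Dict[str, int] = {"Low": 10, "Medium": 50, "High": 100}


def risk_level(score: float) -> str:
    """Map a likelihood x impact score onto the 800-30 High/Medium/Low risk scale."""
    if score > 50:
        return "High"
    if score > 10:
        return "Medium"
    return "Low"


@dataclass
class Risk:
    """One row of a risk register; the fields follow steps 1 to 8 of the 800-30 process."""
    system: str                  # step 1: system characterization
    threat: str                  # step 2: threat identification
    vulnerability: str           # step 3: vulnerability identification
    current_controls: List[str]  # step 4: control analysis
    likelihood: str              # step 5: likelihood rating before crediting current controls
    impact: str                  # step 6: impact rating
    control_effectiveness: float = 0.0  # ASSUMPTION: fraction (0-1) by which current controls
                                        # reduce likelihood; 800-30 folds this into step 5
    recommended_control: str = ""       # step 8: control recommendation
    effort_days: int = 0                # ASSUMPTION: resource cost of the recommendation

    def inherent_score(self) -> float:
        """Risk score with no credit for controls already in place."""
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]

    def residual_score(self) -> float:
        """Step 7: risk determination after crediting the controls already in place."""
        if not 0.0 <= self.control_effectiveness <= 1.0:
            raise ValueError("control_effectiveness must be between 0 and 1")
        return self.inherent_score() * (1.0 - self.control_effectiveness)


def prioritize(register: List[Risk]) -> List[Risk]:
    """Highest residual risk first; among equal scores, the cheapest recommendation first."""
    return sorted(register, key=lambda r: (-r.residual_score(), r.effort_days, r.system))


def results_document(register: List[Risk]) -> List[str]:
    """Step 9: one line per risk, in priority order, for the written assessment report."""
    rows = []
    for rank, r in enumerate(prioritize(register), start=1):
        rows.append(
            f"{rank}. [{risk_level(r.residual_score())}] {r.system}: {r.threat} via "
            f"{r.vulnerability}; residual {r.residual_score():.0f} "
            f"(inherent {r.inherent_score():.0f}); recommend {r.recommended_control} "
            f"(~{r.effort_days} days)"
        )
    return rows


# Constructed sample register for a fictional small insurance agency (not from the deck).
SAMPLE_REGISTER = [
    Risk("Policy admin system", "External attacker", "Internet-facing VPN without MFA",
         ["Password policy"], "High", "High", 0.2, "Enforce MFA on VPN", 5),
    Risk("Agent laptops", "Lost or stolen device", "Unencrypted local policyholder exports",
         [], "Medium", "High", 0.0, "Full-disk encryption via MDM", 10),
    Risk("Claims file share", "Malicious insider", "Broad share permissions",
         ["Quarterly access review"], "Medium", "Medium", 0.5, "Least-privilege share ACLs", 8),
    Risk("Marketing website", "Defacement", "Unpatched CMS plugin",
         ["Weekly patching"], "Medium", "Low", 0.5, "Automated plugin updates", 1),
]

if __name__ == "__main__":
    for line in results_document(SAMPLE_REGISTER):
        print(line)
```

Running the block prints the four risks in priority order: the VPN without MFA stays High (residual 80) even after crediting the password policy, the laptop exports land at Medium (50, the top of that band), and the website defacement drops to Low. Changing a control_effectiveness value or an effort figure reorders the list, which is the point of prioritizing on residual rather than inherent risk.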
15
Incident Response
• Licensees are required to investigate the incident and notify the Superintendent of Insurance
as promptly as possible, and no later than three business days after determining that a
cybersecurity event has occurred.
• An Incident Response Plan should contain the following:
 Roles, responsibilities, and communication and contact strategies in the event of a data
breach including notification of the Superintendent of Insurance and affected parties, at a
minimum
 Determine whether a cybersecurity event has occurred
 Identify any nonpublic information that may have been involved in the cybersecurity event
 Restore the security of compromised systems to prevent further disclosure of nonpublic
information.
 Hold your third party providers accountable and ensure their incident response plan aligns
to your requirements and is followed.
 Maintain cybersecurity event records for a period of 5 years
16
Incident Response (cont.)
Why?
 Protect your data
‒ Avoid ransomware hostages, data loss, or disclosure of confidential data
 Protect Your Reputation & Customer Trust
‒ A public relations nightmare; IDC reports that 78% of consumers would take their business
elsewhere if they were affected by a data breach.
 Protect Your Revenue
‒ Ponemon’s 2018 study put the average cost of a data breach at $3.86 million. Up 6.4% from the
previous year.
‒ National Cyber Security Alliance estimates that 60% of small to medium-sized businesses go out
of business within 6 months of a breach.
‒ Equifax ($430 million and growing), Target (10% stock price loss), Home Depot ($62 million)
17
How Can Skoda Minotti Help?
• We can help an organization select and
implement a Risk Management
Framework to meet the requirements of
O.R.C. Chapter 3965
• Perform a readiness assessment and
help develop remediation plans to
effectively implement a Cybersecurity
program.
• Provide a formal assessment for you to
show ongoing compliance to measure
your program’s effectiveness on an
annual basis.
18
Our Assessment Methodology
Scope → Plan → Fieldwork → Report → Submit
19
Questions?

More Related Content

What's hot

Cyber Security Risk Management
Cyber Security Risk ManagementCyber Security Risk Management
Cyber Security Risk Management
Shaun Sloan
 
Introduction to Risk Management via the NIST Cyber Security Framework
Introduction to Risk Management via the NIST Cyber Security FrameworkIntroduction to Risk Management via the NIST Cyber Security Framework
Introduction to Risk Management via the NIST Cyber Security Framework
PECB
 

What's hot (20)

Don't let them take a byte
Don't let them take a byteDon't let them take a byte
Don't let them take a byte
 
Emerging Trends in Information Privacy and Security
Emerging Trends in Information Privacy and SecurityEmerging Trends in Information Privacy and Security
Emerging Trends in Information Privacy and Security
 
NIST Cybersecurity Framework Intro for ISACA Richmond Chapter
NIST Cybersecurity Framework Intro for ISACA Richmond ChapterNIST Cybersecurity Framework Intro for ISACA Richmond Chapter
NIST Cybersecurity Framework Intro for ISACA Richmond Chapter
 
Robert Nichols: Cybersecurity for Government Contractors
Robert Nichols: Cybersecurity for Government ContractorsRobert Nichols: Cybersecurity for Government Contractors
Robert Nichols: Cybersecurity for Government Contractors
 
How to Approach the NYDFS Proposed Cybersecurity Requirements
How to Approach the NYDFS Proposed Cybersecurity RequirementsHow to Approach the NYDFS Proposed Cybersecurity Requirements
How to Approach the NYDFS Proposed Cybersecurity Requirements
 
The Legal Case for Cybersecurity
The Legal Case for CybersecurityThe Legal Case for Cybersecurity
The Legal Case for Cybersecurity
 
NIST IT Standards for Local Governments 2010
NIST IT Standards for Local Governments 2010NIST IT Standards for Local Governments 2010
NIST IT Standards for Local Governments 2010
 
Cisa 2013 ch0
Cisa 2013 ch0Cisa 2013 ch0
Cisa 2013 ch0
 
What is a cybersecurity assessment 20210813
What is a cybersecurity assessment  20210813What is a cybersecurity assessment  20210813
What is a cybersecurity assessment 20210813
 
How an ISO/IEC 27001 Based ISMS Will Support the EU GDPR
How an ISO/IEC 27001 Based ISMS Will Support the EU GDPRHow an ISO/IEC 27001 Based ISMS Will Support the EU GDPR
How an ISO/IEC 27001 Based ISMS Will Support the EU GDPR
 
Continuous Compliance Monitoring
Continuous Compliance MonitoringContinuous Compliance Monitoring
Continuous Compliance Monitoring
 
Nist 800 53 deep dive 20210813
Nist 800 53 deep dive 20210813Nist 800 53 deep dive 20210813
Nist 800 53 deep dive 20210813
 
Cyber Security Risk Management
Cyber Security Risk ManagementCyber Security Risk Management
Cyber Security Risk Management
 
MCGlobalTech Consulting Service Presentation
MCGlobalTech Consulting Service PresentationMCGlobalTech Consulting Service Presentation
MCGlobalTech Consulting Service Presentation
 
Introduction to Risk Management via the NIST Cyber Security Framework
Introduction to Risk Management via the NIST Cyber Security FrameworkIntroduction to Risk Management via the NIST Cyber Security Framework
Introduction to Risk Management via the NIST Cyber Security Framework
 
Get Ready for Syncsort's New Best-of-Breed Security Solution
Get Ready for Syncsort's New Best-of-Breed Security SolutionGet Ready for Syncsort's New Best-of-Breed Security Solution
Get Ready for Syncsort's New Best-of-Breed Security Solution
 
How to Audit Your Incident Response Plan
How to Audit Your Incident Response PlanHow to Audit Your Incident Response Plan
How to Audit Your Incident Response Plan
 
Cyber Security in the Digital Age: A Survey and its Analysis
Cyber Security in the Digital Age: A Survey and its AnalysisCyber Security in the Digital Age: A Survey and its Analysis
Cyber Security in the Digital Age: A Survey and its Analysis
 
Cybersecurity Metrics: Reporting to BoD
Cybersecurity Metrics: Reporting to BoDCybersecurity Metrics: Reporting to BoD
Cybersecurity Metrics: Reporting to BoD
 
The Chicago School of Cybersecurity: A Pragmatic Look at the NIST Cybersecuri...
The Chicago School of Cybersecurity: A Pragmatic Look at the NIST Cybersecuri...The Chicago School of Cybersecurity: A Pragmatic Look at the NIST Cybersecuri...
The Chicago School of Cybersecurity: A Pragmatic Look at the NIST Cybersecuri...
 

Similar to New Ohio Cybersecurity Law Requirements

Securing Fintech: Threats, Challenges & Best Practices
Securing Fintech: Threats, Challenges & Best PracticesSecuring Fintech: Threats, Challenges & Best Practices
Securing Fintech: Threats, Challenges & Best Practices
Ulf Mattsson
 

Similar to New Ohio Cybersecurity Law Requirements (20)

IASA ey deck presentation
IASA ey deck presentationIASA ey deck presentation
IASA ey deck presentation
 
Kmicro Cybersecurity Offerings 2020
Kmicro Cybersecurity Offerings 2020Kmicro Cybersecurity Offerings 2020
Kmicro Cybersecurity Offerings 2020
 
How Your Nonprofit Can Avoid Data Breaches and Ensure Privacy Part 2
How Your Nonprofit Can Avoid Data Breaches and Ensure Privacy Part 2How Your Nonprofit Can Avoid Data Breaches and Ensure Privacy Part 2
How Your Nonprofit Can Avoid Data Breaches and Ensure Privacy Part 2
 
9-Steps-Info-Sec-Whitepaper-final.pdf
9-Steps-Info-Sec-Whitepaper-final.pdf9-Steps-Info-Sec-Whitepaper-final.pdf
9-Steps-Info-Sec-Whitepaper-final.pdf
 
Ffiec cat may_2017
Ffiec cat may_2017Ffiec cat may_2017
Ffiec cat may_2017
 
Strategic Insights on IT & Cyber Risk Assessments.pdf
Strategic Insights on IT & Cyber Risk Assessments.pdfStrategic Insights on IT & Cyber Risk Assessments.pdf
Strategic Insights on IT & Cyber Risk Assessments.pdf
 
NY State's cybersecurity legislation requirements for risk management, securi...
NY State's cybersecurity legislation requirements for risk management, securi...NY State's cybersecurity legislation requirements for risk management, securi...
NY State's cybersecurity legislation requirements for risk management, securi...
 
Choosing the Right Cybersecurity Services: A Guide for Businesses
Choosing the Right Cybersecurity Services: A Guide for BusinessesChoosing the Right Cybersecurity Services: A Guide for Businesses
Choosing the Right Cybersecurity Services: A Guide for Businesses
 
Complying with Cybersecurity Regulations for IBM i Servers and Data
Complying with Cybersecurity Regulations for IBM i Servers and DataComplying with Cybersecurity Regulations for IBM i Servers and Data
Complying with Cybersecurity Regulations for IBM i Servers and Data
 
Solvency II Offering
Solvency II Offering Solvency II Offering
Solvency II Offering
 
Cloud Cybersecurity: Strategies for Managing Vendor Risk
Cloud Cybersecurity: Strategies for Managing Vendor RiskCloud Cybersecurity: Strategies for Managing Vendor Risk
Cloud Cybersecurity: Strategies for Managing Vendor Risk
 
Implementing a Security Management Framework
Implementing a Security Management FrameworkImplementing a Security Management Framework
Implementing a Security Management Framework
 
2 Day MOSTI Workshop
2 Day MOSTI Workshop2 Day MOSTI Workshop
2 Day MOSTI Workshop
 
Building Your Information Security Program: Frameworks & Metrics
Building Your Information Security Program: Frameworks & MetricsBuilding Your Information Security Program: Frameworks & Metrics
Building Your Information Security Program: Frameworks & Metrics
 
Securing Fintech: Threats, Challenges & Best Practices
Securing Fintech: Threats, Challenges & Best PracticesSecuring Fintech: Threats, Challenges & Best Practices
Securing Fintech: Threats, Challenges & Best Practices
 
NIST Cybersecurity Framework 101
NIST Cybersecurity Framework 101  NIST Cybersecurity Framework 101
NIST Cybersecurity Framework 101
 
SEC Cybersecurity Disclosure Guidelines
SEC Cybersecurity Disclosure GuidelinesSEC Cybersecurity Disclosure Guidelines
SEC Cybersecurity Disclosure Guidelines
 
Introduction to NIST Cybersecurity Framework
Introduction to NIST Cybersecurity FrameworkIntroduction to NIST Cybersecurity Framework
Introduction to NIST Cybersecurity Framework
 
NYDFS Cybersecurity Regulations - 23 NYCRR Part 500
NYDFS Cybersecurity Regulations - 23 NYCRR Part 500NYDFS Cybersecurity Regulations - 23 NYCRR Part 500
NYDFS Cybersecurity Regulations - 23 NYCRR Part 500
 
MCGlobalTech Service Presentation
MCGlobalTech Service PresentationMCGlobalTech Service Presentation
MCGlobalTech Service Presentation
 

More from Skoda Minotti

More from Skoda Minotti (20)

Navigating Tomorrow's Tax Landscape - 2020
Navigating Tomorrow's Tax Landscape - 2020Navigating Tomorrow's Tax Landscape - 2020
Navigating Tomorrow's Tax Landscape - 2020
 
Elevate 2019: Business Leader Slides
Elevate 2019: Business Leader SlidesElevate 2019: Business Leader Slides
Elevate 2019: Business Leader Slides
 
Elevate 2019: Financial Professional Slides
Elevate 2019: Financial Professional SlidesElevate 2019: Financial Professional Slides
Elevate 2019: Financial Professional Slides
 
Smart Manufacturing Workshop: An Interactive Improv Session
Smart Manufacturing Workshop: An Interactive Improv SessionSmart Manufacturing Workshop: An Interactive Improv Session
Smart Manufacturing Workshop: An Interactive Improv Session
 
Managing Risk
Managing RiskManaging Risk
Managing Risk
 
Navigating the Tax and Accounting Implications of Cryptocurrencies
Navigating the Tax and Accounting Implications of CryptocurrenciesNavigating the Tax and Accounting Implications of Cryptocurrencies
Navigating the Tax and Accounting Implications of Cryptocurrencies
 
Performance and Rewards
Performance and RewardsPerformance and Rewards
Performance and Rewards
 
Non-Qualified Deferred Compensation Programs for Private Companies
Non-Qualified Deferred Compensation Programs for Private CompaniesNon-Qualified Deferred Compensation Programs for Private Companies
Non-Qualified Deferred Compensation Programs for Private Companies
 
ABC Presents: Interviewing Skills
ABC Presents: Interviewing SkillsABC Presents: Interviewing Skills
ABC Presents: Interviewing Skills
 
Valuation Issues in Developing and Executing Buy-Sell Agreements
Valuation Issues in Developing and Executing Buy-Sell AgreementsValuation Issues in Developing and Executing Buy-Sell Agreements
Valuation Issues in Developing and Executing Buy-Sell Agreements
 
ABC Presents: Recruiting and Retaining Top Talent
ABC Presents: Recruiting and Retaining Top TalentABC Presents: Recruiting and Retaining Top Talent
ABC Presents: Recruiting and Retaining Top Talent
 
State and Local Tax Nexus Issues and the Impact on Mergers and Acquisitions
State and Local Tax Nexus Issues and the Impact on Mergers and AcquisitionsState and Local Tax Nexus Issues and the Impact on Mergers and Acquisitions
State and Local Tax Nexus Issues and the Impact on Mergers and Acquisitions
 
Future-Proofing Your Business with Technology
Future-Proofing Your Business with TechnologyFuture-Proofing Your Business with Technology
Future-Proofing Your Business with Technology
 
Manufacturing in Northeast Ohio: Where We Stand, Where We’re Headed
Manufacturing in Northeast Ohio: Where We Stand, Where We’re HeadedManufacturing in Northeast Ohio: Where We Stand, Where We’re Headed
Manufacturing in Northeast Ohio: Where We Stand, Where We’re Headed
 
Recruiting and Retaining Top Talent
Recruiting and Retaining Top TalentRecruiting and Retaining Top Talent
Recruiting and Retaining Top Talent
 
Understanding Medicare
Understanding MedicareUnderstanding Medicare
Understanding Medicare
 
Five Digital Marketing Trends Your Company Needs to Know in 2019
Five Digital Marketing Trends Your Company Needs to Know in 2019Five Digital Marketing Trends Your Company Needs to Know in 2019
Five Digital Marketing Trends Your Company Needs to Know in 2019
 
Business Valuation Basics
Business Valuation BasicsBusiness Valuation Basics
Business Valuation Basics
 
The Importance of State and Local Tax Nexus
The Importance of State and Local Tax NexusThe Importance of State and Local Tax Nexus
The Importance of State and Local Tax Nexus
 
Using a Forensic CPA for Lawyers
Using a Forensic CPA for LawyersUsing a Forensic CPA for Lawyers
Using a Forensic CPA for Lawyers
 

Recently uploaded

Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
vu2urc
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
?#DUbAI#??##{{(☎️+971_581248768%)**%*]'#abortion pills for sale in dubai@
 

Recently uploaded (20)

Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdf
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
Developing An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilDeveloping An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of Brazil
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessAdvantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your Business
 

New Ohio Cybersecurity Law Requirements

  • 1. New Ohio Cybersecurity Law Requirements Christopher Shaffer and Jeremy Long
  • 2. 2 Introduction Christopher Shaffer, CISSP, CISA, CCSFP, QSA • Senior Manager in the Risk Advisory Services group • 18 years of information technology security, operations, and consulting experience with clients • Leads the HITRUST CSF assessor program • Specializes in leading engagements for:  SSAE 18 (SOC 1)  SOC 2  PCI-DSS  HIPAA  HITRUST  NIST  ISO  IT general computing controls for private and public businesses across a variety of industries cshaffer@skodaminotti.com linkedin.com/in/cpshaffer1/ 440-449-6800
  • 3. 3 Introduction Jeremy Long, CPA/MBA • Principal managing the firm’s Insurance Services group • Specializes in providing accounting, attestation and advisory services • Works with clients throughout the U.S. in the following industries:  Insurance  Financial services  Software  Health services jlong@skodaminotti.com linkedin.com/in/jeremylongcpa/ 440-449-6800
  • 4. 4 Agenda • Background • Applicability • Important Dates • Data Security Requirements • Cybersecurity Plan • Implement Safeguards • Risk Assessments • Incident Response • How Can Skoda Minotti Help? • Our Assessment Methodology
  • 5. 5 Background NAIC Model Law (October 2017) • Protect consumer data by safeguarding insurance policyholders’ personal information; • Establish data security standards to mitigate the potential damage from a breach; • Develop, implement and maintain a secure information security program; and • Investigate cybersecurity events and notify the state insurance commissioner of such events immediately. Ohio Modifications (December 2018) • Expanded exempt licensees • Superintendent of Insurance is exclusive regulator of cybersecurity compliance for licensees • Provides for DOI to consider licensee’s nature, scale, and complexity in administering compliance • Provides affirmative defensive for compliant licenses to certain tort actions
  • 6. 6 Applicability • O.R.C. § 3965.01(M) - Licensee  “any person licensed, authorized to operate, or registered, or required to be licensed, authorized, or registered pursuant to the insurance laws of this state”  Includes all insurers, agencies, and brokers doing business in Ohio  Excludes reinsurers, RRGs, and purchasing groups domiciled or chartered and licensed in another state • Exemptions  < 20 employees  < $5 million in gross annual revenue  < $10 million in assets (at end of fiscal year)  HIPAA-compliant licensees but must provide a certificate of compliance to the superintendent  An employee, agent, representative, or independent contractor of a licensee, who is also a licensee, but covered by cybersecurity program of the licensee
  • 7. 7 Important Dates • March 20, 2019 - O.R.C. § 3965 became law  Reporting cybersecurity events is now effective • February 15, 2020 - Submission of first written statement certifying that the insurer is in compliance with the parts of the law that are effective  If your program requires material improvement, updating, or redesign, must also submit plan of remediation • March 20, 2020 - Required to implement most of the written cybersecurity program requirements • March 20, 2021 - Required to implement remaining third-party vendor due diligence and oversight requirements • June 1, 2021 - Insurers domiciled in Ohio and only authorized to do business in Ohio submit statement certifying compliance along with their Corporate Governance Annual Disclosure
  • 8. 8 Data Security Requirements • The Ohio Cybersecurity Law requires each licensee to implement: • Develop a written cybersecurity plan, customized for the size and complexity of the licensee • Implement administrative, technical and physical safeguards to protect nonpublic information • Conduct risk assessments for internal and external threats, and assess the sufficiency of policies and procedures in place • Address vulnerabilities based on these risk assessments and prioritize which security measures must be implemented • Establish, maintain and implement a written incident response plan to recover from a cybersecurity event, with clear roles and responsibilities defined • Require their third-party service providers to implement security measures to protect and secure any information systems and personal information within two years of the effective date of the Act; • Report cybersecurity events to the Ohio Department of Insurance within 3 business days
  • 9. 9 Cybersecurity Plan The scale and scope of a covered entity's cybersecurity program should be based on all of the following factors: • The size and complexity of the organization • The nature and scope of the activities of the organization • The sensitivity of the information to be protected • The resources available to the covered entity.
10
Cybersecurity Plan (cont.)
Adopting a published framework provides key benefits over developing your own:
• Compliance with contractual requirements
• Achieving measurable security improvements
• Improved maturity and effectiveness of security operations
• Ability to report security readiness to management
Risk management frameworks could include:
• National Institute of Standards and Technology (NIST) publications: the Cybersecurity Framework, or Special Publications 800-53, 800-53A, or 800-171
• International Organization for Standardization (ISO) 27000 family - Information Security Management Systems (ISMS)
• Payment Card Industry Data Security Standard (PCI-DSS) v3.2.1
11
Cybersecurity Plan – Confidentiality
The written cybersecurity plan and annual submission, while in the control or possession of the Department of Insurance:
• Shall be confidential by law and privileged
• Are not public records and shall not be released
• Shall not be subject to subpoena
• Shall not be subject to discovery or admissible in evidence in any private civil action
* The confidentiality provision excludes state, federal and international regulatory agencies, law enforcement and the NAIC
* The plan and submission can be used by the Superintendent in furtherance of any regulatory or legal action brought by the Department
12
Implement Safeguards
Implement administrative, technical and physical safeguards to protect nonpublic information:
• Provided within your chosen risk management framework
• Some frameworks have differing levels of implementation based upon your organization’s scope and complexity
• Internal controls derived from risk assessment mitigating actions
• Vendor best practices
• Research organizations such as CERT, SANS, etc.
13
Risk Assessments
According to NIST, the goal of a risk assessment is for an organization to understand “the cybersecurity risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals.”
NIST 800-30 - Guide for Conducting Risk Assessments:
Step 1 System Characterization (Section 3.1)
Step 2 Threat Identification (Section 3.2)
Step 3 Vulnerability Identification (Section 3.3)
Step 4 Control Analysis (Section 3.4)
Step 5 Likelihood Determination (Section 3.5)
Step 6 Impact Analysis (Section 3.6)
Step 7 Risk Determination (Section 3.7)
Step 8 Control Recommendations (Section 3.8)
Step 9 Results Documentation (Section 3.9)
14
Risk Assessments (cont.)
• The risk assessment will generate a list of vulnerabilities from which to implement security measures (mitigating actions/controls).
• Prioritization of measures can be based on metrics the organization defines, but may consider the following:
 Residual risk score
 The resources available to the organization
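The two slides above describe the NIST 800-30 steps and then prioritizing the resulting mitigating actions by residual risk score and available resources. The following is an added illustration of that mechanic, not code from the slide deck or from Skoda Minotti: a small risk register is scored on a constructed three-level likelihood and impact scale, residual risk is derived from an assumed formula (inherent score reduced by the effectiveness of existing controls), and recommended controls are funded in residual-risk order until an assumed budget runs out. The register entries, the scale and the budget are all constructed sample values.

```python
"""Risk register scoring and prioritization in the NIST SP 800-30 style.

Added illustration, not code from the slide deck or from Skoda Minotti.
The three-level scales, the residual-risk formula, the sample register and
the budget are constructed assumptions chosen to show the mechanics.
"""
from dataclasses import dataclass
from typing import List, Tuple

# Step 5 (likelihood) and Step 6 (impact) on a constructed three-level scale.
LIKELIHOOD = {"low": 1, "moderate": 2, "high": 3}
IMPACT = {"low": 1, "moderate": 2, "high": 3}


@dataclass
class Risk:
    risk_id: str
    threat: str                    # Step 2: threat identification
    vulnerability: str             # Step 3: vulnerability identification
    likelihood: str                # Step 5: "low" | "moderate" | "high"
    impact: str                    # Step 6: "low" | "moderate" | "high"
    control_effectiveness: float   # Step 4: 0.0 (no control) .. 1.0 (fully mitigated)
    remediation_cost: int          # Step 8: cost of the recommended control (arbitrary units)

    def inherent_score(self) -> int:
        """Step 7: risk before existing controls are credited."""
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]

    def residual_score(self) -> float:
        """Step 7: risk remaining after existing controls (assumed formula)."""
        return round(self.inherent_score() * (1.0 - self.control_effectiveness), 2)


def rank_by_residual(register: List[Risk]) -> List[str]:
    """Order risk ids by residual score, highest first; cheaper remediations break ties."""
    ordered = sorted(register, key=lambda r: (-r.residual_score(), r.remediation_cost, r.risk_id))
    return [r.risk_id for r in ordered]


def prioritize(register: List[Risk], budget: int) -> Tuple[List[str], List[str]]:
    """Step 8: walk the ranked list and fund each recommended control while it fits the budget.

    Returns (funded_ids, deferred_ids). A risk whose residual score is already 0
    needs no new control, so it is neither funded nor deferred.
    """
    by_id = {r.risk_id: r for r in register}
    funded, deferred, remaining = [], [], budget
    for risk_id in rank_by_residual(register):
        risk = by_id[risk_id]
        if risk.residual_score() == 0:
            continue
        if risk.remediation_cost <= remaining:
            funded.append(risk_id)
            remaining -= risk.remediation_cost
        else:
            deferred.append(risk_id)
    return funded, deferred


# Constructed sample register for a small licensee (not real assessment data).
SAMPLE_REGISTER = [
    Risk("R1", "credential phishing", "no MFA on remote access portal", "high", "high", 0.2, 40),
    Risk("R2", "lost or stolen laptop", "portable devices not encrypted", "moderate", "high", 0.0, 25),
    Risk("R3", "third-party breach", "no vendor due diligence", "moderate", "moderate", 0.5, 30),
    Risk("R4", "fire in server room", "backups kept on site only", "low", "high", 0.9, 50),
]


def results_report(register: List[Risk], budget: int) -> str:
    """Step 9: one line per risk documenting the scoring and the funding decision."""
    funded, _ = prioritize(register, budget)
    by_id = {r.risk_id: r for r in register}
    lines = []
    for risk_id in rank_by_residual(register):
        r = by_id[risk_id]
        if risk_id in funded:
            decision = "fund"
        elif r.residual_score() == 0:
            decision = "accept"
        else:
            decision = "defer"
        lines.append(f"{r.risk_id} {r.threat:<22} inherent={r.inherent_score()} "
                     f"residual={r.residual_score():<4} cost={r.remediation_cost:<3} {decision}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(results_report(SAMPLE_REGISTER, budget=70))
```

With the sample budget of 70 the two highest residual risks (missing MFA and unencrypted laptops) are funded and the remaining two are deferred to the next cycle with their scores documented, which is the prioritized, resource-aware output the slide asks for.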
15
Incident Response
• Licensees are required to investigate the incident and report the event to the Superintendent of Insurance within three days of the event.
• An incident response plan should contain the following:
 Roles, responsibilities, and communication and contact strategies in the event of a data breach, including, at a minimum, notification of the Superintendent of Insurance and affected parties
 Steps to determine whether a cybersecurity event has occurred
 Steps to identify any nonpublic information that may have been involved in the cybersecurity event
 Steps to restore security operations on compromised systems to prevent further data breach disclosures
 Holding your third-party providers accountable and ensuring their incident response plan aligns with your requirements and is followed
 Maintaining cybersecurity event records for a period of 5 years
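The notification window and the plan contents listed above are easy to track incorrectly once a weekend or a leap day is involved. The following added illustration (not code from the slide deck or from Skoda Minotti) keeps a cybersecurity event record, computes the superintendent notification deadline in business days and the five-year retention date, and lists which plan items are still open. It assumes a business day is Monday to Friday (public holidays are not modelled), that the three-business-day clock starts on the date the licensee determines an event has occurred, as the statute language in the notes puts it, and that the record is retained for five years from that date; the sample event and its identifiers are constructed.

```python
"""Cybersecurity event record with notification-deadline and retention checks.

Added illustration, not code from the slide deck or from Skoda Minotti. Assumes a
business day is Monday to Friday (holidays not modelled), that the three-business-day
clock starts on the determination date, and a five-year retention period. The sample
event below is constructed.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional

NOTIFY_BUSINESS_DAYS = 3   # superintendent notification window (assumed business days)
RETENTION_YEARS = 5        # how long event records are kept


def iso(text: str) -> date:
    """Parse an ISO-8601 date string such as '2019-03-22'."""
    return date.fromisoformat(text)


def add_business_days(start: date, days: int) -> date:
    """Advance `days` business days (Mon-Fri) from `start`; weekends do not count."""
    current = start
    while days > 0:
        current += timedelta(days=1)
        if current.weekday() < 5:      # Monday=0 .. Friday=4
            days -= 1
    return current


def notification_deadline(determined_on: date) -> date:
    return add_business_days(determined_on, NOTIFY_BUSINESS_DAYS)


def retention_until(determined_on: date) -> date:
    """Last day the record must be kept; a Feb 29 determination rolls back to Feb 28."""
    try:
        return determined_on.replace(year=determined_on.year + RETENTION_YEARS)
    except ValueError:
        return determined_on.replace(year=determined_on.year + RETENTION_YEARS, day=28)


@dataclass
class CyberEvent:
    event_id: str
    determined_on: date
    nonpublic_info_involved: List[str] = field(default_factory=list)
    systems_restored: bool = False
    third_party_involved: bool = False
    third_party_plan_confirmed: bool = False
    superintendent_notified_on: Optional[date] = None
    affected_parties_notified_on: Optional[date] = None


def open_items(event: CyberEvent, today: date) -> List[str]:
    """Return the incident-response plan items still outstanding for this event."""
    items = []
    deadline = notification_deadline(event.determined_on)
    if event.superintendent_notified_on is None:
        status = "OVERDUE" if today > deadline else "due"
        items.append(f"superintendent notification {status} by {deadline.isoformat()}")
    elif event.superintendent_notified_on > deadline:
        items.append(f"superintendent notified late (deadline was {deadline.isoformat()})")
    if event.nonpublic_info_involved and event.affected_parties_notified_on is None:
        items.append("affected parties not yet notified")
    if not event.systems_restored:
        items.append("compromised systems not yet restored")
    if event.third_party_involved and not event.third_party_plan_confirmed:
        items.append("third-party provider incident response not yet confirmed")
    return items


# Constructed sample: determined on a Friday, so the weekend does not count.
SAMPLE_EVENT = CyberEvent(
    event_id="EVT-0001",                          # placeholder identifier
    determined_on=iso("2019-03-22"),              # Friday
    nonpublic_info_involved=["Social security number", "Account number"],
    systems_restored=True,
    third_party_involved=True,
    third_party_plan_confirmed=False,
    superintendent_notified_on=iso("2019-03-27"),  # Wednesday, the deadline itself
)

if __name__ == "__main__":
    print("notify by   :", notification_deadline(SAMPLE_EVENT.determined_on))
    print("retain until:", retention_until(SAMPLE_EVENT.determined_on))
    for item in open_items(SAMPLE_EVENT, today=iso("2019-04-01")):
        print(" -", item)
```

For the sample event the deadline lands on the following Wednesday rather than Monday, and the open-item list surfaces the two plan elements still outstanding (affected-party notification and the vendor's response), which is the kind of running checklist the plan's roles and responsibilities should map onto.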
16
Incident Response (cont.)
Why?
 Protect your data
‒ Avoid ransomware hostages, data loss, or disclosure of confidential data
 Protect your reputation and customer trust
‒ A public relations nightmare: IDC notes 78% of consumers would take their business elsewhere if they were affected by a data breach.
 Protect your revenue
‒ Ponemon’s 2018 study put the average cost of a data breach at $3.86 million, up 6.4% from the previous year.
‒ The National Cyber Security Alliance estimates that 60% of small to medium-sized businesses go out of business within 6 months of a breach.
‒ Equifax ($430 million and growing), Target (10% stock price loss), Home Depot ($62 million)
17
How Can Skoda Minotti Help?
• Help an organization select and implement a risk management framework to meet Chapter 3965 requirements
• Perform a readiness assessment and help develop remediation plans to effectively implement a cybersecurity program
• Provide a formal annual assessment that demonstrates ongoing compliance and measures your program’s effectiveness

Editor's Notes

  1. Cybersecurity is critically important to the insurance industry because insurance companies, agencies and agents collect highly sensitive consumer financial and health information, which is an especially alluring target for cyber criminals. Recognizing this risk, the National Association of Insurance Commissioners (NAIC) adopted the Insurance Data Security Model Law (NAIC Model Law) in October 2017 to encourage states to establish a legal framework for requiring insurance organizations to implement comprehensive cybersecurity programs. Ohio was the second state to adopt the NAIC Model Law (South Carolina was first and Michigan adopted it in late 2018). Connecticut and New York have enacted cybersecurity regulations for insurance companies without specifically adopting the NAIC Model Law.
  2. The entire law applies to licensees. If you are exempt, you do not have to comply with the cybersecurity program chapter, but you do still need to comply with the chapters surrounding “investigation of events” and “notification to superintendent”. Once you fail to qualify as exempt, you have 180 days to comply with the law.
  3. Non-public information means information that is not publicly available information and is one of the following:
     (1) Business-related information of a licensee the tampering with, unauthorized disclosure of, access to, or use of which, would cause a material adverse impact to the business, operation, or security of the licensee;
     (2) Information concerning a consumer that because of the name, number, personal mark, or other identifier contained in the information can be used to identify that consumer in combination with any one or more of the following data elements:
         (a) Social security number;
         (b) Driver's license, commercial driver's license, or state identification card number;
         (c) Account, credit card, or debit card number;
         (d) Any security code, access code, or password that would permit access to the consumer's financial account;
         (e) Biometric records.
     (3) Any information or data, except age or gender, that is in any form or medium created by or derived from a health care provider or a consumer, that can be used to identify a particular consumer, and that relates to any of the following:
         (a) The past, present, or future physical, mental, or behavioral health or condition of the consumer or a member of the consumer's family;
         (b) The provision of health care to the consumer;
         (c) Payment for the provision of health care to the consumer.
  4. The program shall be commensurate with the size and complexity of the licensee, the nature and scope of the licensee's activities including its use of third-party service providers, and the sensitivity of the nonpublic information used by the licensee or in the licensee's possession, custody, or control.
  5. (D) Based on its risk assessment, the licensee shall do all of the following:
     (1) Design its information security program to mitigate the identified risks in a way that is commensurate with the size and complexity of the licensee, the nature and scope of the licensee's activities including its use of third-party service providers, and the sensitivity of the nonpublic information used by the licensee or in the licensee's possession, custody, or control;
     (2) Determine which of the following security measures are appropriate and implement such security measures:
         (a) Place access controls on information systems, including controls to authenticate and permit access only to authorized individuals, to protect against the unauthorized acquisition of nonpublic information;
         (b) Identify and manage the data, personnel, devices, systems, and facilities that enable the organization to achieve business purposes in accordance with their relative importance to business objectives and the organization's risk strategy;
         (c) Restrict access at physical locations containing nonpublic information to authorized individuals;
         (d) Protect by encryption or other appropriate means all nonpublic information while such information is being transmitted over an external network and all nonpublic information stored on a laptop computer or other portable computing or storage device or media;
         (e) Adopt secure development practices for in-house developed applications utilized by the licensee and procedures for evaluating, assessing, or testing the security of externally developed applications utilized by the licensee;
         (f) Modify the information system in accordance with the licensee's information security program;
         (g) Utilize effective controls, which may include multifactor authentication procedures for accessing nonpublic information;
         (h) Regularly test and monitor systems and procedures to detect actual and attempted attacks on, or intrusions into, information systems;
         (i) Include audit trails within the information security program designed to detect and respond to cybersecurity events and designed to reconstruct material financial transactions sufficient to support normal operations and obligations of the licensee;
         (j) Implement measures to protect against destruction, loss, or damage of nonpublic information due to environmental hazards, such as fire and water damage or other catastrophes or technological failures;
         (k) Develop, implement, and maintain procedures for the secure disposal of nonpublic information in any format.
     (3) Include cybersecurity risks in the licensee's enterprise risk management process;
     (4) Stay informed regarding emerging threats or vulnerabilities and utilize reasonable security measures when sharing information relative to the character of the sharing and the type of information shared;
     (5) Provide its personnel with cybersecurity awareness training that is updated as necessary to reflect risks identified by the licensee in the risk assessment.
  6. Each licensee shall notify the superintendent of insurance as promptly as possible after a determination that a cybersecurity event involving nonpublic information in the possession of the licensee has occurred, but in no event later than three business days after that determination, when either of the following criteria has been met: