Ohio joins South Carolina and Michigan to create cybersecurity legislation modeled after the National Association of Insurance Commissioners’ (NAIC) Insurance Data Security Model Law.
Rather than start from scratch and spend a material amount of time and taxpayers' money crafting a new cybersecurity law, states are beginning instead to look to the NAIC's Insurance Data Security Model Law as the basis for their own legislation. While the NAIC "Law" isn't actual legislation, it is written as if it were, precisely so that it can serve this purpose. It provides details around the data to be protected, risk assessments, oversight, incident response, investigations, notifications, and more.
With Ohio joining the pack in enacting cybersecurity regulations for insurance companies, credence is given to the NAIC’s model law. This elevates the credibility of the model law when other states begin their own task of crafting similar legislation.
Mandate to include Security Awareness Training
One aspect that we here at KnowBe4 are particularly happy to see included in the NAIC's model law is the mandate to include Security Awareness Training as part of Risk Assessment and Risk Management initiatives. A critical part of any security strategy, this training heightens employees' understanding of why security must be part of their daily routine, helping protect the organization from phishing attacks, social engineering, data breaches, ransomware and more.
And while the current legislation is focused on the insurance industry, the tide is moving towards more personal data protection laws. So, expect to see more regulated industries adopt similar legislation, personal data laws that cover every industry, or both.