All licensees are required to develop, implement, and maintain a comprehensive information security program based on a risk assessment (O.R.C. Chapter 3965.02). This program should reflect the size and complexity of the organization. There are exemptions to having an information security program that can be found in O.R.C. Chapter 3965.07.
Only domestic insurers are required to certify to the existence of an information security program or file a notice of exemption.
- Multi-State Domestic Insurer – Annually by February 15th, beginning in 2021
- Single-State Domestic Insurer –
- Beginning June 1, 2020, as part of its corporate governance disclosure; OR,
- Annually thereafter beginning February 15th each year but no later than June 1st as part of its corporate governance disclosure
Note: Electronic filing will be available by June 1, 2020, for those insurers who elect to file early. All insurers are required to file annually beginning in 2021.
How do I file? Certifications and Exemption Notices can be filed online through the ODI Gateway by clicking the "Launch" button at the top/right corner of this page. For instructions on how to create a Gateway account click here.
Send all questions to INSINFOSEC@insurance.ohio.gov.