The Revised Bulletin 2024-10 outlines new requirements under Oklahoma’s Insurance Data Security Act, effective July 1, 2024, for entities licensed by the Insurance Commissioner. The Act establishes exclusive state standards for data security, cybersecurity event investigation, and notification, with specific exemptions and phased compliance deadlines. Key obligations include annual reporting to boards of directors, attestation of compliance for domestic insurers, and prompt notification of cybersecurity events to the Commissioner, along with detailed documentation and consumer notification requirements.
- Certain entities, such as those with less than $5 million in annual revenue and those compliant with HIPAA or the Gramm-Leach-Bliley Act, are exempt from some or all requirements.
- Domestic insurers must annually attest to compliance and maintain supporting records for five years, with the first attestation due July 1, 2025.
- Licensees must notify the Commissioner within three business days of qualifying cybersecurity events and provide comprehensive incident details, while also complying with Oklahoma’s Security Breach Notification Act.