In 2024, the Oklahoma Legislature enacted the Insurance Data Security Act, 36 O.S. §§ 670 – 679 (the “Act”), to establish data security standards for insurers to mitigate the potential damage of data breaches. The Act applies to insurers, producers, and other licensees under the jurisdiction of the Oklahoma Insurance Commissioner. It requires non-exempt licensees to develop, implement, and maintain an information security program, investigate any cybersecurity events, and notify the state insurance commissioner of such events.
Pursuant to Sections 672(9) and 678, the following entities are exempt from the Act:
- Foreign Purchasing Groups;
- Foreign Risk Retention Groups;
- Foreign and alien Assuming Insurers;
- Licensees authorized to operate or registered pursuant to Title 59 (Pharmacy Benefit Managers and Bail Bondsmen) and Title 15 (Service Warranty Associations);
- Vehicle Protection Product Warrantors [Title 36 O.S. § 6652(B)];
- Captive Insurance Companies [Title 36 O.S. § 6470.10(E)(2)];
- Licensees with less than $5 million ($5,000,000.00) in gross annual revenue (not limited to Oklahoma revenue); and
- An employee, agent, representative, or designee of a licensee who is also a licensee is exempt from the Act and is not required to develop their own information security program to the extent that the employee, agent, representative, or designee is covered by the information security program of the licensee.
If a licensee ceases to qualify for an exception, the licensee shall have one hundred eighty (180) days to comply with the provisions of the Act.
Oklahoma Domestic Insurer Data Security Attestation Form
Pursuant to 36 O.S. § 673(I), by July 1, 2025, and by April 15th of each subsequent year, Oklahoma domiciled insurers shall file with the Insurance Commissioner the attestation form available at this link: https://www.oid.ok.gov/regulated-entities/financial/market-conduct-regulation/. The Data Security Attestation form shall be filed by emailing the completed form to OIDRegulatoryReporting@oid.ok.gov.
Each Oklahoma domestic insurer is required to maintain the following documentation for at least five (5) years and to produce such documentation to the Oklahoma Insurance Commissioner upon request.
- All records, schedules, and data supporting this attestation; and
- All documentation regarding any areas, systems, or processes that the insurer has identified as needing material improvement, updating, or redesign, and regarding any remedial efforts planned or underway to address the same.
Oklahoma domestic insurers who consider themselves exempt from the Act, and/or Section 673 of the Act, shall fill out the Data Security Attestation Form by selecting “Not applicable,” selecting the applicable exemption, and then filing the Form with the Insurance Commissioner in accordance with the instructions above.
Annual Report to Board of Directors
Section 673(E) applies to each licensee with a board of directors and requires the licensee’s executive management, or its delegates, to report to the board of directors, at least annually, the following information:
- The overall status of the information security program and the compliance of the licensee with this act; and
- Material matters related to the information security program, addressing issues such as risk assessment, risk management and control decisions, third-party service provider arrangements, results of testing, cybersecurity events or violations and responses of the management to those events or violations, and recommendations for changes in the information security program.
The Act does not define the term “board of directors.” Under Oklahoma law, statutory terms are given their plain meaning, and “board of directors” is generally understood to mean the group of people who manage or direct the business entity.
Pursuant to Section 678, the following licensees are not required to comply with 36 O.S. § 673:
- A licensee subject to the Health Insurance Portability and Accountability Act, Pub. L. 104–191, 110 Stat. 1936, as amended, that has established and maintains an information security program pursuant to such statutes, rules, regulations, procedures, or guidelines established thereunder; and
- A licensee subject to Title V of the federal Gramm-Leach-Bliley Act of 1999 (15 U.S.C. Sections 6801-6809 and 6821-6827) that has established and maintains an information security program pursuant to such statutes, rules, regulations, procedures, or guidelines established thereunder.
Licensees utilizing these exemptions shall provide to the Insurance Commissioner, upon request, a written statement, in the manner and form prescribed by the Insurance Commissioner, certifying their compliance with the applicable Federal Act.
Cybersecurity Event Notification
Pursuant to 36 O.S. § 675(A) and (B), every non-exempt licensee shall notify the Oklahoma Insurance Commissioner without unreasonable delay, and not later than three business days after determining that a cybersecurity event involving nonpublic information in the possession of the licensee has occurred, when either of the following criteria has been met:
- This state is the state of domicile of the licensee, in the case of an insurer, or this state is the home state of the licensee, in the case of a producer, and the cybersecurity event has a reasonable likelihood of materially harming any material part of the normal operations of the licensee or any consumer residing in this state; or
- The licensee reasonably believes that the nonpublic information involved is of two hundred fifty (250) or more consumers residing in this state and the event is either of the following:
  - a cybersecurity event impacting the licensee of which notice is required to be provided to any government body, self-regulatory agency, or any other supervisory body pursuant to any state or federal law, or
  - a cybersecurity event that has a reasonable likelihood of materially harming:
    - any consumer residing in this state, or
    - any material part of the normal operation or operations of the licensee.
The licensee making the notification shall provide as much of the following information as possible, electronically in the manner and form prescribed by the Commissioner, along with any applicable fees:
- Date of the cybersecurity event;
- Description of how the information was exposed, lost, stolen, or breached, including, but not limited to, the specific roles and responsibilities of third-party service providers, if any;
- How the cybersecurity event was discovered;
- Whether any lost, stolen, or breached information has been recovered and, if so, how this was done;
- The identity of the source of the cybersecurity event;
- Whether the licensee has filed a police report or has notified any regulatory, government, or law enforcement agencies and, if so, when such notification was provided;
- Description of the specific types of information acquired without authorization. The term “specific types of information” means particular data elements including, but not limited to, types of medical information, financial information, or information allowing identification of the consumer;
- The period during which the information system was compromised by the cybersecurity event;
- The number of total consumers in this state affected by the cybersecurity event. The licensee shall provide the best estimate in the initial report to the Commissioner and update this estimate with each subsequent report to the Commissioner pursuant to this section;
- The results of any internal review identifying a lapse in either automated controls or internal procedures, or confirming that all automated controls or internal procedures were followed;
- Description of efforts being undertaken to remediate the situation that permitted the cybersecurity event to occur;
- A copy of the privacy policy of the licensee and a statement outlining the steps the licensee will take to investigate and notify consumers affected by the cybersecurity event; and
- Name of a contact person who is both familiar with the cybersecurity event and authorized to act for the licensee.
The Cybersecurity Event Notification form can be found on the Oklahoma Insurance Department website at: https://www.oid.ok.gov/regulated-entities/financial/market-conduct-regulation/.