Skip to main content
Back To Top Top Back To Top
The Legislative Service Commission staff updates the Revised Code on an ongoing basis, as it completes its act review of enacted legislation. Updates may be slower during some times of the year, depending on the volume of enacted legislation.

Chapter 3965 | Cybersecurity Requirements For Insurance Companies

 
 
 
Section
Section 3965.01 | Definitions.
 

As used in this chapter:

(A) "Assuming insurer" has the same meaning as in section 3901.61 of the Revised Code.

(B) "Authorized individual" means an individual authorized by the licensee to access nonpublic information held by the licensee and its information systems.

(C) "Ceding insurer" has the same meaning as in section 3901.61 of the Revised Code.

(D) "Consumer" means an individual who is a resident of this state and whose nonpublic information is in a licensee's possession, custody, or control. "Consumer" includes an applicant, policyholder, insured, beneficiary, claimant, and certificate holder.

(E) "Cybersecurity event" means an event resulting in unauthorized access to, disruption of, or misuse of an information system or nonpublic information stored on an information system that has a reasonable likelihood of materially harming any consumer residing in this state or any material part of the normal operations of the licensee. "Cybersecurity event" does not include the unauthorized acquisition of encrypted nonpublic information if the encryption, process, or key is not also acquired, released, or used without authorization. "Cybersecurity event" does not include an event with regard to which the licensee has determined that the nonpublic information accessed by an unauthorized person has not been used or released and has been returned or destroyed.

(F) "Encrypted" means the transformation of data into a form that results in a low probability of assigning meaning without the use of a protective process or key.

(G) "Family" means an individual's spouse, child, stepchild, foster child, parent, stepparent, foster parent, grandparent, grandchild, sibling, half sibling, stepsibling, parent-in-law, brother-in-law, or sister-in-law.

(H) "HIPAA" means the "Health Insurance Portability and Accountability Act of 1996," Pub. L. No. 104-191, 110 Stat. 1936, as amended.

(I) "Independent insurance agent" has the same meaning as in section 3905.49 of the Revised Code.

(J) "Information security program" means the administrative, technical, and physical safeguards that a licensee uses to access, collect, distribute, process, protect, store, use, transmit, dispose of, or otherwise handle nonpublic information.

(K) "Information system" means a discrete set of electronic information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of electronic nonpublic information, as well as any specialized system such as industrial and process controls systems, telephone switching and private branch exchange systems, and environmental control systems.

(L) "Insurer" has the same meaning as in section 3901.32 of the Revised Code.

(M) "Licensee" means any person licensed, authorized to operate, or registered, or required to be licensed, authorized, or registered pursuant to the insurance laws of this state. "Licensee" includes an insurer. "Licensee" does not include a purchasing group or a risk retention group chartered and licensed in another state or a licensee that is acting as an assuming insurer that is domiciled in another state or jurisdiction.

(N) "Multifactor authentication" means authentication through verification of at least two of the following types of authentication factors:

(1) Knowledge factors, such as a password;

(2) Possession factors, such as a token or text message on a mobile phone;

(3) Inherence factors, such as a biometric characteristic.

(O) "Nonpublic information" means information that is not publicly available information and is one of the following:

(1) Business-related information of a licensee the tampering with, unauthorized disclosure of, access to, or use of which, would cause a material adverse impact to the business, operation, or security of the licensee;

(2) Information concerning a consumer that because of the name, number, personal mark, or other identifier contained in the information can be used to identify that consumer in combination with any one or more of the following data elements:

(a) Social security number;

(b) Driver's license, commercial driver's license, or state identification card number;

(c) Account, credit card, or debit card number;

(d) Any security code, access code, or password that would permit access to the consumer's financial account;

(e) Biometric records.

(3) Any information or data, except age or gender, that is in any form or medium created by or derived from a health care provider or a consumer, that can be used to identify a particular consumer, and that relates to any of the following:

(a) The past, present, or future physical, mental, or behavioral health or condition of the consumer or a member of the consumer's family;

(b) The provision of health care to the consumer;

(c) Payment for the provision of health care to the consumer.

(P) "Publicly available information" means any information that a licensee has a reasonable basis to believe is lawfully made available to the general public from federal, state, or local government records; widely distributed media; or disclosures to the general public that are required to be made by federal, state, or local law.

For the purposes of this chapter, a licensee has a reasonable basis to believe that information is lawfully made available to the general public if the licensee has taken steps to determine both of the following:

(1) That the information is of the type that is available to the general public;

(2) Whether a consumer can direct that the information not be made available to the general public and, if so, that the consumer has not done so.

(Q) "Risk assessment" means the risk assessment that each licensee is required to conduct under division (C) of section 3965.02 of the Revised Code.

(R) "Third-party service provider" means a person other than a licensee that:

(1) Contracts with a licensee to maintain, process, or store nonpublic information through its provision of services to the licensee;

(2) Otherwise is permitted access to nonpublic information through its provision of services to the licensee.

Section 3965.02 | Information security program.
 

(A) Each licensee shall develop, implement, and maintain a comprehensive written information security program based on the licensee's risk assessment. The program shall be commensurate with the size and complexity of the licensee, the nature and scope of the licensee's activities including its use of third-party service providers, and the sensitivity of the nonpublic information used by the licensee or in the licensee's possession, custody, or control.

(B) The information security program shall contain administrative, technical, and physical safeguards for the protection of nonpublic information and the licensee's information system and shall be designed to do all of the following:

(1) Protect the security and confidentiality of nonpublic information and the security of the information system;

(2) Protect against any threats or hazards to the security or integrity of nonpublic information and the information system;

(3) Protect against unauthorized access to or use of nonpublic information and minimize the likelihood of harm to any consumer;

(4) Define and periodically reevaluate a schedule for retention of nonpublic information and a mechanism for its destruction when no longer needed.

(C) The licensee shall do all of the following:

(1) Designate one or more persons or entities to act on behalf of the licensee and be responsible for the information security program;

(2) Identify reasonably foreseeable internal or external threats that could result in unauthorized access, transmission, disclosure, misuse, alteration, or destruction of nonpublic information, including threats to the security of information systems and nonpublic information that are accessible to, or held by, third-party service providers;

(3) Assess the likelihood and potential damage of the threats described in division (C)(2) of this section, taking into consideration the sensitivity of the nonpublic information;

(4) Assess the sufficiency of policies, procedures, information systems, and other safeguards in place to manage the threats described in division (C)(2) of this section, including consideration of such threats in each relevant area of the licensee's operations, including all of the following:

(a) Employee training and management;

(b) Information systems, including network and software design, as well as information classification, governance, processing, storage, transmission, and disposal;

(c) Detecting, preventing, and responding to attacks, intrusions, or other systems failures.

(5) Implement information safeguards to manage the threats identified in its ongoing assessment;

(6) Not less than annually, assess the effectiveness of the safeguards' key controls, systems, and procedures.

(D) Based on its risk assessment, the licensee shall do all of the following:

(1) Design its information security program to mitigate the identified risks in a way that is commensurate with the size and complexity of the licensee, the nature and scope of the licensee's activities including its use of third-party service providers, and the sensitivity of the nonpublic information used by the licensee or in the licensee's possession, custody, or control;

(2) Determine which of the following security measures are appropriate and implement such security measures:

(a) Place access controls on information systems, including controls to authenticate and permit access only to authorized individuals, to protect against the unauthorized acquisition of nonpublic information;

(b) Identify and manage the data, personnel, devices, systems, and facilities that enable the organization to achieve business purposes in accordance with their relative importance to business objectives and the organization's risk strategy;

(c) Restrict access at physical locations containing nonpublic information to authorized individuals;

(d) Protect by encryption or other appropriate means all nonpublic information while such information is being transmitted over an external network and all nonpublic information stored on a laptop computer or other portable computing or storage device or media;

(e) Adopt secure development practices for in-house developed applications utilized by the licensee and procedures for evaluating, assessing, or testing the security of externally developed applications utilized by the licensee;

(f) Modify the information system in accordance with the licensee's information security program;

(g) Utilize effective controls, which may include multifactor authentication procedures for accessing nonpublic information;

(h) Regularly test and monitor systems and procedures to detect actual and attempted attacks on, or intrusions into, information systems;

(i) Include audit trails within the information security program designed to detect and respond to cybersecurity events and designed to reconstruct material financial transactions sufficient to support normal operations and obligations of the licensee;

(j) Implement measures to protect against destruction, loss, or damage of nonpublic information due to environmental hazards, such as fire and water damage or other catastrophes or technological failures;

(k) Develop, implement, and maintain procedures for the secure disposal of nonpublic information in any format.

(3) Include cybersecurity risks in the licensee's enterprise risk management process;

(4) Stay informed regarding emerging threats or vulnerabilities and utilize reasonable security measures when sharing information relative to the character of the sharing and the type of information shared;

(5) Provide its personnel with cybersecurity awareness training that is updated as necessary to reflect risks identified by the licensee in the risk assessment.

(E) If the licensee has a board of directors, the board or an appropriate committee of the board shall, at a minimum, do all of the following:

(1) Require the licensee's executive management or its delegates to develop, implement, and maintain the licensee's information security program;

(2) Require the licensee's executive management or its delegates to report in writing at least annually, all of the following information:

(a) The overall status of the information security program and the licensee's compliance with this chapter;

(b) Material matters related to the information security program, addressing issues such as risk assessment, risk management and control decisions, third-party service provider arrangements, results of testing, cybersecurity events or violations and management's responses thereto, and recommendations for changes in the information security program.

(3) If executive management delegates any of its responsibilities under this section, it shall oversee the development, implementation, and maintenance of the licensee's information security program prepared by the delegates and shall require the delegates to submit a report that complies with the requirements of division (E)(2) of this section.

(F)(1) A licensee shall exercise due diligence in selecting its third-party service provider.

(2) A licensee shall require a third-party service provider to implement appropriate administrative, technical, and physical measures to protect and secure the information systems and nonpublic information that are accessible to, or held by, the third-party service provider.

(G) The licensee shall monitor, evaluate, and adjust, as appropriate, the information security program consistent with all of the following:

(1) Any relevant changes in technology;

(2) The sensitivity of its nonpublic information;

(3) Internal or external threats to information;

(4) The licensee's own changing business arrangements, such as mergers and acquisitions, alliances and joint ventures, outsourcing arrangements, and changes to information systems.

(H)(1) As part of its information security program, each licensee shall establish a written incident response plan designed to promptly respond to, and recover from, any cybersecurity event that compromises the confidentiality, integrity, or availability of nonpublic information in its possession, the licensee's information systems, or the continuing functionality of any aspect of the licensee's business or operations.

(2) The incident response plan described in division (H) (1) of this section shall address all of the following areas:

(a) The internal process for responding to a cybersecurity event;

(b) The goals of the incident response plan;

(c) The definition of clear roles, responsibilities, and levels of decision-making authority;

(d) External and internal communications and information sharing;

(e) Identification of requirements for the remediation of any identified weaknesses in information systems and associated controls;

(f) Documentation and reporting regarding cybersecurity events and related incident response activities;

(g) The evaluation and revision as necessary of the incident response plan following a cybersecurity event.

(I)(1) By the fifteenth day of February of each year, unless otherwise permitted to file on the first day of June in division (I)(2) of this section, each insurer domiciled in this state shall submit to the superintendent of insurance a written statement certifying that the insurer is in compliance with the requirements set forth in this section. Each insurer shall maintain for examination by the department of insurance all records, schedules, and data supporting this certificate for a period of five years. To the extent an insurer has identified areas, systems, or processes that require material improvement, updating, or redesign, the insurer shall document the identification and the remedial efforts planned and underway to address such areas, systems, or processes. Such documentation must be available for inspection by the superintendent.

(2) Notwithstanding division (I)(1) of this section, an insurer domiciled in this state and licensed exclusively to conduct business in this state and no other state shall be permitted to submit to the superintendent of insurance a written statement certifying that the insurer is in compliance with the requirements set forth in this section as part of the insurer's corporate governance annual disclosure required by section 3901.073 of the Revised Code.

(J) A licensee that meets the requirements of this chapter shall be deemed to have implemented a cybersecurity program that reasonably conforms to an industry-recognized cybersecurity framework for the purposes of Chapter 1354. of the Revised Code.

Section 3965.03 | Investigation of events.
 

(A) If a licensee learns that a cybersecurity event has or may have occurred, the licensee or an outside vendor or service provider designated to act on behalf of the licensee shall conduct a prompt investigation.

(B) During the investigation, the licensee or an outside vendor or service provider designated to act on behalf of the licensee shall, at a minimum, do as much of the following as possible:

(1) Determine whether a cybersecurity event has occurred;

(2) Assess the nature and scope of the cybersecurity event;

(3) Identify any nonpublic information that may have been involved in the cybersecurity event;

(4) Perform or oversee reasonable measures to restore the security of the information systems compromised in the cybersecurity event in order to prevent further unauthorized acquisition, release, or use of nonpublic information in the licensee's possession, custody, or control.

(C) If the licensee learns that a cybersecurity event has or may have occurred in a system maintained by a third-party service provider, the licensee shall take the actions described in division (B) of this section or make reasonable efforts to confirm and document that the third-party service provider has taken those actions.

(D) The licensee shall maintain records concerning all cybersecurity events for a period of at least five years from the date of the cybersecurity event and shall produce those records upon demand of the superintendent of insurance.

Section 3965.04 | Notification to superintendent.
 

(A) Each licensee shall notify the superintendent of insurance as promptly as possible after a determination that a cybersecurity event involving nonpublic information in the possession of the licensee has occurred, but in no event later than three business days after that determination, when either of the following criteria has been met:

(1) Both of the following apply:

(a) This state is the licensee's state of domicile, in the case of an insurer, or this state is the licensee's home state, in the case of an independent insurance agent.

(b) The cybersecurity event has a reasonable likelihood of materially harming a consumer or a material part of the normal operations of the licensee.

(2) The licensee reasonably believes that the nonpublic information involved relates to two hundred fifty or more consumers residing in this state and the cybersecurity event is either of the following:

(a) A cybersecurity event impacting the licensee of which notice is required to be provided to any government body, self- regulatory agency, or any other supervisory body pursuant to any state or federal law;

(b) A cybersecurity event that has a reasonable likelihood of materially harming either of the following:

(i) Any consumer residing in this state;

(ii) Any material part of the normal operations of the licensee.

(B)(1) In providing the notification described in division (A) of this section, the licensee shall provide as much of the following information as possible:

(a) The date of the cybersecurity event;

(b) A description of how the information was exposed, lost, stolen, or breached, including the specific roles and responsibilities of any third-party service providers;

(c) How the cybersecurity event was discovered;

(d) Whether any lost, stolen, or breached information has been recovered and if so, how this was done;

(e) The identity of the source of the cybersecurity event;

(f) Whether the licensee has filed a police report or has notified any regulatory, government, or law enforcement agencies and, if so, when such notification was provided;

(g) A description of the specific types of information acquired without authorization. "Specific types of information" means particular data elements, including types of medical information, types of financial information, or types of information allowing identification of the consumer.

(h) The period during which the information system was compromised by the cybersecurity event;

(i) The number of total consumers in this state affected by the cybersecurity event. The licensee shall provide the best estimate in the initial report to the superintendent and update this estimate with each subsequent report to the superintendent pursuant to this section.

(j) The results of any internal review identifying a lapse in either automated controls or internal procedures, or confirming that all automated controls or internal procedures were followed;

(k) A description of efforts being undertaken to remediate the situation that permitted the cybersecurity event to occur;

(l) A copy of the licensee's privacy policy and a statement outlining the steps the licensee will take to investigate and notify consumers affected by the cybersecurity event;

(m) The name of a contact person who is both familiar with the cybersecurity event and authorized to act for the licensee.

(2) The licensee shall provide the information in electronic form as directed by the superintendent. The licensee shall have a continuing obligation to update and supplement initial and subsequent notifications to the superintendent regarding material developments relating to the cybersecurity event.

(C) A licensee shall comply with section 1349.19 of the Revised Code as applicable and provide a copy of the notice sent to consumers under that section to the superintendent, when the licensee is required to notify the superintendent under division (A) of this section.

(D)(1) If a licensee becomes aware of a cybersecurity event in a system maintained by a third-party service provider, the licensee shall treat the event as it would under division (A) of this section.

(2) The computation of the licensee's deadlines specified in this section shall begin on the day after the third-party service provider notifies the licensee of the cybersecurity event or the licensee otherwise has actual knowledge of the cybersecurity event, whichever is sooner.

(3) Nothing in this chapter shall prevent or abrogate an agreement between a licensee and another licensee, a third-party service provider, or any other party to fulfill any of the investigation requirements imposed under section 3965.03 of the Revised Code or notice requirements imposed under this section.

(E)(1) In the case of a cybersecurity event involving nonpublic information that is used by or in the possession, custody, or control of a licensee that is acting as an assuming insurer, including an assuming insurer that is domiciled in another state or jurisdiction, and that does not have a direct contractual relationship with the affected consumers, both of the following apply:

(a) The assuming insurer shall notify its affected ceding insurers and the insurance commissioner of its state or jurisdiction of domicile within three business days of making the determination that a cybersecurity event has occurred.

(b) The ceding insurers that have a direct contractual relationship with affected consumers shall fulfill the consumer notification requirements imposed under section 1349.19 of the Revised Code and any other notification requirements relating to a cybersecurity event imposed under this section.

(2) In the case of a cybersecurity event involving nonpublic information that is in the possession, custody, or control of a licensee's third-party service provider, when the licensee is acting as an assuming insurer, including an assuming insurer that is domiciled in another state or jurisdiction, both of the following apply:

(a) The assuming insurer shall notify its affected ceding insurers and the insurance commissioner of its state or jurisdiction of domicile within three business days of receiving notice from its third-party service provider that a cybersecurity event has occurred.

(b) The ceding insurers that have a direct contractual relationship with affected consumers shall fulfill the consumer notification requirements imposed under section 1349.19 of the Revised Code and any other notification requirements relating to a cybersecurity event imposed under this section.

(3) Any licensee acting as an assuming insurer shall have no other notice obligations relating to a cybersecurity event or other data breach under division (A) of this section.

(F) In the case of a cybersecurity event involving nonpublic information that is in the possession, custody, or control of a licensee that is an insurer or its third-party service provider, that was obtained by the insurer from a consumer accessing the insurer's services through an independent insurance agent, and for which disclosure or notice is required under section 1349.19 of the Revised Code, the insurer shall notify the independent insurance agents of record of all affected consumers.

The insurer is excused from this obligation for any independent insurance agents who are not authorized by law or contract to sell, solicit, or negotiate on behalf of the insurer, and for those instances in which the insurer does not have the current independent insurance agent of record information for an individual consumer.

Section 3965.05 | Powers of superintendent.
 

(A) The superintendent of insurance shall have power to examine and investigate into the affairs of any licensee to determine whether the licensee has been or is engaged in any conduct in violation of this chapter. This power is in addition to the powers that the superintendent has under Title XXXIX and Chapters 1739. and 1751. of the Revised Code.

(B) Whenever the superintendent has reason to believe that a licensee has been or is engaged in conduct in this state that violates this chapter, the superintendent may take any necessary or appropriate action to enforce the provisions of this chapter.

Section 3965.06 | Confidentiality.
 

(A)(1) Any documents, materials, or other information in the control or possession of the department of insurance that are furnished pursuant to divisions (H)(1) and (I) of section 3965.02 and divisions (B)(1)(b), (c), (d), (e), (h), (j), and (k) of section 3965.04 of the Revised Code, or that are obtained by, created by, or disclosed to the superintendent of insurance in an investigation or examination pursuant to section 3965.05 of the Revised Code:

(a) Shall be confidential by law and privileged;

(b) Are not public records for the purposes of section 149.43 of the Revised Code and shall not be released;

(c) Shall not be subject to subpoena;

(d) Shall not be subject to discovery or admissible in evidence in any private civil action.

(2) Notwithstanding division (A)(1) of this section, the superintendent may use the documents, materials, or other information described in division (A) of this section in furtherance of any regulatory or legal action brought as a part of the superintendent's duties.

(B) Neither the superintendent nor any person who received documents, materials, or other information described in division (A) of this section while acting under the authority of the superintendent shall be permitted or required to testify in any private civil action concerning any documents, materials, or information subject to division (A) of this section.

(C) In order to assist in the performance of the superintendent's duties under this chapter, the superintendent may do any of the following:

(1) Notwithstanding division (A) of this section, share documents, materials, or other information, including those subject to division (A) of this section, with all of the following if the recipient agrees in writing to maintain the confidentiality and privileged status of the document, material, or other information:

(a) Other state, federal, and international regulatory agencies;

(b) The national association of insurance commissioners and its affiliates and subsidiaries;

(c) State, federal, and international law enforcement authorities.

(2) Receive documents, materials, or information, including otherwise confidential and privileged documents, materials, or information, from the national association of insurance commissioners and its affiliates and subsidiaries, and from regulatory and law enforcement officials of other foreign or domestic jurisdictions. The superintendent shall maintain as confidential or privileged any document, material, or information received with notice or the understanding that it is confidential or privileged under the laws of the jurisdiction that is the source of the document, material, or information.

(3) Share documents, materials, or other information subject to division (A) of this section with a third-party consultant or vendor if the consultant or vendor agrees in writing to maintain the confidentiality and privileged status of the document, material, or other information;

(4) Enter into agreements governing sharing and use of information consistent with this section.

(D) No waiver of any applicable privilege or claim of confidentiality in the documents, materials, or information shall occur as a result of disclosure to the superintendent under this section or as a result of sharing as authorized in division (C) of this section.

(E) Nothing in this chapter shall prohibit the superintendent from releasing decisions related to final, adjudicated actions that are open to public inspection pursuant to section 149.43 of the Revised Code to a database or other clearinghouse service maintained by the national association of insurance commissioners or its affiliates or subsidiaries.

(F) Any documents, materials, or other information described in division (A) of this section that are in the possession or control of the national association of insurance commissioners, or any vendor, third-party consultant to the national association of insurance commissioners, or a third- party service provider:

(1) Shall be confidential by law and privileged;

(2) Are not public records for the purposes of section 149.43 of the Revised Code and shall not be released;

(3) Shall not be subject to subpoena;

(4) Shall not be subject to discovery or admissible in evidence in any private civil action.

Section 3965.07 | Exemptions.
 

(A) A licensee is exempt from the requirements of section 3965.02 of the Revised Code if it meets any of the following criteria:

(1) The licensee has fewer than twenty employees.

(2) The licensee has less than five million dollars in gross annual revenue.

(3) The licensee has less than ten million dollars in assets, measured at the end of the licensee's fiscal year.

(B)(1) A licensee subject to and in compliance with the privacy and security rules of 45 C.F.R. Parts 160 and 164 shall be deemed to meet the requirements of this chapter, except those pertaining to notification under section 3965.04 of the Revised Code. The licensee shall submit a written statement to the superintendent certifying its compliance with 45 C.F.R. Parts 160 and 164. The information furnished by a licensee pursuant to section 3965.04 of the Revised Code shall be confidential in accordance with section 3965.06 of the Revised Code.

Each licensee shall maintain for examination by the superintendent all records, schedules, and data supporting the certificate of compliance for a period of five years. To the extent an insurer has identified areas, systems, or processes that require material improvement, updating, or redesign, the insurer shall document the identification and the remedial efforts planned and underway to address such areas, systems, or processes. Such documentation shall be available for inspection by the department.

(2) Notwithstanding any other provision of this chapter, a licensee subject to HIPAA shall comply with the requirements of any subsequent amendments to HIPAA in the timeframe established in the applicable amendments to HIPAA.

(C) An employee, agent, representative, independent contractor, or designee of a licensee, who is also a licensee, is exempt from section 3965.02 of the Revised Code and need not develop its own information security program to the extent that the employee, agent, representative, independent contractor, or designee is covered by the information security program of the other licensee.

(D) If a licensee ceases to qualify for an exemption, the licensee shall have one hundred eighty days after the date it ceases to qualify to comply with this chapter.

Section 3965.08 | Affirmative defense.
 

(A) A licensee that satisfies the provisions of this chapter shall be entitled to an affirmative defense to any cause of action sounding in tort that is brought under the laws of this state or in the courts of this state and that alleges that the failure to implement reasonable information security controls resulted in a data breach concerning nonpublic information.

(B) The affirmative defenses permitted under this section shall not limit any other affirmative defenses available to a licensee.

Section 3965.09 | Applicability and scope of chapter.
 

Notwithstanding any other provision of law, the provisions of this chapter and any rules adopted pursuant to this chapter constitute the exclusive state standards and requirements applicable to licensees regarding cybersecurity events, the security of nonpublic information, data security, investigation of cybersecurity events, and notification to the superintendent of cybersecurity events.

Section 3965.10 | Adoption of rules.
 

The superintendent of insurance, pursuant to Chapter 119. of the Revised Code, may adopt rules as necessary to carry out the provisions of this chapter.

Section 3965.11 | Administration.
 

The superintendent of insurance shall consider the nature, scale, and complexity of licensees in administering this chapter and adopting rules pursuant to this chapter.