Aside from modelling it after the GDPR, as announced by the Minister in October 2018, it would be great if policy makers and regulators took a leaf from Senate Bill 273, passed by the state of Ohio in the United States in November 2018.
In that Bill, provisions were made for cybersecurity which specifically strengthen the state's insurance market while helping to better protect consumers in Ohio.
Essentially, the new law does NOT create a minimum cybersecurity standard in Ohio or new cybersecurity regulations that businesses must follow, but allows businesses to determine the appropriate framework to follow based on the individualized needs of the business.
In considering the adequacy of the cybersecurity program in question, the following are taken into consideration:
a) Size and complexity of the covered entity
b) Nature and scope of the activities of the covered entity
c) Sensitivity of the information protected
d) Cost and availability of tools to improve information security and reduce vulnerabilities
e) Resources available to the covered entity
In summary, the new law:
a) 'incentivises' rather than 'pushes' businesses to adopt a defensive posture in accordance with the regulations currently practised widely by many countries in the world, and
b) creates new opportunities and levels the playing field for rating companies that provide assessments to insurers, as insurers can now offer a wider variety of coverage.
Our country must also continue to evolve and adapt in order to regulate in a way that protects the consumer while fostering creativity and innovation throughout the cybersecurity industry.