Ohio Rev. Code Ann. § 3965.02
(B) The information security program shall contain administrative, technical, and physical safeguards for the protection of nonpublic information and the licensee's information system and shall be designed to do all of the following:
(C) The licensee shall do all of the following:
(4) Assess the sufficiency of policies, procedures, information systems, and other safeguards in place to manage the threats described in division (C)(2) of this section, including consideration of such threats in each relevant area of the licensee's operations, including all of the following:
(D) Based on its risk assessment, the licensee shall do all of the following:
(2) Determine which of the following security measures are appropriate and implement such security measures:
(E) If the licensee has a board of directors, the board or an appropriate committee of the board shall, at a minimum, do all of the following:
(2) Require the licensee's executive management or its delegates to report in writing at least annually, all of the following information:
(F)
(G) The licensee shall monitor, evaluate, and adjust, as appropriate, the information security program consistent with all of the following:
(H)
(2) The incident response plan described in division (H) (1) of this section shall address all of the following areas:
(I)