On May 3, 2018, South Carolina Governor Henry McMaster signed into law the South Carolina Insurance Data Security Act (“The Act”), which went into effect on January 1, 2019. South Carolina is the first state in the nation to pass this important and timely legislation, which is modeled after the NAIC Insurance Data Security Model Law.
The Act is set in place to establish standards for data security, standards for investigation and standards for communications to the South Carolina Department of Insurance and to the Licensee affected by a cybersecurity event. According to the South Carolina Department of Insurance, a cybersecurity event is an event resulting in unauthorized access to, disruption or misuse of, an information system or information stored within an information system. The law was put into place to protect the data that businesses are collecting and holding. Businesses affected by the Act must certify compliance with the information security program requirements. Those certifications must be issued on or before February 15, 2020.
Who is a Licensee?
A licensee is any individual or nongovernmental entity licensed, registered and authorized to operate under the state insurance laws. Examples of a licensee include: domestic insurers, health maintenance organizations, professional and surety bondsmen and runners, Third Party Administrators (TPAs), producers, brokers, adjusters and managing general agencies. The licensee must be operating with 10 employees or more. Licensees do not include purchasing groups or risk retention groups chartered and licensed in a state other than South Carolina, or a licensee that is acting as an assuming insurer that is based in another state or jurisdiction.
Major Components of The Act
The new legislation requires licensees to develop, implement and maintain a formally documented information security program based on a comprehensive risk assessment to ensure the protection of nonpublic information and the related information systems. The information security program must be appropriate for the size and complexity of the licensee’s business and the information it collects. Other major components of The Act include:
- Risk Assessment
- Establishment and monitoring of an information security program
- Risk management, training and due diligence
- Investigation of cybersecurity event(s)
- Notification of cybersecurity event(s)
- Reporting, notices and certification of compliance
How We Can Help
Implementing the statutory requirements within the Act is an additional operating cost to each insurer (licensee) operating in South Carolina. Taking a strategic design approach, by adapting the statutory requirements to your specific operational environment while attaining compliance with the Act, will minimize costs and allow for an annual submission of a written statement certifying compliance with the requirements.
A strategic design approach starts with a risk assessment to understand your environment, creation of an Information Security Program, followed by the development of Information Security Policies designed to protect your Information Systems and nonpublic information. An Incident Response Plan for cybersecurity event investigations should be established, including a Breach Notification Plan which identifies how and when to report a cybersecurity event. We will modify the process approach based on your needs.
Smith & Howard’s Enterprise Risk Security (ERS) team can help businesses obtain the required certifications requested by the state of South Carolina. Our experienced and tested subject matter experts work with businesses to create a custom approach that is suitable for each business’s internal environment and management team. Together with our clients, our ERS team puts together a project plan that is appropriate for each business. A comprehensive plan to obtain the proper internal controls and certifications can take between one and six months, depending on the business’s information security infrastructure.
Contact Martha Raber by completing the contact form below or dialing 404-874-6244 to set up an initial call or meeting.
** Source: 2017-2018 Bill 4655: SC Insurance Data Security Act | Bulletin Number 2018-02