South Carolina Governor Henry McMaster signed into law the South Carolina Insurance Data Security Act on May 14, 2018. The Act is similar to the Insurance Data Security Model law that the National Association of Insurance Commissioners (NAIC) drafted in 2017. South Carolina has become the very first state to have a cybersecurity law that covers the insurance industry.
The South Carolina Data Security Act will be implemented starting January 1, 2019. All licensees of the South Carolina Department of Insurance must comply with the Act. All insurers, agents and licensed entities must have a comprehensive written information security program within six months from compliance date. In developing a cybersecurity program, the size and complexity of the company, the nature and scope of its activities and the sensitivity of non-public information used or stored by the company must be considered.
The cybersecurity program should include an initial comprehensive risk analysis to identify and mitigate all risks. Though there’s no specific safeguard that the Act requires to be implemented, what is important is to have administrative, technical and physical controls appropriate to the risk level and making sure of the confidentiality and security of data.
The cybersecurity program should
- Protect the security and confidentiality of non-public information
- Protect the integrity of information against threats or hazards
- Protect against unauthorized access
- Define a schedule for the retention of data
- Define a mechanism for destroying data when no longer needed.
- Have a designated individual, a third party or an affiliate responsible for the security program.
The cybersecurity program must implement different types of controls including access controls, authentication controls and physical controls to prevent unauthorized access. Using multi-factor authentication prevents unauthorized access to nonpublic information. Encryption or an alternative technique of equivalent measure can secure portable electronic devices or data transmission over an external network.
Licensees must be able to identify and manage devices connecting to a network. There must be secure development practices adopted for in-house applications. Regularly test and monitor systems to stop attacks, maintain audit trails and maintain measures that prevent the loss of nonpublic information. Licensees must remain up-to-date to know emerging threats and vulnerabilities.
The security program must have the board of directors as overseer. Executive management needs to submit reports on the program status including matters like risk assessment, test results, third party service provider arrangements and annual cybersecurity events.
A written cybersecurity response plan is required by the Act to be able to respond quickly to a cybersecurity incident. The Act defined a cybersecurity event as “an event resulting in unauthorized access to or disruption or misuse of an information system or information stored on an information system.” The Director of the Department of Insurance should know about the occurrence of a cybersecurity incident within 72 hours of discovery if the licensee is from South Carolina and the incident impacts more than 250 people in South Carolina.