On May 3, 2018, South Carolina Governor McMaster signed into law the South Carolina Department of Insurance Data Security Act. The Act intends to protect personal information managed by insurance agencies, brokers, and carriers in South Carolina from cybersecurity threats. South Carolina is the first state to implement a comprehensive cybersecurity law covering the insurance industry following 2017’s NAIC Insurance Data Security Model Law.
The Insurance Data Security Act goes into effect on January 1, 2019, and requires all insurers, agents, and other licensed entities to develop a comprehensive written information security program within six months of the compliance date, July 1, 2019. The law implements rules for South Carolina insurance agencies, brokers, and carriers on how they manage and secure personal information. This law also applies to ANY insurance-related company writing business in South Carolina, even if they are no not physically located in South Carolina. Georgia and North Carolina businesses should take special notice.
The Act is highly detailed and requires for insurance-related entities to prepare for any cybersecurity threats in the future. Just a few examples of the requirements stated in the Insurance Data Security Act include:
- Maintain an information security program based on ongoing risk assessment;
- Perform risk assessment based on threats combined with likelihood and magnitude of harm;
- Implement an information security program to mitigate risks identified;
- Develop, implement and maintain a secure information security program;
- Investigate any cybersecurity activities and notify the Department of Insurance of those activities within 72 hours;
- Conduct annual testing of effectiveness and safeguards and report findings annually;
- Develop a written Incident Response Plan; and
- Provide adequate staff training and awareness on cybersecurity and how to mitigate risks.
Corsica Technologies recommends that all South Carolina insurers, agents, and other licensed entities impacted by the Insurance Data Security Act begin reviewing their existing information security programs to see how it aligns with the new law. If your organization does not have an information security program, now is the perfect time to develop one. Aside from complying with the new law, implementing best practices now will protect an organization from the increasing threat of cybercrime.
Corsica Technologies has analyzed the South Carolina Department of Insurance’s Insurance Data Security Act with our certified, and qualified professionals who are prepared to assist in any way necessary. We provide the components to help you manage and build the required security program or simply audit the program you currently have in place and provide next steps to complete the state requirements in-house.