By using this website, you agree to the storing of cookies on your device to enhance site navigation, analyze site usage, and assist in our marketing efforts. View our Privacy Policy for more information.
Back to blogs

By: Cyber Pop-up

August 22, 2023

The South Carolina Insurance Data Security Act

You’re a small insurance agency licensed in South Carolina, focused on providing your clients with the best possible service. Suddenly, you're hit with a new regulation demanding that you become a cybersecurity expert overnight.Don't worry, you're not alone in this daunting task.Cyber Pop- up is here to help! With cyber threats lurking around every corner, it's time to grab your shield and join the fight for online security. Let's explore the < a href = ""https://www.scstatehouse.gov/code/t38c099.php"" id="""">South Carolina Insurance Data Security Act (SCIDSA) and learn how to protect your business from cyber-attacks, one byte at a time!

An Introduction to SCIDSA

So what exactly is the South Carolina Insurance Data Security Act? The SCIDSA is a state law that was enacted in 2018 and became effective on January 1, 2019. The law applies to all licensed insurance entities in South Carolina, including insurers, agents, brokers, and other entities that are authorized to operate under the state’s insurance laws. No matter the size of your business, if you are an insurance entity licensed in the state of South Carolina, then SCIDSA applies to you.

According to the regulation, insurance entities must create, execute, and sustain a comprehensive written information security program, which should be grounded on their risk assessment. This program must comprise administrative, technical, and physical measures intended to shield nonpublic information (NPI) against any unauthorized access, destruction, modification, use, or disclosure. In other words, you need to complete a risk assessment, and then craft a cybersecurity program that addresses the results of the risk assessment.

The law also requires insurance entities to report certain cybersecurity events to the state’s Department of Insurance within 72 hours of discovery. These events include any act or attempted act that results in unauthorized access to, disruption of, or misuse of an insurance entity’s NPI or information systems.

Additionally, SCIDSA requires insurance entities to ensure that their third-party service providers have appropriate safeguards in place to protect NPI. This includes conducting due diligence when selecting third-party service providers and including specific provisions in contracts with those providers.

Finally, SCIDSA authorizes the state’s Department of Insurance (DOI) to examine and investigate insurance entities’ cybersecurity programs and to take enforcement action if necessary. Enforcement actions may include fines, penalties, and license revocation. Don’t let this scare you! You can avoid punitive measures by dedicating time to secure your business.

In summary, the South Carolina Insurance Data Security Act requires insurance entities to implement comprehensive information security programs that are based on risk assessments, report certain cybersecurity events to the state, ensure that third-party service providers have appropriate safeguards in place, and comply with state examinations and investigations.

Deadline for meeting requirements

The law became effective on January 1, 2019, and all insurance entities subject to the law were required to be in compliance by July 1, 2020. There is also a requirement for annual reporting, which will be explained later in this article. If you are just finding out about SCIDSA, the time to get secure is now.

It is worth noting that following SCIDSA is an ongoing process that mandates annual reporting, and insurance entities should continue to review and update their information security programs to ensure that they remain effective in light of evolving threats and risks. Insurance entities should also regularly assess and test the effectiveness of their information security programs, and review and update their incident response plans as necessary. SCIDSA is like a never-ending game of whack-a-mole! It may seem overwhelming, but it’s all for the noble cause of protecting customer NPI.

Administration and audits

As mentioned earlier, SCIDSA is enforced by the state’s Department of Insurance, and the DOI has the authority to examine and investigate insurance entities’ compliance with the law. The DOI may conduct examinations and investigations on its own initiative, or in response to complaints or other information indicating that an insurance entity may be in violation of the law.

During an examination or investigation, the DOI may review an insurance entity’s written information security program, policies and procedures, risk assessments, incident response plans, and other relevant documents. The DOI may also interview employees, review training records, and conduct vulnerability assessments and penetration testing.

If the DOI finds that an insurance entity is not in compliance with SCIDSA, it may take enforcement action. Enforcement action may include fines, penalties, and license revocation. The DOI may also require an insurance entity to take corrective action to address any deficiencies identified during an examination or investigation.

Overall, following SCIDSA requires ongoing attention and effort to ensure that your information security program is effective and up-to-date and that you are prepared to respond to cyber incidents in a timely and effective manner. 

Exemptions

As we outlined earlier, SCIDSA applies to all licensed insurance entities in the state of South Carolina. However, there are a few exemptions from the law’s requirements.

First, SCIDSA exempts certain types of entities from its requirements, including entities that are subject to the Health Insurance Portability and Accountability Act (HIPAA) or the Gramm-Leach-Bliley Act (GLBA). These entities are already required to implement information security programs that meet the requirements of those federal laws. You may not need to worry about SCIDSA, but you still need to be cyber-secure under other legislation.

Second, SCIDSA exempts entities that are regulated by the National Association of Insurance Commissioners (NAIC) Insurance Data Security Model Law, as long as they are in compliance with that law.

Finally, SCIDSA provides a limited exemption for certain small insurance entities. Insurance entities that have fewer than 10 employees and less than $5 million in annual gross revenue from insurance activities are exempt from the requirement to develop a comprehensive written information security program. However, these entities are still required to have reasonable safeguards in place to protect nonpublic information, and they must follow the law’s reporting requirements and other provisions. If you meet these criteria, you aren’t off the hook entirely.

It is worth noting that while you may be exempt from some of SCIDSA’s requirements, you may still be subject to other laws and regulations related to information security and privacy, and you should take steps to ensure that you are following all applicable laws and regulations. While they may give you a headache, these regulations are vital as they exist to maintain the safety and protection of NPI.

Requirements for small businesses to be compliant

So, let's talk specifics. What exactly must you do to meet the requirements of SCIDSA?

To be compliant with SCIDSA, you should:

  1. Identify and assess the risks to the confidentiality, integrity, and availability of nonpublic information in your possession or control, including information that is received from or about customers, employees, and other individuals.
  2. Implement reasonable safeguards to protect nonpublic information from unauthorized access, use, or disclosure. Examples of reasonable safeguards include physical controls (e.g., locks, security cameras), technical controls (e.g., firewalls, anti-virus software), and administrative controls (e.g., policies and procedures, employee training).
  3. Monitor and test the effectiveness of your safeguards, and update them as necessary to address changes in the risk environment or the business environment.
  4. Develop and implement an incident response plan to address cyber incidents that may affect the confidentiality, integrity, or availability of nonpublic information.
  5. Comply with the law’s reporting requirements, which include notifying the DOI of a cybersecurity event within 72 hours of discovering the event.

To sum it up, you should take a risk-based approach to cybersecurity, focusing on the most significant risks to your business and the nonpublic information you handle. You should implement reasonable safeguards to protect nonpublic information, and be prepared to respond to cyber incidents in a timely and effective manner.

Annual reporting

The act requires annual reporting by insurance entities subject to the law. Specifically, each insurance entity must submit an annual written statement to the Director of the Department of Insurance certifying that the entity is in compliance with SCIDSA.

The annual statement must include the following information:

  1. A description of any material changes to the insurance entity’s information security program during the preceding year.
  2. A statement that the insurance entity has conducted a risk assessment of its information systems and the nonpublic information stored on those systems.
  3. A statement that the insurance entity has implemented reasonable safeguards to protect nonpublic information from unauthorized access, use, or disclosure.
  4. A summary of any cybersecurity events that occurred during the preceding year, including the number of events and a description of the nature of each event.
  5. A statement that the insurance entity has developed and implemented an incident response plan to address cyber incidents that may affect the confidentiality, integrity, or availability of nonpublic information.
  6. A statement that the insurance entity has complied with the law’s reporting requirements, including notifying the Department of Insurance of a cybersecurity event within 72 hours of discovering the event.

The annual statement must be signed by an officer of the insurance entity, and it must be submitted to the Department of Insurance by February 15 of each year.

Conclusion

Phew! There is a lot to know about the requirements, deadlines, exemptions, and reporting required by SCIDSA, but being aware of the path to security is just the first step. 

If you still feel a bit overwhelmed, no problem! Cyber Pop-up is an affordable solution for small businesses in need of cybersecurity expertise. At Cyber Pop-up, we offer on-demand cyber experts who will guide you through NIST-aligned projects that are easy to manage and bring your security program up to code. With our help, you can reduce the strain of securing your operations while accessing the cybersecurity expertise you need. Get started at www.cyberpopup.com!