SCIDSA has been around for a year now, enough time that agencies everywhere should have just about fully implemented it. Unfortunately, this is not the case. More often than not, we see that local agencies are nowhere near compliant. This list covers the 5 biggest mistakes we have seen at Tandem over the last year.
1. Business owners are unaware of the law
Agency owners are just not aware of the law. This is a big mistake for obvious reasons: if you don’t know the law exists or haven’t heard much about it, then chances are you are violating it. Think about it like this: if you don’t know the rules of the road, you will be pulled over for a violation by law enforcement.
Get familiar with the law. Tandem Cyber Solutions, the Department of Insurance (DoI), and the Association for Independent Insurance Agents are all putting out excellent information on the topic of SCIDSA. Start here:
Independent Insurance Agents & Brokers of SC – What we know so far
SC Department of Insurance – Cybersecurity Page
Tandem Cyber Solutions – SCIDSA Blogs
2. No Cyber Liability insurance
Doing your best to secure your business is great. In fact, you should be doing everything that is reasonable to do just that. But things happen.
Even the most well-protected organizations fall victim to cyber-attacks. We in the cybersecurity field work on the assumption that everyone has been hacked and we just don’t know it yet. This belief isn’t far off from the truth and is heavily supported by many industry statistics.
Get insurance to cover the outrageous costs of a cyber event. Costs can range from tens of thousands of dollars to hundreds of thousands, depending on the size of the organization and the severity of the event.
A good insurance plan will cover these costs: business restoration, legal fees, lost revenue, and the cost of finding your security holes and closing them up.
If the price tag of a breach isn’t enough to worry about, realize that 60% of businesses that have a cyber event go out of business within 6 months.
3. No risk assessment
For those who haven’t read the law, I don’t blame you. I know it’s not the most riveting literature out there.
I’ll save you the time. Most of the requirements are built around your risk assessment. What this means is that somebody has taken a hard look at your technology, physical security, business practices, and employees to determine which attacks are most likely to succeed and how likely they are to happen.
That said, your defensive measures and your policies should be written to limit the risk identified in those findings. Whether that means adding antivirus software or adding encryption to your business process, your assessment should help you understand what you need.
The risk assessment comes into play when a cyber event occurs. The Department of Insurance will look to see if you did everything reasonable to avoid and prepare for the event. If you don’t have a risk assessment, that is a big red flag for an auditor.
On the other hand, if you did a risk assessment and ignored the findings, that’s also a red flag.
4. No Continuous Employee Training
Another big issue we see across all industries and probably one of the most impactful to an organization’s overall security is employee training. An employee with bad security practices can circumvent the most advanced technological security measures, especially those of a small to medium-sized business.
Train your employees. They will be the ones targeted by phishing emails. They will be the ones answering the phones. Teach them about the latest techniques so they can avoid opening the malicious file that will cause a cyber event, or leaving their passwords lying on their desk where anyone can see them.
Trust me. This is the best money you will spend on cybersecurity.
If you don’t know where to start, there are many free resources, or you can ask us at Tandem Cyber Solutions about our training platform for employees. We teach employees to recognize phishing emails and how to integrate security into their everyday habits.
Here is a free resource from the FTC to get you started.
FTC – Small Business Tips
5. No documentation
I know documentation is no fun. Unfortunately, this is what will save you when the DoI is knocking on your door about a cyber event.
Document everything you do related to SCIDSA and cybersecurity. These tasks include policy updates, new security measures, training, event investigations, and assessments, to name just a few.
With a trail of documents, you can show that your organization did everything reasonable to protect your customers and, most of all, you can prove it.
Have your Security Officer manage these documents in a way that they can be easily accessed when needed. If you don’t have a Security Officer, count that as number 6 on our list and get one. P.S. Tandem can help with this too. If you choose to assign one internally, make sure they are qualified in information technology and information security and are familiar with the SCIDSA law.
If you have none of the issues highlighted in this blog, you are one of the few agencies well on your way to successful SCIDSA compliance. If, on the other hand, some of these issues are affecting your organization, reach out to your agency association for more information, read some of Tandem’s blogs, or just give us an old-fashioned call.
We can help clarify the law and do a mini audit to see where your organization stands today with SCIDSA.
Co-founder + Ethical Hacker
Micheal has over 13 years of combined experience in Information Security, Information Technology, and Physical Security. He has tackled some of the most daunting certifications in the industry, and his passion for the cyber world is unparalleled, with exposure to virtually every industry. He continues to hone his skills in Incident Response, Penetration Testing, and Consulting. Recognizing the need for change in cybersecurity, he volunteers to help entrepreneurs, veterans, and recent graduates.
Tandem Cyber Solutions