My focus over my last few blogs has been the South Carolina Insurance Data Security Act (IDSA) and its impact on insurance agencies in SC. In this blog I want to talk about the next phase and offer some tips to help you prepare as a business owner. Section 38-99-20 of the SC IDSA will require companies to have an information security plan in place by July of this year. For those of you who haven’t heard of a security plan or aren’t sure how to get started, check out these 5 elements of a good IDSA information security plan.
As defined by the SC IDSA, an information security plan is “the administrative, technical, and physical safeguards that a licensee uses to access, collect, distribute, process, protect, store, use, transmit, dispose of, or otherwise handle nonpublic information.” In other words, your plan should cover how your company protects nonpublic information.
Here are 5 major things that a security plan entails.
Your plan should be a reflection of your company’s size and complexity. For instance, the scope of an information security plan for a company with 1,000 employees may include a full-time security team, while a company with a staff of 20 may instead outsource IT security. Typically, the more complex a plan is, the higher its cost to the business.
Data Retention Guidelines
IDSA is meant to protect sensitive data from unauthorized eyes. Knowing where all of your information is stored and establishing rules for the retention of nonpublic information will limit the risk of unintended information leakage. Additionally, be sure to destroy any documents or data that are no longer required.
Designate a qualified person to oversee the security plan.
Determining who should be responsible for the security plan is multi-faceted. The person must be familiar with IDSA, have a background in information security, and be prepared to take on the burden of being responsible should something happen. This person can be an employee, an affiliate, or an outside vendor (like Tandem). The important thing to remember is that the person must be qualified. People like Joe the janitor are not qualified to protect your business, and neither is Sally the receptionist. In fact, IDSA has encouraged executives to truly care about who is protecting the organization. According to IDSA, the Board of Directors is “directly accountable for the oversight of the cybersecurity program and all its activities and results.” If it were me, I would choose this person wisely.
Risk Assessment and Incident Response Plan
The time when your company is forming its information security plan is also a great time to have a cybersecurity risk assessment done. This lays the foundation for understanding the security risks to your company’s operations, functions, reputation, and assets, ultimately enabling you to better identify and prioritize those risks.
I would also suggest developing an incident response plan. Like the security plan, it needs to be realistic and tailored to your business. The rule of thumb is that it’s not a question of if but when an incident will occur, and having these policies and procedures in place will make that stressful event easier to manage. Also, use these documents to set expectations and have these conversations ahead of time, because you and your employees can’t be expected to follow a protocol if there isn’t one.
Board of Directors Notification Plan
Your plan should also lay out the steps you will use to keep your board of directors updated on the overall status of the information security plan. These people are responsible for the digital well-being of the company, so ensuring they stay in the loop is only fair.
While this may seem like a daunting task to accomplish in just a few months, it will ultimately set your company up to be better protected against cyber-attacks and help keep your nonpublic information safe from risks, threats, and unauthorized access. Keep in mind, the average cost of a cyber-attack is over $1 million when you factor in lost revenue, fines, and investigation costs. Having a good security plan not only stops attacks but can add up to millions in cost savings. If you’re still unsure of where to begin, reach out to us for help setting up the plan, doing risk assessments, and training your employees.
For more information…
For more information on the South Carolina Insurance Data Security Act, stay tuned to our blogs and keep an eye on the official Department of Insurance website for updates. Reach out to us with specific questions on how this new act may affect your business.
VP of Operations + CO-Founder
Keith Small is a retired professional law enforcement officer. Having sharpened an inquisitive mindset over almost three decades in criminal investigations and police work, he is now focused on applying his craft to protecting businesses from cyber criminals. Focusing on analysis and forensics, he relentlessly pursues knowledge in current tactics and cyber-criminal behaviors.