Let’s assume you have been keeping up with the South Carolina Insurance Data Security Act (SCIDSA) and you are aware of the most recent deadline, which passed on July 1, 2019. This milestone required you to designate a qualified person or entity to run your Information Security Program, overseen by your Board of Directors. Your next question may be: what are the oversight duties of the board?
Phases of an Information Security Program
As you progressed through the phases of developing and implementing your Information Security Program, you made many key decisions, and each of them must be monitored by your Board of Directors.
As a refresher, two of the most important phases necessary in creating an Information Security Program include:
- Selecting a qualified representative to be responsible for the development of your Information Security Program. This person’s role was to move your organization from its current security posture to one with a well-developed Information Security Plan based on your current risk assessment. Your selection may have been a qualified current employee, a new hire chosen specifically for this position, or a third-party vendor you trust.
- Having the Board of Directors, your Information Security Officer, key company executives, and staff outline the specific policies and procedures needed to keep your information safe. This plan should also explain how to mitigate any vulnerabilities highlighted in your current risk assessment report.
Your Information Security Plan requires ongoing monitoring to account for changes and newly discovered vulnerabilities and to confirm that your procedures are working as intended.
Creating and implementing an Information Security Plan is wise, but keep in mind that your Board of Directors has oversight duties and responsibilities that must be met.
Section 38-99-20 states that the board must maintain its oversight responsibility during all three phases (development, implementation, and maintenance) of the Information Security Program.
The final decision on the Information Security Plan rests with the Board of Directors, not with the person or entity you selected as your Information Security Officer. Your Information Security Officer is responsible for preparing a comprehensive report for the board that gives them the information needed to make an informed decision on the Information Security Plan best suited to the size of your company and the complexity of its operations.
What Should Be Included in Your Information Security Officer’s Report?
The SCIDSA requires that a report be prepared for the board each year explaining the status of the Information Security Program and the organization’s compliance with the act.
This report must also cover the results of the risk assessment, security testing, risk management controls, third-party service provider arrangements, details of any cybersecurity events, and any violations and the responses to them for the previous year.
The report should also outline any changes or recommendations needed for the Information Security Program.
Ideally, since this is the first year of compliance under the SCIDSA, the first report would have been completed before July 1, 2019, the date by which the law required your Information Security Program to be in place.
After this year, the timing of the report may align more closely with the end of the calendar year or with the annual certification of compliance due to the Director of Insurance on February 15th. Most businesses are planning to prepare the report at the end of the year.
Make sure you give your team plenty of time to complete this report so that you do not miss the February 15th certification deadline each year.
Maintaining the Report
Maintaining all of your documentation is another requirement of the act. This includes your risk assessment documentation, Information Security Plan, annual report to the board, cybersecurity event investigations, cybersecurity event reports, cybersecurity event notifications, third-party service agreements, and so on.
The Department of Insurance does not require you to send all of this information to them annually. You do, however, have to retain it. Should the Department of Insurance open an investigation, you will need to have this information ready to produce.
Ideally, you should be prepared to retain all of these reports and documents for at least five years.
Vetting Third-Party Service Providers
The vetting of third-party service providers must be completed by July 1, 2020. While that date is still 10 months away, following the intent of the SCIDSA and exercising due diligence in vetting the required third-party vendors takes time. Gathering the needed information from outside sources is not always as easy as gathering it from within your own organization.
You will need time to confirm that your third-party vendors have an Information Security Plan that meets the SCIDSA’s requirements. If they do not, you will have to work with them to bring them up to that standard, or cover them under your own Information Security Plan.
If you would like to read more about third-party vendors, check out my previous blog titled South Carolina Insurance Data Security Act.
While the annual report is only required if your organization has a Board of Directors, it is important that you and your board members stay abreast of the successes and failures of the Information Security Program, as well as the quarterly reviews and testing associated with it.
VP of Operations + Co-Founder
Keith Small is a retired professional law enforcement officer. Having sharpened an inquisitive mindset over almost three decades in criminal investigations and police work, he is now focused on applying his craft to protecting businesses from cyber criminals. Focusing on analysis and forensics, he relentlessly pursues knowledge in current tactics and cyber-criminal behaviors.