Let’s assume you have been keeping up with the South Carolina Insurance Data Security Act (SCIDSA) and you are aware of the last deadline that passed on July 1, 2019. This milestone mandated that you designate a qualified person or entity to run your Information Security Program, overseen by the Board of Directors. Your next question may be: what are the oversight duties of the board?
Phases of an Information Security Program
As you have progressed through the different phases of developing and implementing your Information Security Program, there were many key decisions to make. First, you had to select a qualified representative to be responsible for developing your Information Security Program, or for transitioning you from your current security posture to a well-developed Information Security Plan based on your current risk assessment. Your selection may have been a current qualified employee, a newly hired employee chosen specifically for this position, or a qualified third-party vendor to whom the role was outsourced.
Secondly, your Information Security Officer, key company executives, staff, and you as a member of the Board of Directors should have developed a comprehensive Information Security Plan outlining the specific policies and procedures needed to keep your information safe and to mitigate the vulnerabilities highlighted in your current risk assessment report. Once the written Information Security Plan is complete, it requires constant monitoring to ensure your procedures work as planned and to react to any new changes or vulnerabilities that come along.
Although you have made a wise choice in completing the above steps, the oversight responsibility of the Board of Directors does not end there. Section 38-99-20 states that the board must maintain its oversight responsibility during all three phases (development, implementation, and maintenance) of the Information Security Program. The final decision and responsibility rest with the Board of Directors, not with the person or entity you selected as your Information Security Officer. Your Information Security Officer is responsible for preparing a comprehensive overview for the board that provides the information needed to arrive at a proper decision for a company of your size and complexity of operations.
What should be included in the report
The SCIDSA states that each year a report must be prepared for the board explaining the status of the company's Information Security Program and its SCIDSA compliance. This report must also cover the results of the risk assessment, security testing, risk management controls, third-party service provider arrangements, details of any cybersecurity events, and any violations and the responses to them for the previous year. The report should also outline any changes or recommendations that are needed for the Information Security Program.
Ideally, since this is the first year of regulatory compliance dictated by the SCIDSA, the first report would have been completed before July 1, 2019, the date mandated by law for having your Information Security Program in place. After this year, the timing of the report may align more closely with the end of the year or with the annual certification of compliance to the Director of Insurance on February 15th. Most businesses are planning to prepare the reports at the end of the year. Just make sure you build in some breathing room so that you do not miss the February 15th reporting deadline each year.
Maintaining the report
Maintaining all your documentation is another requirement of the act. This includes your risk assessment documentation, Information Security Plan, annual report to the board, any cybersecurity event investigations, cybersecurity event reports, cybersecurity event notifications, third-party service agreements, and so on. You get the idea. The Department of Insurance does not require you to send all this information to them annually, but you must maintain it. Should there be an investigation by the Department of Insurance, you will have to produce it. Ideally, be prepared to store all the reports and documents for five years.
Another area of concern that I would have you focus on now is the vetting of third-party service providers, which must be completed by July 1, 2020. I know that it is 11 months away, but following the intent of the SCIDSA and using due diligence to vet the required third-party vendors will take time. Gathering the needed information from outside sources is not always as easy as gathering it from within your organization. You will also need time to ensure the third-party vendors have an Information Security Plan compatible with the SCIDSA and with your nonpublic information. If they do not, then you will have to work with them to ensure they meet this standard, cover them in your own Information Security Plan, or find a new vendor who will meet the standards of the SCIDSA. If you would like to read more about third-party vendors, check out my previous blog titled South Carolina Insurance Data Security Act.
VP of Operations and Co-Founder Keith Small is a retired professional law enforcement officer. Having sharpened an inquisitive mindset over almost three decades in criminal investigations and police work, he is now focused on applying his craft to protecting businesses from cyber criminals. Focusing on analysis and forensics, he relentlessly pursues knowledge of current tactics and cyber-criminal behaviors.