What does it mean for my Third-party service providers?
Hopefully by now, you have completed your company’s risk assessment and used all that helpful data to update or create a comprehensive Information Security Plan. Wait a minute, what about your third-party service providers? Do they comply with the requirements of the South Carolina Insurance Data Security Act (SCIDSA)? I know what you are doing. You are procrastinating on straightening out that mess because you have over 14 months left before that part of the law becomes effective.
You are right: the deadline to have your third-party service provider (TPSP) program in place, as outlined in Section 38-99-20(F) of the SCIDSA, is July 1, 2020. If you are wondering why I am writing about this now when you have so much time left, it is because you will need all the time you have to properly vet your current TPSPs, confirm that they meet the requirements of the SCIDSA, or find someone to replace them. Now is the time to start asking specific questions and getting the answers and documentation you will need to move forward.
Let’s first look at who the SCIDSA defines as a third-party service provider. There is no need to go through this process with all your vendors, just those you are required to. A third-party service provider is a person or business entity that has access to, processes, stores or maintains your electronic data files or information systems connected to your nonpublic information (NPI). Third-party service providers are parties you entrust to provide a service for you but who are not your direct employees. From some of my earlier blogs, I hope you remember that NPI is defined as business-related information whose unauthorized disclosure would have a material adverse impact on your business, as well as the personally identifiable information of your clients and their accounts, or their health information.
Once you have identified who qualifies as a third-party service provider, you have an obligation under the SCIDSA to ensure that they have appropriate administrative, technical and physical measures in place to protect your information systems and the NPI they are entrusted with. Let’s explore the types of information you may want to acquire or consider about your third-party service providers during your due diligence process.
What is the reputation of your third-party service provider, and how willing are they to cooperate with your search for answers? You will need a third-party service provider who is willing not only to answer your questions but also to provide documentation and proof of their claims. You will need this to protect yourself should there be an incident going forward.
Do they have a written information security plan, and are they willing to provide you with a copy? This is important because you will need to evaluate it from the perspective of whether it meets the requirements of the SCIDSA and known best practices for cybersecurity. Should they not have an information security plan, or not have an adequate one, are they willing to develop one in time to meet your deadline and your specific needs? If not, then this responsibility falls on you to carry out and monitor, to ensure that they are meeting the standard.
Will your third-party service provider agree to an independent security assessment exploring the potential risk to your information systems and NPI data that arises from your business association with them? You will need to understand this risk in order to properly complete your information security plan and mitigate the risk.
Do you have a written third-party service provider agreement with your TPSP that defines the terms of your relationship and guarantees such things as your ability to provide oversight and conduct audits? Does your agreement mandate that they must meet the standards of the SCIDSA and report all violations to you? These are just a few of the topics that need to be established in this agreement.
My intention with this blog was not to cover all the questions to ask your third-party service provider but to get you to realize two important facts. First, 14 months is not that long for the task you have at hand, and second, you should start asking the hard questions now and gathering the data you need to prove your due diligence in selecting your third-party service provider and to fulfill your SCIDSA compliance mandate.