Russ Dubisky, executive director of the SC Insurance Association, welcomed everyone and made a few opening remarks about the seminar. Dubisky then introduced Raymond G. Farmer, Director of the SC Department of Insurance (DOI).
Director Farmer gave a legislative overview of the process that led to the IDSA being passed into law. Director Farmer explained that the DOI would hold a webinar in September to better inform the insurance community about the IDSA. Director Farmer also advised that representatives from the DOI were present to answer attendees' questions firsthand at the end of the seminar.
The New York Data Security Act, also known as the SHIELD Act, does not solely focus on the insurance industry but applies to data security for all businesses handling sensitive customer information. In meetings with members of the South Carolina legislature, it became clear that they would not follow the concise language of the New York act.
Baker stated that compliance with the Insurance Data Security Act (IDSA) will be a continual process that insurance companies must maintain. Insurance companies with 10 or more employees in the State of South Carolina are not exempt. Independent producers and contractors with 10 or more employees must also comply with the requirements of the IDSA.
NPI Definition and Concerns
Why is this definition important? Because if NPI is breached, it is a reportable cyber security event that requires notification to the DOI. If a breach obtains only encrypted data, and the encryption key needed to access the NPI is not also obtained, it is not considered a reportable cyber security event. Likewise, if the only data taken is non-NPI, the security event does not need to be reported.
For foreign insurers, the notification requirement is triggered if the reportable cyber security event affects the NPI of more than 250 consumers in South Carolina and the event requires the insurer to notify another governmental or regulatory agency (other than SC). Alternatively, notification is required if there is a reasonable likelihood of material harm to an SC consumer or to the insurer's operations, with more than 250 SC consumers affected.
Third-Party Service Providers
Information Security Program
During a Risk Assessment, you should review network infrastructure cyber security monitoring and controls, current cyber security policies and procedures, non-public information (NPI) governance and retention schedules, software development practices, existing cyber security training, NPI access methodologies, use of NPI, and the utilization of third-party service providers (TPSPs). The Risk Assessment is an important step in the process and should take a team approach, drawing on insight from the CISO, compliance lead, department heads, key user representatives, and cyber security experts.
Additionally, licensees need a written incident response plan that defines how to handle cyber-attacks on NPI or on the licensee's information system. This response plan should also include guidance for business operations during disaster recovery.
Where You Can Find More Information
I will cover some of the questions answered by DOI representatives in another blog post, along with the steps to sign up for information on their site. I encourage you to sign up on the DOI's website to be forwarded bulletins and information about the IDSA. The DOI will be pushing out further guidance and hosting webinars on this topic soon.
Please pass this information along to other people you know in the insurance business. There are still smaller agencies that are unaware of the requirements of this law. Also tap into the resources provided by the NAMIC and the South Carolina Insurance Association. I have provided the links for you.
Co-Founder + Forensic Expert