South Carolina Insurance Data Security Act
The South Carolina Insurance Data Security Act (SCIDSA) is a data security/compliance law targeting insurance industry-related businesses operating in South Carolina and those persons licensed to operate by the South Carolina Department of Insurance (DOI).
The SCIDSA was passed by the General Assembly on April 18, 2018, and signed into law by the Governor of South Carolina on May 3, 2018, to establish standards for data security in the insurance industry. This law requires proper investigations and timely notification of cybersecurity events.
The SCIDSA did not take effect all at once; it is being phased in over 17 months and broken down into several different components. We will discuss these in more detail below.
Origin of SCIDSA
SCIDSA was modeled after the Insurance Data Security Model Law created by the National Association of Insurance Commissioners in 2017, and at the time no state had such a law focusing strictly on the insurance industry.
Status of Insurance Data Security Laws Now
South Carolina was the first state to adopt such a law in the United States to protect the data of consumers housed by insurance companies and their affiliated third-party vendors. Since the adoption by South Carolina in 2018, several other states have followed suit.
Alabama, Connecticut, Delaware, Michigan, Mississippi, Ohio, and New Hampshire have passed similar insurance data security laws as well. Much of the language and content for the insurance data security law in each state is the same, but there are minor differences on specific definitions and reporting times. Nevada now has a similar bill pending approval.
Whom SCIDSA Affects
After learning about SCIDSA, I made it my mission to uncover more details about the act and its specific requirements for individuals and businesses licensed through the Department of Insurance in South Carolina.
I began a campaign to help educate others along the way.
After speaking with numerous people in the insurance industry, it became clear that small to medium-sized business (SMB) independent insurance agencies were going to be hit hardest by the newly enacted law.
Specifically, I am speaking about those who are licensed by the DOI and conduct business with 10 or more employees. The SCIDSA counts any independent contractors and full-time/part-time employees that you may utilize to operate your business.
If you reach the threshold of 10 employees, you must comply with every requirement of SCIDSA unless you meet one of the few exceptions allowed below.
The SCIDSA provides a partial exemption for those individuals or businesses that meet certain criteria.
If you are an entity that meets the requirements of the Health Insurance Portability and Accountability Act (HIPAA), New York Cyber Security Regulation, or are lucky enough to fall under the umbrella of a parent company or another information security program, you are exempt from establishing your own information security plan. You are also exempt from the other requirements listed under section 38-99-20 of the act.
If you are a smaller independent agency (fewer than 10 employees) or are otherwise exempt as listed above, we can still help you monitor your network, recognize when you are attacked, obtain a security risk assessment to enhance your cyber security efforts, get post-attack forensics, and meet the notification requirements of the act. Our experience during security audits has been that clients are normally failing to do many of the top ten security measures simply because they didn’t know them or thought their IT guy already did it.
How We Help Our Clients
As a business owner, I am fully aware of the never-ending demands we all face each day.
Speaking with other business owners and IT professionals, I have learned that there are a lot of misconceptions about IT management service packages.
Normally, IT Management vendors devote their time to keeping IT equipment functional. They make sure employees can print documents, have access to the internet and receive emails.
Matters related to security and regulatory audits are rarely included in their contracts, and thus are not handled.
Tandem Cyber Solutions (TCS) steps in to fill the gap within the area of network security and SCIDSA compliance.
Don’t get me wrong – IT personnel are amazing at keeping the business running, but security and compliance are not their job. At TCS, we focus all our efforts on a client’s security needs by examining where they are today against industry best practices and regulatory requirements. We are experts at information security for small to medium-sized businesses. Whether the task is identifying weaknesses in employee awareness (through training), cloud platform security, system vulnerabilities, network vulnerabilities, or physical security, or performing a SCIDSA compliance audit, we focus on security so the IT folks can keep the business running and your employees can continue to grow your business.
Let’s talk a little more about the assessments that TCS performs for SMBs:
The first requirement of SCIDSA is a comprehensive risk assessment of your business. We start this process by learning more about your company and its operational habits. This information is gathered through multiple assessments that probe into areas such as employee behaviors, policies, and information systems.
The first of the assessments targets employees. We start by assessing each employee’s cybersecurity awareness with practical exercises that demonstrate how they will react to real-life cybercrime situations. Using this information, we develop a tailored training plan to enhance employee security awareness and conduct ongoing awareness exercises throughout the year.
Information System Assessment
The next phase tests all the information technology platforms used by the customer. These typically include computers, cloud platforms, servers, and networked devices. We look for common misconfigurations, outdated systems, easily guessable passwords, and any configurations that don’t follow industry best practices. This allows us to guide our clients towards closing security gaps, making your business a difficult target for cyber criminals.
Risk Assessment Report
After completing the assessments above, we produce a detailed report outlining the findings. The report is broken down into categories, with an NPI (non-public information) leak risk rating score for each major section as well as customized recommendations for improving security.
The risk assessment is an integral part of the compliance process because it compares your current practices against security best practices. This knowledge ultimately helps you perfect your information security plan to fix identified security gaps and minimize risk.
Information Security Officer
For those with over 10 employees, the SCIDSA requires that you have a qualified person in charge of your information security plan. This officer will take our information and further hone their company’s information security program.
Some businesses, however, do not have an information security officer. This is typically due to size and budget constraints. For these customers, we can act as an information security officer and fulfill the duties throughout the year. We always act in the best interest of our clients, overseeing their information security program and developing appropriate policies and procedures for their business.
Information Security Program
The SCIDSA requires you to have an information security program in place that includes a strategic plan to protect your sensitive information through administrative, technical, and physical safeguards.
This means using a mix of policies and technology to protect client information. Businesses with an in-house information security officer almost always have a security program and use our findings to tune their current plan. We help those without an information security program to develop a plan that makes sense for their size.
Regardless of whether a client already has a plan, we work with their current vendors to build the most effective information security program possible to meet your business’s needs.
If our clients require recommendations, we maintain a list of vetted vendor partners that are always happy to help.
Audit Policies & Procedures
Policies and procedures are not the most glamorous part of our job, but they remain one of the most important.
We review your current written policies and procedures for such things as information security governance, risk management, business continuity, compliance management, incident response, and employee training & awareness. Those sound like complex topics but ultimately, they cover all the ways your sensitive data could fall into the wrong hands.
We can provide templated policies for smaller businesses or develop custom policies for larger clients that currently have no written policies for their business.
Vetting Third-Party Vendors
Starting July 1, 2020, insurance agencies need to be more diligent about the third parties they use.
Why wait until next year when you can begin the vetting process today?
Often, vendors provide an easy path for criminals into a business. If they lack security awareness and do not handle your sensitive data securely, they are putting you at risk.
The Department of Insurance realizes that vendors are a major risk for businesses and has made vetting third parties an integral part of the Insurance Data Security Act. Requirements include validating that vendors have safeguards in place to protect your customers and that they meet the requirements of SCIDSA.
We suggest you start now.
It will take months to complete this process properly or to figure out if your third-party service provider is willing to meet the requirements of this act.
As part of our service offering, we speak with your vendors who have access to your non-public information and evaluate whether their information security program meets the requirements of SCIDSA. Securing these third-party service provider agreements attests to their diligence in protecting your data. We will collect and maintain these documents to prove your diligence in the case of any audits.
Services That Fit Your Business
One of the main benefits that we provide SMBs is the ability to tailor services to their specific needs and only fill in the gaps where they need help. It is not an all-or-nothing plan.
We are glad to sit down with you and do a cursory audit to see where your business stands on information security and SCIDSA compliance.
If you have a great team in place and all your security and compliance needs are fulfilled, let us do an independent risk assessment and compliance audit to validate your beliefs.
Having worked in the cyber security industry and IT management related fields, we have seen the value of such audit services, which often uncover overlooked areas or identify misplaced assumptions about services being provided by staff or vendors.
Our goal is to enhance your team’s skill set by offering specialty services that educate, grow your information security process, and give you valuable feedback on your security and compliance fitness.
Your Cyber Insurance Needs
Many times, because of the comprehensiveness of our assessments, you can lower your cyber insurance premiums. This is because the level of your security has been verified by security experts.
Yes, I recommend that all our clients, and anyone else in a high-risk industry such as insurance, finance, and medical, have a cyber insurance policy. This is especially true if you are a small to medium-sized entity that cannot withstand the financial burdens caused by catastrophic cyber-attacks.
It’s not unusual for clients to ask us to review their cyber liability policies, so that they know they have the right coverage to conduct a thorough investigation after a breach, recover their ability to conduct business, bear the burden of notification costs, avoid brand tarnishing, and cover the loss of income during a network outage.
Being in the insurance industry, I know you understand policies better than I do but what I can offer you is a better understanding of the cyber security arena.
Attacks are complex but common. This can lead to gaps in coverage under your standard policy and to disastrous exclusionary clauses that limit your coverage after an attack.
Wrapping it Up
In closing, I would just like to say that we have services available to match your company’s needs when it comes to SCIDSA compliance and cyber security. We focus on building a relationship with our clients to better support them whenever they have a question or need.
To see how we can help you, call us today at (843) 309-3058 and set up a meeting for your free consultation.
Tandem Cyber Solutions employees forged their experience in cyber security protecting some of the biggest networks in the United States and can bring that level of expertise at a price point even the smallest business can afford.
VP of Operations and Co-Founder
With more than 20 years of experience as an investigator, Keith Small possesses skills and innate talents unlike any other cybersecurity consultant in the Lowcountry. Keith’s no-nonsense attitude and voracious appetite for legal knowledge make him a natural choice for any organization with HIPAA and IDSA compliance needs.
Inquisitive by nature, Keith’s deep understanding of criminal behavior also lends itself well to protecting businesses from predatory practices through in-depth security assessments, allowing him to shine a light on malicious activity that may go unnoticed.
When he’s not helping businesses with their compliance and security needs, he volunteers to mentor cyber security students during internships and to help young entrepreneurs.