On May 14, 2018, South Carolina Governor Henry McMaster signed the South Carolina Insurance Data Security Act into law. The Act closely follows the Insurance Data Security Model law drafted by the National Association of Insurance Commissioners (NAIC) in 2017. South Carolina is the first state to implement a comprehensive cybersecurity law covering the insurance industry.
From January 1, 2019, when the South Carolina Insurance Data Security Act becomes effective, all licensees of the South Carolina Department of Insurance will be required to comply with the Act.
The Act requires all insurers, agents, and other licensed entities to develop a comprehensive written information security program within six months of the compliance date. The cybersecurity program should be commensurate with the size and complexity of the company, the nature and scope of its activities, and the sensitivity of nonpublic information used or stored by the company.
The cybersecurity program should be guided by a comprehensive risk analysis and should mitigate all risks identified by that risk analysis. The Act does not specify the safeguards that should be implemented to ensure the confidentiality and security of data, but the safeguards must be appropriate to the level of risk and should include administrative, technical, and physical controls.
The cybersecurity program must protect the security and confidentiality of nonpublic information, protect against threats or hazards to the security or integrity of information, protect against unauthorized access, and define a schedule for the retention of data and a mechanism for its secure destruction when data are no longer required. Licensees must designate an individual, third party, or affiliate who is responsible for the information security program.
The types of controls that must be implemented include access controls, authentication controls, physical controls to prevent access to nonpublic information, and encryption (or an alternative, equivalent measure) to secure data stored on portable electronic devices and data transmitted over an external network. Licensees must also identify and manage devices that connect to the network.
Licensees must adopt secure development practices for in-house applications, use multi-factor authentication to prevent unauthorized access to nonpublic information, regularly test and monitor systems for actual and attempted attacks, maintain audit trails, and implement measures to prevent the unauthorized destruction or loss of nonpublic information. Licensees are also required to keep up to date on emerging threats and vulnerabilities.
The Act also requires boards of directors to oversee the security program, with executive management submitting reports on the status of the program and material matters such as risk assessments, third-party service provider arrangements, test results, and cybersecurity events at least annually.
The Act requires a written cybersecurity response plan to be developed to ensure a rapid response is possible in the event of a cybersecurity incident. A cybersecurity event is defined as “an event resulting in unauthorized access to or disruption or misuse of an information system or information stored on an information system.”
There are also requirements for investigating cybersecurity incidents promptly. The Director of the Department of Insurance must be notified about cybersecurity incidents within 72 hours of discovery if the licensee is based in South Carolina or the incident impacts more than 250 South Carolina residents.