On May 14, 2018, South Carolina Governor Henry McMaster the South Carolina Insurance Data Security Act was enacted into law. The Act closely adheres to the Insurance Data Security Model law drafted by the National Association of Insurance Commissioners (NAIC) in 2017. South Carolina is the first state to put in place a comprehensive cybersecurity law covering the insurance sector.
From January 1, 2019, when the South Carolina Insurance Data Security Act is enforceable, all licensees of the South Carolina Department of Insurance will be required to adhere with the Act.
The Act requires all insurers, agents, and other licensed groups to develop a thoroughly written information security program within six months of the compliance date. The cybersecurity program should reflect with the size and complexity of the company, the nature and scope of its activities, and the sensitivity of nonpublic information used/held by the company.
The cybersecurity program should be guided by a thorough risk analysis and should mitigate all risks discovered by that risk analysis. The Act does not specify the security measures that should be implemented to ensure the confidentiality and security of data, but the safeguards must reflect the level of risk and should include administrative, technical, and physical controls.
The cybersecurity program must enhance the security and confidentiality of nonpublic information, protect against threats or hazards to the security or integrity of data, safeguard against unauthorized access, and define a schedule for the retention of data and a mechanism for its secure destruction when data are no longer necessary. Licensees must designate a person, third party, or affiliate who is responsible for the information security program.
The range of controls that must be implemented include: Access controls, authentication controls, physical controls to stop access to nonpublic information, encryption (or an alternative, equivalent measure) to safeguard data stored on portable electronic devices and for data sent using an external network. Licensees must also identify and manage devices that link to the network
Licensees must implement secure development practices for in-house applications, use multi-factor authentication to stop unauthorized accessing of nonpublic information, regularly test and monitor systems for actual and possible attacks, maintain audit trails, and implement measures to stop the unauthorized destruction or loss of nonpublic information. Licensees are also required to keep current on emerging threats and flaws.
The Act also obligates boards of directors to oversee the security program, with executive management filing reports on the status of the program and material matters such as risk assessments, third-part service provider arrangements, test results, and cybersecurity events at least on a yearly basis.
The Act requires an official cybersecurity response plan to be developed to ensure a quick response is possible in the event of a cybersecurity incident. A cybersecurity event is classified as “an event resulting in unauthorized access to or disruption or misuse of an information system or information stored on an information system.”
There are also requirements for reviewing cybersecurity incidents swiftly. The Director of the Department of Insurance must be notified about cybersecurity incidents within 72 hours of discovery if the licensee is located in South Carolina or the incident affects more than 250 South Carolina residents.