90 Days to the SC Insurance Data Security Act
What is the SCIDSA?
The SCIDSA is a new law that changes the way licensees in South Carolina manage business and consumer data. Much of the SCIDSA builds on rules set by existing security and privacy regulations, such as the Fair and Accurate Credit Transactions Act of 2003 (FACTA), Gramm-Leach-Bliley Act (GLBA), and Health Insurance Portability and Accountability Act of 1996 (HIPAA).
The SCIDSA is based on the National Association of Insurance Commissioner’s Data Security Model Law, developed by the NAIC Cybersecurity Working Group under the supervision of South Carolina’s Department of Insurance Executive Director, Raymond Farmer. South Carolina was the first state to adopt the Model Law.
The SCIDSA was signed into law on May 3, 2018 by Governor McMaster and became effective on January 1, 2019.
Key SCIDSA requirements in the next 90 days
Under the SCIDSA, by July 1, 2019, all licensees operating in South Carolina must have the following in place:
Assign a Chief Information Security Officer (CISO)
Conduct a Risk Assessment based on credible internal and external threats
Develop and implement a comprehensive Written Information Security Program
Implement Administrative, Physical and Technical safeguards
Develop an actionable Incident Response Plan
How to Prepare
Appoint a CISO to take ownership and drive the vision of your security and privacy program
Create an inventory of all information assets to get a granular understanding of what data you have, where it is, and who can access it
Define your risk appetite and tolerance
Conduct a Risk Assessment by identifying the weak points within your business, processes, and systems
Calculate the impacts and likelihood of a risk occurring
Determine if a risk exceeds your appetite
Remove avoidable risks from your business
Identify security controls and solutions to mitigate remaining risks
Questions to ask while preparing
Do I have a proper security team in place?
Where is all my data stored?
Who has access to my data?
How can I secure my IT Infrastructure?
Do we have a system for reporting and proving compliance?
What should my Information Security Program look like?
A comprehensive Information Security Program should be actionable and based on the risks and capabilities within your business. While policy templates available online are a great starting point, if they are not operationalized they provide little to no impact in protecting your business.
The danger of publishing an unactionable policy is the business is liable to meet the requirements laid out within the policy. In the event of a security incident resulting in a data breach, this could result in establishing lack of due diligence by the business to properly safeguard the data they maintain.
The Information Security Program should address:
Awareness and Training
Audit and Assessments
Physical and Environmental Protection
Supply Chain and Procurement
Information Security Plan
The Information Security Plan is the backbone of the Information Security Program, containing all documentation supporting the implementation of policies and procedures. At minimum, the Information Security Plan should address:
Legal and Regulatory
Metrics and Reporting
Risk Management Strategy
Roles and Responsibilities
Supply Chain Management
In the event of a regulatory investigation or class action lawsuit, the Information Security Plan’s level of thoroughness will likely play a distinct factor in the matter’s final decision.
Information Security Policy
The Information Security Policy establishes governance of privacy and security activities and is a living document that is continually updated to adapt with evolving business and IT requirements to preserve the confidentiality, integrity and availability of the business systems and data.
The Information Security Policy applies to all functions within the business, not just IT. The controls established within it are implemented within each business unit’s data, facilities, Line of Business applications, personnel and systems.
Information Security Procedures
Information Security procedures are detailed step-by-step instructions on how to implement, enable, or enforce each security control from your Information Security Policy. Security procedures should cover the all hardware and software components supporting business processes to ensure consistency.
What tools do I need?
There is no right answer for this and will be dictated by your Risk Management Process. A business with strong managerial control will require less investment in technical safeguards, while a business without will require more. Some security tools your business may require include:
Data Loss Prevention (DLP)
Intrustion Detection and Prevention Systems (IDS/IPS)
Mobile Device Management (MDM) solution
Multi-Factor Authentication (MFA)Physical
Security Incident and Event Monitoring (SIEM) Tool
Unified Threat Management (UTM) device
Virtual Private Network (VPN)
View the SCIDSA as an opportunity, not an Obstacle
Finding ways to avoid the SCIDSA will only prove to be time consuming and unproductive. Instead of viewing the SCIDSA as an obstacle, take the opportunity to enhance your security and privacy posture.
The SCIDSA gives the business units an opportunity to review their processes and identify service delaying choke points and inefficiencies which can be streamlined through new procedures or technology.
Dragoon Security Group’s consultants bring decades of experience in guiding businesses in the development of full scope security and privacy programs. Our engagement plan allows us to swiftly gain an understanding of how your business operates, identify issues, and establish requirements with minimal impact to your operations.
To schedule an appointment to discuss your path to protect your customer’s data, contact us at 803-298-4500 or email info@DragoonSecurityGroup.com.