top of page
  • Writer's pictureDragoon Security Group

90 Days to the SC Insurance Data Security Act

What is the SCIDSA?

The SCIDSA is a new law that changes the way licensees in South Carolina manage business and consumer data. Much of the SCIDSA builds on rules set by existing security and privacy regulations, such as the Fair and Accurate Credit Transactions Act of 2003 (FACTA), Gramm-Leach-Bliley Act (GLBA), and Health Insurance Portability and Accountability Act of 1996 (HIPAA).

The SCIDSA is based on the National Association of Insurance Commissioner’s Data Security Model Law, developed by the NAIC Cybersecurity Working Group under the supervision of South Carolina’s Department of Insurance Executive Director, Raymond Farmer. South Carolina was the first state to adopt the Model Law.

The SCIDSA was signed into law on May 3, 2018 by Governor McMaster and became effective on January 1, 2019.

Key SCIDSA requirements in the next 90 days

Under the SCIDSA, by July 1, 2019, all licensees operating in South Carolina must have the following in place:

  1. Assign a Chief Information Security Officer (CISO)

  2. Conduct a Risk Assessment based on credible internal and external threats

  3. Develop and implement a comprehensive Written Information Security Program

  4. Implement Administrative, Physical and Technical safeguards

  5. Develop an actionable Incident Response Plan

How to Prepare

  1. Appoint a CISO to take ownership and drive the vision of your security and privacy program

  2. Create an inventory of all information assets to get a granular understanding of what data you have, where it is, and who can access it

  3. Define your risk appetite and tolerance

  4. Conduct a Risk Assessment by identifying the weak points within your business, processes, and systems

  5. Calculate the impacts and likelihood of a risk occurring

  6. Determine if a risk exceeds your appetite

  7. Remove avoidable risks from your business

  8. Identify security controls and solutions to mitigate remaining risks

Questions to ask while preparing

  1. Do I have a proper security team in place?

  2. Where is all my data stored?

  3. Who has access to my data?

  4. How can I secure my IT Infrastructure?

  5. Do we have a system for reporting and proving compliance?

What should my Information Security Program look like?

A comprehensive Information Security Program should be actionable and based on the risks and capabilities within your business. While policy templates available online are a great starting point, if they are not operationalized they provide little to no impact in protecting your business. 

The danger of publishing an unactionable policy is the business is liable to meet the requirements laid out within the policy. In the event of a security incident resulting in a data breach, this could result in establishing lack of due diligence by the business to properly safeguard the data they maintain.

The Information Security Program should address:

  1. Access Control

  2. Awareness and Training

  3. Audit and Assessments

  4. Configuration Management

  5. Contingency Planning

  6. Data Protection

  7. Identity Management

  8. Incident Response

  9. Maintenance

  10. Physical and Environmental Protection

  11. Planning

  12. Personnel Security

  13. Privacy

  14. Risk Management

  15. Supply Chain and Procurement

  16. System Protection

Information Security Plan

The Information Security Plan is the backbone of the Information Security Program, containing all documentation supporting the implementation of policies and procedures. At minimum, the Information Security Plan should address:

  1. Asset Inventory

  2. Business Continuity

  3. Critical Infrastructure

  4. Data Management

  5. Disaster Recovery

  6. Enterprise Architecture

  7. Incident Response

  8. Legal and Regulatory

  9. Metrics and Reporting

  10. Privacy

  11. Risk Management Strategy

  12. Resource Management

  13. Roles and Responsibilities

  14. Supply Chain Management

  15. Vulnerability Management

In the event of a regulatory investigation or class action lawsuit, the Information Security Plan’s level of thoroughness will likely play a distinct factor in the matter’s final decision. 

Information Security Policy

The Information Security Policy establishes governance of privacy and security activities and is a living document that is continually updated to adapt with evolving business and IT requirements to preserve the confidentiality, integrity and availability of the business systems and data.

The Information Security Policy applies to all functions within the business, not just IT. The controls established within it are implemented within each business unit’s data, facilities, Line of Business applications, personnel and systems.

Information Security Procedures

Information Security procedures are detailed step-by-step instructions on how to implement, enable, or enforce each security control from your Information Security Policy. Security procedures should cover the all hardware and software components supporting business processes to ensure consistency.

What tools do I need?

There is no right answer for this and will be dictated by your Risk Management Process. A business with strong managerial control will require less investment in technical safeguards, while a business without will require more. Some security tools your business may require include:

  1. Data Backups

  2. Data Loss Prevention (DLP)

  3. Email Filtering

  4. Encryption Mechanisms

  5. Firewalls

  6. Intrustion Detection and Prevention Systems (IDS/IPS)

  7. Malware Protection

  8. Mobile Device Management (MDM) solution

  9. Multi-Factor Authentication (MFA)Physical

  10. Physical Safeguards

  11. Security Incident and Event Monitoring (SIEM) Tool

  12. Unified Threat Management (UTM) device

  13. Virtual Private Network (VPN)

  14. Vulnerability Scanner

  15. Web Filtering

View the SCIDSA as an opportunity, not an Obstacle

Finding ways to avoid the SCIDSA will only prove to be time consuming and unproductive. Instead of viewing the SCIDSA as an obstacle, take the opportunity to enhance your security and privacy posture. 

The SCIDSA gives the business units an opportunity to review their processes and identify service delaying choke points and inefficiencies which can be streamlined through new procedures or technology.

Dragoon Security Group’s consultants bring decades of experience in guiding businesses in the development of full scope security and privacy programs. Our engagement plan allows us to swiftly gain an understanding of how your business operates, identify issues, and establish requirements with minimal impact to your operations. 

To schedule an appointment to discuss your path to protect your customer’s data, contact us at 803-298-4500 or email

105 views0 comments

Recent Posts

See All

Small Town But Not Too Small To Fail

After a chaotic summer of coordinated ransomware attacks against municipal governments, resulting in disruption of critical services to citizens, some refreshing news from Rhode Island of a small town

60 Minutes on Ransomware

While I’m glad this issue is gaining national attention, this piece was very defeatist. Companies wouldn’t accept a thief walking in and taking tens of thousands of dollars from the register. Yet beca


Post: Blog2_Post
bottom of page