South Carolina’s New Cybersecurity Law Covers the Insurance Industry


Carolina Insurance Data Security Act on May 14, 2018. The law is comparable to the Insurance Data Security Model law which the National Association of Insurance Commissioners (NAIC) created in 2017. South Carolina is the first state to enjoy a cybersecurity law which addresses the needs of the insurance market.

The South Carolina Data Security Act is going to be enforced beginning January 1, 2019. All entities licensed by the South Carolina Department of Insurance need to adhere to the Act. All insurance companies, agents and licensed agencies should have an all-inclusive written information security plan in 6 months from the date of compliance. In making a cybersecurity plan, the size and complex nature of the company, the type and extent of its activities as well as the sensitivity of private information employed or kept by the organization should be taken into account.

The cybersecurity plan must go through a detailed risk analysis to spot and offset all problems. Although there is no particular security that the Act mandates to be executed, the most important thing is to employ administrative, physical and technical controls suitable to the risk level ensuring the privacy and protection of data.

The cybersecurity plan must

  • Prevent unauthorized access
  • Keep the security and privacy of non-public data
  • Safeguard the integrity of data versus risks or hazards
  • Establish a system for eliminating data when not needed anymore
  • Specify a schedule for data retention
  • Have a chosen person, third party or affiliate in charge of the security plan

The cybersecurity plan should have various types of control such as: access controls; authentication controls which use multi-factor authentication to inhibit unauthorized access to private information; physical controls which stop unauthorized access; and encryption or a substitute which is of equal measure to protect mobile electronic devices or to protect data transmission through an external network.

Licensees should detect and manage devices linking to a network. There needs to be secure development procedures followed for in-house applications. Routinely test and keep track of systems to prevent attacks, preserve audit trails retain measures that prevent the losing private info. Licensees should stay updated to know surfacing risks and vulnerabilities.

The security plan should assign the board of directors as overseer. Executive management should submit reports about the program status which include risk evaluation, test results, third party vendor agreements and yearly cybersecurity activities.

A written cybersecurity response strategy is mandated by the Act in order to respond immediately to a cybersecurity incident. The Act defined a cybersecurity event as an event causing unauthorized access to or interruption or wrong use of the information system or the data kept in an information system. The Department of Insurance Director ought to know about the cybersecurity incident in 72 hours of it taking place if the licensee comes from South Carolina and the event effects over 250 persons in South Carolina.