Tandem Cyber Solutions

Blog

Update - Complying With the South Carolina Insurance Data Security Act

2/20/2019


 

Update
On January 1, 2019, parts of the South Carolina Insurance Data Security Act (SCIDSA) became effective. Over the next 17 months, other key parts of the SCIDSA will be phased in until the act is fully in effect on July 1, 2020.
Let’s review who the SCIDSA applies to, which requirements are active now, and when the other requirements will be phased in.


IDSA - Bulletin 2018-09

9/6/2018


 
Today, the South Carolina Department of Insurance released Bulletin 2018-09, Cybersecurity Event Reporting Form. Why should you read it? This bulletin focuses on how the Department of Insurance defines a reportable cybersecurity event and on the notification procedures. The three main takeaways from the bulletin are:
  1. Encrypting data can prevent an Insurance licensee from declaring a cybersecurity event.
  2. Loss of paper documents does not constitute a cybersecurity event.
  3. Licensees have 72 hours to notify DOI of a cyber security event, unless they are considered a “non-domicile entity”.
If you are a South Carolina licensee who falls under the provisions of the Insurance Data Security Act, Tandem Cyber Solutions can help you with the required security assessments and develop a comprehensive Information Security strategy to meet regulatory obligations and protect your clients’ data.

Follow this link to view the latest bulletin from the DOI. For your convenience we have attached both the bulletin and the updated event report form below. You may also want to review previous blogs about the IDSA and how you too can sign up for IDSA update notices from the DOI.

If you have any questions on SC Insurance Data Security Act compliance, call Tandem Cyber Solutions today!

(843)309-3508

Attachments: doi_cyberevent_report_form.pdf (872 kb), doi_bulletin_2018-09.pdf (344 kb)

IDSA - Update from the Department of Insurance

8/15/2018


 
Keith Small, Co-Founder + Forensic Expert

My trip to Columbia, SC was a great opportunity to sit down with others in the insurance sector and get some clarification from the Department of Insurance (DOI) about the Insurance Data Security Act (IDSA). Melissa Manning and Kendall Buchanan, DOI Representatives, provided answers to questions submitted by insurance professionals and gave attendees tips on how to stay informed of the latest information. Below are important details shared with attendees during this meeting.

Inclusion & Exclusion

The Insurance Data Security Act (IDSA) specifies those in the insurance sector who fall into the classifications of “Licensed Excess”, “Surplus Line Carrier”, and “Captive Agents”. More specifically, inclusion starts at ten or more employees for the insurance entity and can be avoided if any of the above parties are fully covered under a parent company’s Information Security Plan (ISP).

For those agencies that are covered by HIPAA, IDSA compliance is inherent because the Health Act is more stringent. The Department of Insurance is drafting a to certify organizational exclusion from the Insurance Data Security Act.

Access & Encryption

Security fundamentals dictate that organizations should take a “least privilege” approach to user access, and the IDSA has not strayed far from that approach. In fact, under the guidelines of the Insurance Data Security Act, companies should restrict access to Non-public Information to those employees or third-party entities who have a legitimate need to access it.

Encryption is unfortunately a topic where the IDSA diverges from common information security practices. The act does not require that companies encrypt any of their data or information. However, a company should still implement encryption, because having data locked away could save the organization millions in fines and costs from a breach. Encryption protects the data, and the theft of encrypted data is not considered a reportable event by the Department of Insurance unless the key is also stolen.

Third-party Service Providers

If third-party service providers have access to non-public information, insurance companies will need to continually assess their relationship with the service provider. As a reminder on non-public information, the data is defined in broad terms as sensitive business-related information of the licensee or the private information of the client. I encourage any entity covered by this act to truly understand non-public information as defined by the DOI, because those who have access to it must meet the requirements of this act. Furthermore, this forces insurance companies or licensees to take responsibility for ensuring third-party service providers are compliant.

Still unclear at this time are the ramifications when a third-party service provider fails to cooperate with the insurance licensee to develop a comprehensive information security plan. Does an insurance licensee have to find a new provider or move the services back within their control? Hopefully, as this act matures like HIPAA, these questions will be answered.

Risk Assessments

Insurance companies must conduct an annual risk assessment, which is akin to a standard information security assessment. While this act does not specifically lay out the steps required to be completed during the risk assessment, it does define tangible steps or activities needed based on the results.

Additionally, the thoroughness of the risk assessment depends upon the complexity of the entity’s operational and information systems, but it should include all facets of the business operations and information security. Each licensee will have to evaluate the scope of their operation and make sure the security measures are commensurate.

Licensees may conduct the risk assessment in house if they have the expertise, such as a qualified cyber security professional. However, if the assessment is handed off to a third-party service provider, the provider must meet the requirements of this act if they have access to the non-public information. Either way, the Information Security Plan (ISP) will be based on the outcome of the assessment. Currently a format for the assessment report is defined, and the reports must be kept by the licensee for five years.

Cyber Security Event

A cyber security event as defined by the IDSA includes the compromise of unencrypted non-public information. The Department of Insurance expects notification even when law enforcement may restrict notification of the public. To aid in reporting, the Department of Insurance is developing an online reporting system for cybersecurity events, which is expected to be completed by September 18, 2018.

More IDSA Info

Signing up for Notifications
The Department of Insurance encourages licensees and third-party service providers to sign up for bulletins and press releases on their website at www.doi.sc.gov. Once on the website, click the button for “Notification Subscriptions”.

Upcoming Events
The Department of Insurance hopes to have a live webinar/seminar on this topic on September 10, 2018. Updated information on this event will be pushed out through their notification system.

Prior Blogs
https://www.tandemcybersolutions.com/blog/the-sc-insurance-data-security-act-seminar-takeaways
https://www.tandemcybersolutions.com/blog/a-guide-to-a-scidsa-compliant-information-security-program
https://www.tandemcybersolutions.com/blog/an-explanation-of-south-carolina-insurance-data-security-act-standards
https://www.tandemcybersolutions.com/blog/are-you-impacted-by-the-south-carolina-insurance-datasecurity-act

The SC Insurance Data Security Act Seminar Takeaways

8/2/2018


 

Opening Remarks

On July 26, 2018, I attended the seminar about the South Carolina Insurance Data Security Act (IDSA) in Columbia, SC at the Capital Center Conference Room. The event was hosted by the South Carolina Insurance Association and the National Association of Mutual Insurance Companies (NAMIC).

Russ Dubisky, executive director of the SC Insurance Association, thanked everyone for coming and then made a few opening remarks about the seminar. Dubisky introduced the Director of the SC Department of Insurance (DOI), Raymond G. Farmer.

Director Farmer gave a legislative overview of the process that it took to get the IDSA passed as a law. Director Farmer explained that the DOI would be having a webinar in September to better inform the insurance community about the IDSA. Director Farmer advised that he also had representatives from the DOI present to answer questions firsthand for the attendees at the end of the seminar.

First Speaker

Alex Hageli, Director of Policy, Research, International for the Property Casualty Insurers Association of America (PCI) spoke briefly about how the South Carolina law would impact data security standards nationally. Hageli explained some of the differences between the New York Data Security Act and the Insurance Data Security Act. Lobbying efforts attempted to get the South Carolina legislature to adopt more of the language included in the New York Data Security Act but failed in the end.

The New York Data Security Act, also known as the SHIELD Act, does not solely focus on the insurance industry but applies to data security for all businesses handling sensitive customer information. In meetings with members of the South Carolina legislature, it became clear that they would not follow the concise language of the New York act.

Second Speaker

The Director of Compliance for NAMIC, Geoff Baker, was the next speaker. Baker focused on the language and intent of the Insurance Data Security Act (IDSA). It was clear from Baker’s presentation that numerous areas of the IDSA will require clarification and guidance from the DOI.

Baker stated that compliance with the Insurance Data Security Act (IDSA) will be a continual process for insurance companies to maintain. Insurance companies with 10 or more employees in the State of South Carolina are not exempt. Independent producers and contractors with 10 or more employees must also comply with the requirements of the IDSA.

NPI Definition and Concerns

Under the Insurance Data Security Act (IDSA), the definition of non-public information (NPI) has a broader meaning than what you would generally think of with personal, financial or HIPAA information. NPI additionally includes any business information that if it were disclosed or tampered with “would cause a material adverse impact to the business, operations, or security” of the company.

Why is this definition important? Because if NPI is breached, then it is a reportable cyber security event that would require notification to the DOI. Should a breach only obtain encrypted data, without the encryption key needed to access the NPI, this would not be considered a reportable cyber security event. Additionally, if the only data taken is non-NPI, then the security event would not need to be reported.

For foreign insurers, the notification requirement is triggered if the reportable cyber security event affects the NPI of more than 250 consumers in South Carolina and the event requires the insurer to notify another governmental/regulatory agency (other than SC). Alternatively, notification is required if there is a reasonable likelihood of material harm to a SC consumer or to the insurer’s operations, with more than 250 SC consumers affected.

Third-Party Service Providers

There was a lot of discussion about third-party service providers (TPSP) and how to ensure that they are compliant with the requirements of the Insurance Data Security Act (IDSA). The IDSA states only that the licensee uses due diligence to confirm compliance. Can the TPSP just sign a contractual guarantee of their compliance with the IDSA, or does the licensee have to do more? Will licensees have to audit TPSPs or terminate contracts or appointments with agencies that are non-compliant? This is an area where the Department of Insurance (DOI) will need to provide further guidance.

Information Security Program

The Insurance Data Security Act (IDSA) clearly requires a written Information Security Program (ISP). You can find specific guidance on drafting the ISP by reviewing the language in the IDSA statute 38-99-20 (D) (2). Your ISP should be driven by the information uncovered during the risk assessment, not done independently. Other issues, such as who drafts the ISP or approves the final draft, are a little less apparent in the language of the IDSA.

During a Risk Assessment, you should be reviewing network infrastructure cyber security monitoring and controls, current cyber security policies and procedures, non-public information (NPI) governance and retention schedules, software development practices, existing cyber security training, NPI access methodologies, use of NPI, and the utilization of TPSPs. The Risk Assessment will be an important step in the process and should involve a team approach, utilizing insight from the CISO, compliance lead, department heads, key user representatives, and cyber security experts.

Additionally, licensees need to have a written incident response plan defining how to handle cyber-attacks on NPI or the licensee’s information system. This response plan should also include guidance for business operations during disaster recovery.

Oversight

The Insurance Data Security Act (IDSA) requires oversight of the process by the board of directors (or committee) to develop, implement, and maintain the ISP. An annual written report must be sent to the board defining the results of the Risk Assessment, risk management, TPSPs, testing results, cyber security events and responses, and recommendations for changes.

Where you can find more Information

As you can see, the seminar covered a lot of important information, and the hosting associations have been working hard to find answers for their members. Geoff Baker from NAMIC was kind enough to send me his slide presentation so that others could review the information in its entirety.

I will cover some of the questions answered by DOI representatives in another blog, along with steps to sign up for information on their site. I encourage you to sign up on the DOI’s website to be forwarded bulletins and information about the IDSA. The DOI will be pushing out further guidance and hosting webinars on this topic soon.

Please pass this information along to other people you know in the insurance business. There are still smaller agencies who are unaware of the requirements of this law. Also tap into the resources provided by NAMIC and the South Carolina Insurance Association. I have provided the links for you.

Attachment: isda_slide_presentation_by_namic.pdf (1122 kb)

Keith Small, Co-Founder + Forensic Expert

A Guide to a SCIDSA Compliant Information Security Program

7/21/2018


 
As the roll out of the South Carolina Insurance Data Security Act (“SCIDSA”) begins to unfold, insurance companies are tweaking their existing information security program or building a new program from scratch in an effort to meet the new security requirements. Information security programs are designed to be comprehensive in nature, using the concept of “defense in depth” by implementing three layers of safeguards to protect key data.

Data in Transit

For businesses, data exists in a few states known as the “three states of digital data”, one of which is “Data in Transit.” As the information moves from business to business, business to client, employee to employee and so on, the complexity of securing the data grows. When these transfers of information are looked at from a business model perspective, hundreds to thousands of transactions occur on a daily basis to meet business needs. Added to this process is the burden of having detailed procedures in place to handle the data as it flows through the other two states, covering access, collection, storage, processing, use, and disposal. Policies and procedures are one of the daunting tasks required by SCIDSA, as the documents must be in line with the business model and enforced.

Questions to Answer

But wait, there is more! Complexity emerges when we dig deeper into the policy. What kind of hardware, software or technical systems will you employ to safely collect, transmit, access and store this data? How will you update, monitor, or audit this software and equipment? Will you hire an outside firm to handle any of these issues? Will you use multi-factor authentication for all users, and additionally, what type of data encryption will you select for the various types of electronic data that are handled?
 
Additionally, companies need to consider the physical safeguards for buildings, equipment and electronic information systems. How do you protect the information from natural and workplace hazards? How about protection from unauthorized intrusion? Is there a business continuity plan or a disaster recovery plan in place? What backup schedule is in place to ensure recovery is possible in a timely manner?
 
Finally, consider incident response and planning. Who will you assign to identify foreseeable internal or external threats? These resources should be able to evaluate the risk by taking into account the likelihood and potential damage of each threat in a Security Risk Assessment. As the threat landscape evolves, current policies, procedures, and technologies need to be reassessed to ensure the adequacy of the security program.

Event Reminder

Hopefully these ideas will help motivate businesses to use their time wisely and develop a comprehensive information security program before SCIDSA is fully enforced. I also hope that you will join me at the South Carolina Insurance Association's seminar on July 26, 2018 in Columbia, SC to help answer these questions and more. Please check out my prior blog of July 6, 2018, https://www.tandemcybersolutions.com/blog/scia-educational-seminar-on-sc-insurance-data-security-act, for the complete details and links.
 
I will be sure to take good notes and pass along some of the valuable tips and resources in my next blog.

Keith Small, Co-Founder + Forensic Expert


Contact Us

843-309-3058
info@tandemcybersolutions.com
Tandem Cyber Solutions LLC, 6650 Rivers Ave Ste 105 #74137, North Charleston, SC 29406, (843) 309-3058