On January 1, 2019, parts of the South Carolina Insurance Data Security Act (SCIDSA) became effective. Over the next 17 months, other key parts of the SCIDSA will be phased in until the act is fully in effect on July 1, 2020.
Let’s review who the SCIDSA applies to, what requirements are active now, and when the other requirements will be phased in.
Today, the South Carolina Department of Insurance released Bulletin 2018-09, Cybersecurity Event Reporting Form. Why should you read it? This bulletin focuses on how the Department of Insurance defines a reportable cybersecurity event and on the notification procedures. The three main takeaways from the bulletin are:
Follow this link to view the latest bulletin from the DOI. For your convenience we have attached both the bulletin and the updated event report form below. You may also want to review previous blogs about the IDSA and learn how you too can sign up for IDSA update notices from the DOI.
If you have any questions on SC Insurance Data Security Act compliance, call Tandem Cyber Solutions today!
Co-Founder + Forensic Expert
My trip to Columbia, SC was a great opportunity to sit down with others in the insurance sector and get some clarification from the Department of Insurance (DOI) about the Insurance Data Security Act (IDSA). Melissa Manning and Kendall Buchanan, DOI Representatives, provided answers to questions submitted by insurance professionals and gave attendees tips on how to stay informed of the latest information. Below are important details shared with attendees during this meeting.
Inclusion & Exclusion
The Insurance Data Security Act (IDSA) specifies those in the insurance sector who fall into the classifications of “Licensed Excess”, “Surplus Line Carrier”, and “Captive Agents”. More specifically, inclusion starts at ten or more employees for the insurance entity and can be avoided if any of the above parties are fully covered under a parent company’s Information Security Plan (ISP).
For those agencies that are covered by HIPAA, IDSA compliance is inherent because the Health Act is more stringent. The Department of Insurance is drafting a to certify organizational exclusion from the Insurance Data Security Act.
Access & Encryption
Security fundamentals dictate that organizations should take a “least privilege” approach to user access, and the IDSA has not strayed far from that approach. In fact, under the guidelines of the Insurance Data Security Act, companies should restrict access to Non-public Information to those employees or third-party entities who have a legitimate need to access it.
Encryption is unfortunately a topic where the IDSA diverges from common information security practices. The security act does not require that companies encrypt any of their data or information. However, a company should still implement encryption, because having data locked away could save the organization millions in fines and costs from a breach. Encryption protects the data, and theft of encrypted data is not considered a reportable event by the Department of Insurance unless the key is also stolen.
Third-party Service Providers
If third-party service providers have access to non-public information, insurance companies will need to continually assess their relationship with the service provider. As a reminder, non-public information is defined in broad terms as sensitive business-related information of the licensee or the private information of the client. I encourage any entity covered by this act to truly understand non-public information as defined by the DOI, because those who have access to it must meet the requirements of this act. Furthermore, this forces insurance companies or licensees to take responsibility for ensuring third-party service providers are compliant.
Still unclear at this time are the ramifications when a third-party service provider fails to cooperate with the insurance licensee to develop a comprehensive information security plan. Does an insurance licensee have to find a new provider or move the services back within their control? Hopefully, as this act matures like HIPAA, these questions will be answered.
Insurance companies must conduct an annual risk assessment, which is akin to a standard information security assessment. While this act does not specifically lay out the steps required to be completed during the risk assessment, it does define tangible steps or activities needed based on the results.
Additionally, the thoroughness of the risk assessment depends upon the complexity of the entity’s operational and information systems, but it should include all facets of the business operations and information security. Each licensee will have to evaluate the scope of their operation and make sure the security measures are commensurate.
Licensees may conduct the risk assessment in house if they have the expertise, such as a qualified cybersecurity professional. However, if the assessment is handed off to a third-party service provider, the provider must meet the requirements of this act if they have access to the non-public information. Either way, the Information Security Plan (ISP) will be based on the outcome of the assessment. Currently a format for the assessment report is defined, and the reports must be kept by the licensee for five years.
Cyber Security Event
A cybersecurity event as defined by the IDSA includes the compromise of unencrypted non-public information. The Department of Insurance expects notification even when law enforcement may restrict notification of the public. To aid in reporting, the Department of Insurance is developing an online reporting system for cybersecurity events, which is expected to be completed by September 18, 2018.
More IDSA Info
Signing up for Notifications
The Department of Insurance encourages licensees and third-party service providers to sign up for bulletins and press releases on their website at www.doi.sc.gov. Once on the website, click the button for “Notification Subscriptions”.
The Department of Insurance hopes to have a live webinar/seminar on this topic on September 10, 2018. Updated information on this event will be pushed out through their notification system.
On July 26, 2018, I attended the seminar about the South Carolina Insurance Data Security Act (IDSA) in Columbia, SC at the Capital Center Conference Room. The event was hosted by the South Carolina Insurance Association and the National Association of Mutual Insurance Companies (NAMIC).
Russ Dubisky, executive director of the SC Insurance Association, welcomed everyone and then made a few opening remarks about the seminar. Dubisky introduced the Director of the SC Department of Insurance (DOI), Raymond G. Farmer.
Director Farmer gave a legislative overview of the process that it took to get the IDSA passed as a law. Director Farmer explained that the DOI would be having a webinar in September to better inform the insurance community about the IDSA. Director Farmer advised that he also had representatives from DOI present to answer questions firsthand for the attendees at the end of the seminar.
Alex Hageli, Director of Policy, Research, International for the Property Casualty Insurers Association of America (PCI), spoke briefly about how the South Carolina law would impact data security standards nationally. Hageli explained some of the differences between the New York Data Security Act and the Insurance Data Security Act. Lobbying efforts attempted to get the South Carolina legislature to adopt more of the language included in the New York Data Security Act but failed in the end.
The New York Data Security Act, also known as the SHIELD Act, does not solely focus on the insurance industry but applies to data security for all businesses handling sensitive customer information. In meetings with members of the South Carolina legislature, it became clear that they would not follow the concise language of the New York act.
The Director of Compliance for NAMIC, Geoff Baker, was the next speaker. Baker focused on the language and intent of the Insurance Data Security Act (IDSA). It was clear from Baker’s presentation that numerous areas of the IDSA will require clarification and guidance from the DOI.
Baker stated that compliance with the Insurance Data Security Act (IDSA) will be a continual process for insurance companies to maintain. Insurance companies with 10 or more employees in the State of South Carolina are not exempt. Independent producers and contractors with 10 or more employees must also comply with the requirements of the IDSA.
NPI Definition and Concerns
Under the Insurance Data Security Act (IDSA), the definition of non-public information (NPI) has a broader meaning than what you would generally think of with personal, financial or HIPAA information. NPI additionally includes any business information that, if it were disclosed or tampered with, “would cause a material adverse impact to the business, operations, or security” of the company.
Why is this definition important? Because if NPI is breached, then it is a reportable cybersecurity event that would require notification to the DOI. Should a breach only obtain encrypted data without the encryption key to access the NPI, this would not be considered a reportable cybersecurity event. Additionally, if the only data taken is non-NPI, then the security event would not need to be reported.
For foreign insurers, the notification requirement is triggered if the reportable cybersecurity event affects the NPI of more than 250 consumers in South Carolina and the event requires the insurer to notify another governmental/regulatory agency (other than SC). Alternatively, notification is required if there is a reasonable likelihood of material harm to a SC consumer or to the insurer’s operations, with more than 250 SC consumers affected.
Third-Party Service Providers
There was a lot of discussion about third-party service providers (TPSP) and how to ensure that they are compliant with the requirements of the Insurance Data Security Act (IDSA). The IDSA states only that the licensee must use due diligence to confirm compliance. Can the TPSP just sign a contractual guarantee of their compliance with the IDSA, or does the licensee have to do more? Will licensees have to audit TPSPs or terminate contracts or appointments with agencies that are non-compliant? This is an area where the Department of Insurance (DOI) will need to provide further guidance.
Information Security Program
The Insurance Data Security Act (IDSA) clearly requires a written Information Security Program (ISP). You can find specific guidance on drafting the ISP by reviewing the language in the IDSA statute 38-99-20 (D) (2). Your ISP should be driven by the information uncovered during the risk assessment, not done independently. Other issues, such as who drafts the ISP or approves the final draft, are a little less apparent in the language of the IDSA.
During a Risk Assessment, you should be reviewing network infrastructure cybersecurity monitoring and controls, current cybersecurity policies and procedures, non-public information (NPI) governance and retention schedules, software development practices, existing cybersecurity training, NPI access methodologies, use of NPI, and the utilization of TPSPs. The Risk Assessment will be an important step in the process and should involve a team approach, utilizing insight from the CISO, compliance lead, department heads, key user representatives, and cybersecurity experts.
Additionally, licensees need to have a written incident response plan defining how to handle cyber-attacks on NPI or the licensee’s information system. This response plan should also include guidance for business operations during disaster recovery.
The Insurance Data Security Act (IDSA) requires oversight by the board of directors (or a committee) of the process to develop, implement, and maintain the ISP. An annual written report must be sent to the board describing the results of the Risk Assessment, risk management, TPSPs, testing results, cybersecurity events and responses, and recommendations for changes.
Where You Can Find More Information
As you can see, the seminar covered a lot of important information, and the hosting associations have been working hard to find answers for their members. Geoff Baker from NAMIC was kind enough to send me his slide presentation so that others could review the information in its entirety.
I will cover some of the questions answered by DOI representatives in another blog along with steps to sign up for information on their site. I encourage you to sign up on the DOI’s website to be forwarded bulletins and information about the IDSA. The DOI will be pushing out further guidance and hosting webinars on this topic soon.
Please pass this information along to other people you know in the insurance business. There are still smaller agencies who are unaware of the requirements of this law. Also tap into the resources provided by the NAMIC and the South Carolina Insurance Association. I have provided the links for you.
Co-Founder + Forensic Expert
As the rollout of the South Carolina Insurance Data Security Act (“SCIDSA”) begins to unfold, insurance companies are tweaking their existing information security program or building a new program from scratch in an effort to meet the new security requirements. Information security programs are designed to be comprehensive in nature, using the concept of “defense in depth” by implementing three layers of safeguards to protect key data.
Data in Transit
For businesses, data exists in a few states known as the “three states of digital data”, one of which is “Data in Transit.” As the information moves from business to business, business to client, employee to employee and so on, the complexity of securing the data begins to grow. When these transfers of information are looked at from a business model perspective, hundreds to thousands of transactions occur on a daily basis to meet business needs. Added to this process is the burden of having detailed procedures in place to handle the data as it flows through the other two states, covering access, collection, storage, processing, use, and disposal. Policies and procedures are one of the daunting tasks required by SCIDSA, as the documents must be in line with the business model and enforced.
Questions to Answer
But wait, there is more! Complexity emerges when we dig deeper into the policy. What kind of hardware, software or technical systems will you employ to safely collect, transmit, access and store this data? How will you update, monitor, or audit this software and equipment? Will you hire an outside firm to handle any of these issues? Will you use multi-factor authentication for all users, and what type of data encryption will you select for the various types of electronic data that are handled?
Additionally, companies need to consider the physical safeguards for buildings, equipment and electronic information systems. How do you protect the information from natural and workplace hazards? How about protection from unauthorized intrusion? Is there a business continuity plan or a disaster recovery plan in place? What backup schedule is in place to ensure recovery is possible in a timely manner?
Finally, consider incident response and planning. Who will you assign to identify foreseeable internal or external threats? These resources should be able to evaluate the risk by taking into account the likelihood and potential damage of each threat in a Security Risk Assessment. As the threat landscape evolves, current policies, procedures, and technologies need to be reassessed to ensure the adequacy of the security program.
Hopefully these ideas will help motivate businesses to use their time wisely and develop a comprehensive information security program before SCIDSA is fully enforced. I also hope that you will join me at the South Carolina Insurance Association's seminar on July 26, 2018 in Columbia, SC to help answer these questions and more. Please check out my prior blog of July 6, 2018, https://www.tandemcybersolutions.com/blog/scia-educational-seminar-on-sc-insurance-data-security-act, for the complete details and links.
I will be sure to take good notes and pass along some of the valuable tips and resources in my next blog.
Co-Founder + Forensic Expert