In 2018, the NAIC created the Insurance Data Security Act. The Act is codified in Title 38, Chapter 99 of the South Carolina Code of Laws. The Act's purpose is to establish standards for data security, and standards for investigating a cyber security event and notifying the Director of it, applicable to licensees of the South Carolina Department of Insurance. South Carolina is the first state to direct implementation of the procedures of the Act.
The Act pertains to any individual or non-governmental entity that is licensed, authorized to operate, or registered, or that is required to be licensed, authorized, or registered, under the state insurance laws. However, there are a few exceptions to this Act:
• Organizations that employ fewer than 10 employees
• Organizations that are covered by the information security program of another licensee
• Organizations that are subject to HIPAA that submit annual certification of compliance with HIPAA
• Organizations that certify with the New York Cyber Security Regulation annually
A few other exceptions are as follows:
• Organizations that do not have electronic information
• Organizations that do not have NPI (Non-Public Information)
• Organizations that have only NPI (Non-Public Information) of their parent or affiliates
• Risk retention groups chartered in other states
• Assuming insurers in other states
One of the main components of the Data Security Act is a Risk Assessment. It is recommended that a third-party security consultant perform it. This requirement is to be in place by July 1, 2019, and the assessment is to be performed annually by July 1st.
JSCM Group can provide the necessary testing for compliance with the Act. We specialize in Testing and Training so you can be better prepared for any threats that try to get into your environment. Please contact one of our Account Managers to talk further about how we can help.