South Carolina Insurer Data Security Law Should Be Nationwide Role Model
In October 2017, the National Association of Insurance Commissioners (NAIC) adopted the Insurance Data Security Model Bill, also known as the NAIC “Model Law.”
NAIC’s Model Law sets out a guiding framework of actionable expectations so that regulated entities can build and operate a comprehensive cybersecurity program. Among many other things, the Model Law requires 1.) planned cybersecurity testing, 2.) board-level involvement in a company’s information security program and 3.) incident response plans that include specific breach notification procedures.
South Carolina’s legislature became the first to adopt its version of the NAIC Model Law, on May 1, 2018, and in doing so set the example for reasonably similar legislation across the nation.
Now, the race is on for South Carolina companies to comply with the state’s version of the Model Law. Regulated entities based in or doing business in South Carolina have until Jan. 1, 2019, to be in full compliance with a law that expects more of them than any prior insurance regulation.
South Carolina’s law drew its inspiration from the New York Department of Financial Services (NY DFS), whose Part 500 cybersecurity regulation was the first prescriptive cybersecurity rule imposed on the financial institutions it supervises and became the template for the NAIC effort. South Carolina’s law is expected to have a similar impact on the insurance industry.
The new law places accountability for cybersecurity above even a regulated entity’s corporate executives. It holds a company’s board of directors directly accountable for oversight of the cybersecurity program, its activities and its results. Executive leadership and senior management are responsible for program governance and compliance reporting, including an annual certification of the program’s maintenance, its compliance status and any “material matters related to the Information Security program.”
The law explicitly identifies who holds final accountability for each regulated entity’s cybersecurity posture. The board and executive leadership may delegate the work, but there is no mistaking whom the law holds accountable. This pragmatic approach to accountability is long overdue and should raise awareness of cybersecurity across the company, not just within the security team.
The law also promotes a cultural change: the cybersecurity message must come from leadership. It mandates cybersecurity awareness training for all employees and requires that the training be updated regularly to reflect the risks identified during the entity’s risk assessments.
For most regulated entities, the biggest cultural challenge will be cultivating an environment of openness among employees. To meet the new law’s expectations for detecting and responding to cybersecurity events, employees must be encouraged to report suspicious behavior, suspected phishing attempts and other anomalies without fear of reprimand.
The law also mandates that regulated entities stay informed of emerging cybersecurity threats and vulnerabilities, which should have a marked impact on the quality of their cybersecurity programs.
The central expectation of the new law is regular, comprehensive assessment of cyber risk: companies must identify every cyber risk that could affect the regulated entity or its ability to conduct business.
South Carolina’s Department of Insurance (SCDOI) requires compliance with the risk assessment clause through 1.) a written attestation, 2.) annual submission of that attestation to the Director of Insurance and 3.) retention of the supporting evidence of compliance for five years.
Additionally, South Carolina’s law requires that when a cybersecurity event is believed to have occurred, the entity must investigate to determine whether one did occur, establish its nature and scope, identify any nonpublic information involved and take reasonable measures to restore the security of the affected systems. SCDOI must be notified within 72 hours of the entity’s determination that a cybersecurity event has occurred, provided the law’s additional notification criteria are met, and all related records must be retained for five years from the date of the event.
Although the NAIC Model Law cannot be enforced at a national level and no state or territory can be compelled into adopting it, NAIC is strongly encouraging states to enact the Model Law and has set a goal of having it passed by the majority of states within three years.
With the NAIC Model Law as its foundation, the NY DFS experience as a case study and assistance from cybersecurity experts, South Carolina should soon see better corporate cybersecurity hygiene driven by real cultural change in how people view cybersecurity.