Cybersecurity
On May 3, 2018, Governor Henry McMaster signed into law the South Carolina Insurance Data Security Act (the "Act"). The Act became effective on January 1, 2019. South Carolina was the first state in the nation to pass this important and timely legislation which was modeled after the NAIC Insurance Data Security Model Law.
The Act is codified in Title 38, Chapter 99 of the South Carolina Code of Laws. The Act defines the requirements applicable to a "licensee" and establishes standards for data security and standards for the investigation of and notification to the Director of a cybersecurity event.
Contact us via EMAIL with questions.
Key Implementation Dates:
- January 1, 2019: South Carolina Insurance Data Security Act becomes effective. This requires, among other things, that a licensee notify the Director no later than 72 hours after determining that a cybersecurity event has occurred when certain criteria are met.
- July 1, 2019: Licensees must have implemented Section 38-99-20 by this date. This section requires that licensees establish a comprehensive, written information security program by July 1, 2019.
- February 15, 2020: Beginning on this date, each insurer domiciled in South Carolina must annually submit to the Director a written statement certifying that the insurer is in compliance with the requirements set forth in Section 38-99-20. Domestic insurers required to submit a written statement will be contacted directly by the Financial Regulation & Solvency Division with further instructions prior to the February 15th deadline.
- July 1, 2020: Licensees must have implemented Section 38-99-20(F) by this date. This section details additional requirements for licensees who contract with third-party service providers that maintain, process, store, or are otherwise permitted access to nonpublic information through their provision of services to the licensee.
The Department has issued a series of bulletins regarding the implementation of this legislation and each has been copied below for your ease of reference.
View a PDF copy of the "Report a Cybersecurity Event" form. This form is used by licensees to fulfill the notification requirements under Section 38-99-40 (licensees must notify the Department no later than 72 hours after determining that a cybersecurity event has occurred).
- Bulletin 2018-02. South Carolina Insurance Data Security Act. This bulletin provides answers to questions such as to whom the Act applies, what the legislation does, and when the legislation becomes effective.
- Bulletin 2018-09. Cybersecurity Event Reporting Form. This bulletin addresses the process for reporting a cybersecurity event and provides guidance regarding what constitutes a cybersecurity event.
- Bulletin 2018-12. Insurance Data Security Act Exemptions. The bulletin provides more information on exemptions from the Act's information security program requirements. Please be reminded that licensees qualifying for an exemption must still comply with other provisions of the Act.
- Bulletin 2020-04. Third-Party Service Provider Deadline. This bulletin outlines issues that licensees should consider when reviewing the use of third-party service providers as part of a licensee's broader information security program.
The following two documents were developed in conjunction with Bulletin 2020-04. These additional resources do not contain any new requirements but are intended to be viewed by those licensees seeking additional guidance on cybersecurity issues that they should consider when dealing with third-party service providers. The information contained in these documents does not constitute legal advice. It is recommended that you contact your attorney for legal advice on issues related to the implementation of your information security program.
- General Third-Party Service Provider Due Diligence Guidance and Considerations. This document contains additional considerations licensees should take into account when incorporating appropriate third-party service provider oversight into their broader information security program.
- Sample Third-Party Service Provider Due Diligence Checklist. Service providers often access, process, or host sensitive and confidential nonpublic information. Due diligence processes should be informed by your risk assessment and may vary by the size and complexity of your business. This document contains general information that should be considered when performing your TPSP due diligence.
| Organization | Additional Materials |
|---|---|
| Federal Deposit Insurance Corporation (FDIC) | Guidance For Managing Third-Party Risk |
| Office of the Comptroller of the Currency | Risk Management Guidance, OCC-Bulletin-2013-29 |
| National Institute of Standards and Technology (NIST) | Cybersecurity Framework and NIST Special Publication 800-53 |
| Federal Reserve | Guidance on Managing Outsourcing Risk, Board of Governors, Federal Reserve System, December 5, 2013 |
| Consumer Financial Protection Bureau | CFPB Bulletin 2012-13, Service Providers (April 13, 2012) |
| Federal Financial Institutions Examination Council | FFIEC Guidance on IT Service Providers (October 2012) |
| Securities and Exchange Commission | Guidance Update No. 2015-02, Cybersecurity Guidance (April 2015) |
| American Bar Association | Vendor Contracting Project: Cybersecurity Checklist, Cybersecurity Legal Task Force (October 2016) |
The Department also held an information session on September 10, 2018, entitled "Complying with the S.C. Insurance Data Security Act." If you were unable to attend in person, please click on one of the links below to view the PowerPoint slides or watch a video of the presentation: