Cybersecurity

On May 3, 2018, Governor Henry McMaster signed into law the South Carolina Insurance Data Security Act (the "Act").  The Act will become effective on January 1, 2019.  South Carolina is the first state in the nation to pass this important and timely legislation which is modeled after the NAIC Insurance Data Security Model Law.  

The Act is codified in Title 38, Chapter 99 of the South Carolina Code of Laws.  The Act defines the requirements applicable to a "licensee" and establishes standards for data security and standards for the investigation of and notification to the Director of a cybersecurity event. 

Key Implementation Dates


January 1, 2019

:  South Carolina Insurance Data Security Act becomes effective.  This requires, among other things, that a licensee notify the Director no later than 72 hours after determining that a cybersecurity event has occurred when certain criteria are met.

July 1, 2019

:  Licensees must have implemented Section 38-99-20 by this date.  This section requires that licensees establish a comprehensive, written information security program by July 1, 2019.

July 1, 2020

:  Licensees must have implemented Section 38-99-20(F) by this date.  This section details additional requirements for licensees who contract with third-party service providers that maintain, process, store or otherwise is permitted access to nonpublic information through its provision of services to the licensee.

February 15, 2020

:  Beginning on this date, each insurer domiciled in South Carolina must annually submit to the Director a written statement certifying that the insurer is in compliance with the requirements set forth in Section 38-99-20.

Additional Information and Resources


The Department will issue a series of bulletins regarding the implementation of this legislation and each will be copied below as they become available.

  1. Bulletin 2018-02. South Carolina Insurance Data Security Act.  This bulletin provides answers to questions such as to whom does the Act apply, what does the legislation do, and when will the legislation be effective.
  2. Bulletin 2018-09. Cybersecurity Event Reporting Form.  This bulletin addresses the process for reporting a cybersecurity event and provides guidance regarding what constitutes a cybersecurity event.  
  3. Bulletin 2018-12. Insurance Data Security Act Exemptions.  The bulletin provides more information on exemptions from the Act's information security program requirements.  Please be reminded that licensees qualifying for an exemption must still comply with other provisions of the Act. 

View a copy of the "Report a Cybersecurity Event" form.  A link to the "live" version of this form will be available closer to the January 1, 2019 effective date of the new law.  This form will be used by licensees to fulfill the notification requirements under Section 38-99-40 (licensees must notify the Department no later than 72 hours after determining that a cybersecurity event has occurred). 


The Department held an information session on September 10, 2018, entitled "Complying with the S.C. Insurance Data Security Act."  If you were unable to attend in-person, please click on one of the links below to view the PowerPoint slides or watch a video of the presentation: