Paul Zimmerman
pzimmerman@mrllp.com
310.299.5500


Cybersecurity Rules May Be Coming to a State Near You: South Carolina Enacts NAIC’s Model Law

In the wake of cybersecurity requirements for financial services companies that were issued by the New York Department of Financial Services and went into effect on March 1, 2017 (codified at 23 NYCRR §500), the National Association of Insurance Commissioners (NAIC) adopted a similar Insurance Data Security Model Law.

Because the NAIC rules are simply a template for legislation, for now only insurance and insurance-related companies as well as brokers, agents and adjusters licensed to transact business in New York are bound by cyber regulations earmarked for the insurance industry – regulations that require the assessment of specific cyber risk profiles and design of cybersecurity programs that address such risk in a robust fashion. But New York’s membership in this exclusive club will be short-lived. And that is because on May 14, 2018, South Carolina became the first state in the nation to enact the model law promulgated by the NAIC.

The South Carolina Insurance Data Security Act

Effective January 1, 2019, the South Carolina Insurance Data Security Act – which is similar to New York’s cyber regulations and the NAIC model rules that precede it – will require so-called “covered entities” (insurers domiciled in South Carolina, among other licensees there) to implement written information security programs (WISP) to secure sensitive data, which programs are to include incident response and data recovery plans in the event of a cybersecurity event. Pursuant to the legislation (House Bill 4655), covered entities will also have to abide by annual compliance requirements. In addition, they will need to notify the Department of Insurance within 72 hours of determining that a cybersecurity event, such as a data breach, has occurred.

Upon closer inspection, the WISP to be developed and implemented by licensees subject to the law in South Carolina will have to be based on a risk assessment and meet specified objectives. Likewise, licensees will need to include cybersecurity risks in their enterprise risk management processes and provide staff with training that is updated to reflect risks identified in the risk assessment. There is more. Any licensee having a board of directors must ensure that executive management implements the WISP and provides an annual written report to the board on the overall status of the program and any material matters.

When it comes to the processing and storage of nonpublic information, entities contemplated under the South Carolina law will be required to exercise due diligence in selecting any third-party service providers retained to handle such tasks. And these providers will need to take steps to protect and secure the information systems and nonpublic information they hold (licensees will have until July 1, 2020, to implement the provisions of the legislation relating to third-party service provider oversight).

Finally, incident response plans mandated under the South Carolina legislation will have to include a description of the internal process for responding to a cybersecurity event, and a written statement certifying that insurers are in compliance with the law’s WISP requirements will need to be submitted to the Insurance Director by February 15 of each year. Of note, all records, schedules and data supporting the certification must be maintained for five years.

A Head Start on Compliance

Many companies transacting insurance, even those outside of New York and, now, South Carolina, are already paying heed to and implementing cyber rules akin to those in the NAIC’s model law. No doubt, when it comes to cybersecurity regulation, those in the insurance space would be wise to expect more legislation to be on the way sooner rather than later and act accordingly.

Of course, anyone with specific questions about compliance with the South Carolina law or the existing New York cyber rules, or more general queries regarding the NAIC’s model law or the likelihood of similar legislation passing in other jurisdictions, should not hesitate to contact Scott Lyon at (714) 557-7990 or slyon@mrllp.com.  

This blog post is not offered as, and should not be relied on as, legal advice. You should consult an attorney for advice in specific situations.