What to expect from South Carolina's insurance-specific cybersecurity law
South Carolina just passed its own cybersecurity regulation, based on both the NIST Cybersecurity Framework and the NAIC Insurance Data Security Model Law. It comes on the heels of the European Union’s General Data Protection Regulation (GDPR), which took effect earlier this month and may also apply to South Carolina carriers that operate in the EU or process the personal data of individuals located there.
The South Carolina regulation is the first of its kind: the first state enactment of the NAIC model law. Where its predecessor, the New York State Department of Financial Services cybersecurity regulation, focuses generally on financial services companies and firms that capture credit data, the South Carolina law is insurance-specific. It covers any licensed entity in the insurance business, including carriers, agents, and brokers. The new regulation will likely put pressure on smaller agencies and brokers operating in the state, and some “mom and pop” operations may be forced to close up shop.
Other states are sure to follow in the footsteps of New York and South Carolina and develop their own laws. It typically takes about three years from adoption of an NAIC model law to full adoption on a state-by-state basis. We fully expect cybersecurity regulations to differ from state to state, and some states are looking to re-introduce concepts that were dropped from the final NAIC model law. A handful of states are also adopting data protection regulations (e.g., the Delaware data breach notification law) that apply to any firm capturing consumer data, including insurance carriers.
Cybersecurity regulation will not be one size fits all, so insurers will need to respond proactively to new laws as they emerge. Security is not a part-time job, and hiring a CISO is becoming an imperative for carriers.
This blog entry has been reprinted with permission from Novarica.