South Carolina was the first state to establish an adaptation of the Insurance Data Security Model Law. That law, which is based on the NAIC Model Cybersecurity Act recently implemented by the National Association of Insurance Commissioners, offers solutions to address the threat of cyberattacks. Since new legislation is likely to be similar to South Carolina’s Insurance Data Security Act (SC Act), our blog series will use that statute as a guide for outlining actions title agents should take in preparing for inevitable adoption of similar legislation in other states.
The SC Act goes into effect January 1, 2019. It requires SC licensees (title agents) and domestic insurers to develop a “comprehensive, written information security program [ISP]” on or before July 1, 2019. At first glance, the term ISP may seem generic and vague. However, a thorough reading of the SC Act reveals a broad outline of a number of specific types of individual reports that must be included in the ISP (and even more detail about what must be included in each report).
These are not reports you merely copy and paste into your plan. The required reports, and the itemized details therein, must demonstrate your intention to address the particular risks of a potential cyberattack or negligent mishandling of nonpublic personal information (NPI). Building an ISP will be a substantial undertaking for most title agents, requiring much time, resources, and effort. The requirements are so vast that adherence to even a 14-month completion deadline could be challenging.
First Step – Risk Assessment
Developing an ISP requires you to start with a risk assessment. While this is a commonly understood term in the IT and cybersecurity world, it may be new to the vocabulary of most title agents. In layman’s terms, a risk assessment is a process that examines how your office handles information in the course of its routine daily operations.
First, you should document the sources of NPI data and where that data is located and stored, then carefully analyze the possibilities of “risk events,” or ways the data could be improperly accessed. The risk assessment process is a necessary step, as a completed ISP must specifically address what is being done to prevent – or at least minimize – the potential for each identified risk event to occur.
Once the risk assessment is completed, the next steps are to 1) categorize the likelihood of occurrence for each risk event, and 2) rank all identified risk events from most critical to minimal. Risk can never be eliminated, but by categorizing the risk events from highest to lowest, one can begin to focus on minimizing the occurrence of those events that pose the greatest damage potential.
Sound easy? Hackers have the ability to break into all types of networks. Understanding firewall security, reviewing breach attempt logs, and educating employees on how a simple mistake could improperly release client information are not things to take lightly – they are necessities. However, few people in the title industry feel confident enough to take this first step without professional guidance.
PYA’s team of information security professionals is focused on the title industry and can guide you through the process, assisting with the development of reports and plans necessary for ensuring compliance with these types of new statutory requirements. Contact us to see how we can help.