South Carolina became the first state in the U.S. to pass HB 4655, a law requiring insurers to establish a “strong and aggressive” cyber program to protect companies and their clients from data breaches. Effective January 1, 2019, the law creates rules for insurers, agents and other licensed entities covering data security, including maintaining an information security program based on ongoing risk assessment, detection, investigation and notification of breaches, and notifying regulators should a cyber event occur.
Forty-two states currently have laws, bills or resolutions regarding cybersecurity. Many businesses do not realize they fall under these requirements even if they do not maintain protected data that would require compliance with other mandates, such as Payment Card Industry (PCI) standards, HIPAA for healthcare, or GDPR for protecting the data of EU citizens.
So how do we help a business determine which mandate(s) apply to it, whether it is meeting the requirements, and if not, how it can become compliant?
Typically an initial consultation to confirm the cyber requirements starts with:
- Where is the business located?
- Where does the organization do business?
- What type(s) of data are processed?
Once the requirements have been established, a gap assessment can be performed to verify compliance. For any areas found non-compliant, the auditor can either provide a valid reason why the control does not apply, or make a recommendation for how to best meet the requirement given the organization’s risk.