fbpx
Skip to content
Call us
Login
Comp Calculator
(800) 718-7552

South Dakota , States

South Dakota Cyber Insurance: What Business Owners Must Know

From Sioux Falls to Spearfish, businesses across South Dakota are going digital—and becoming more vulnerable. Cyberattacks, ransomware, and data breaches now affect companies in every sector, from rural schools to local manufacturers. While cyber insurance isn’t legally required, going without it can lead to serious financial and legal consequences.

 

This guide breaks down who needs cyber insurance in South Dakota, what it covers, how much it costs, and what to do if your business is breached.

Why Cyber Coverage Matters in South Dakota

There is no law mandating cyber liability insurance for South Dakota businesses. But that doesn’t mean you’re protected.

 

Under the South Dakota Data Breach Notification Law (SDCL §§ 22-40-19 to 22-40-26), any “information holder” (person or business that conducts business in this state and owns or licenses computerized personal or protected information of residents of this state) must notify affected residents not later than 60 days from the discovery or notification of a breach of system security. If a breach affects more than 250 South Dakota residents, you must also notify the state Attorney General.

 

Without a policy, you’re left to cover legal fees, IT recovery, notification expenses, and reputational damage on your own.

Who Needs Cyber Insurance?

Even though coverage isn’t mandatory, cyber insurance is critical for any business handling personal, financial, or regulated data. High-risk industries in South Dakota include:

 

  • Healthcare Providers: HIPAA rules require strict safeguards for medical data. Without HIPAA breach insurance SD, ransomware attacks can cost hospitals and clinics hundreds of thousands in damages.
  • Financial Institutions: Banks, credit unions, and loan servicers must follow GLBA guidelines. Cyber liability requirements for South Dakota financial firms are often included in regulatory reviews. (Note: Financial organizations in compliance with GLBA are deemed to comply with SDCL §§ 22-40-19 to 22-40-26).
  • Retail and E-commerce: Any business accepting credit cards must meet PCI DSS standards. Many vendor contracts now require cyber coverage.
  • Schools and Colleges: Public and private institutions are common ransomware targets. Ransomware coverage for schools in South Dakota is now essential.
  • Agriculture and Manufacturing: Modern OT systems and cloud-based production tools are now standard. Agricultural business cyber insurance protects against downtime and sabotage.
  • Government Contractors: Many state partnerships may include clauses requiring cyber insurance coverage as a condition of doing business
  • Insurance Licensees: While South Dakota has not adopted the NAIC Insurance Data Security Model Law, entities licensed under Title 58 (Insurance) must comply with other existing privacy and security rules (e.g., related to medical records and financial information, like SDCL 58-2-40 and 58-2-41), and are subject to oversight by the South Dakota Division of Insurance.

 

Even small businesses in rural areas must comply with breach notification laws if they store names, emails, or Social Security numbers. A single breach at a hotel near Mount Rushmore or a Rapid City online retailer can lead to six-figure recovery costs.

What Cyber Insurance Covers

A comprehensive cyber insurance policy in South Dakota offers two types of protection:

 

First-Party Coverage These protections help your business recover from a direct cyber incident:

  • Notification letters and optional credit monitoring for affected individuals (Note: Credit monitoring is not explicitly mandated by SDCL §§ 22-40-19 to 22-40-26, but is a common best practice).
  • Digital forensic analysis to pinpoint the breach.
  • Ransomware payments and negotiation services (when permitted by policy terms and law).
  • Crisis communications and PR damage control.
  • Business interruption compensation for lost income.

 

Third-Party Coverage These features cover lawsuits and regulatory actions tied to the breach:

  • Defense costs and settlements if clients or patients sue your business.
  • Regulatory fines (when insurable by law) from bodies like OCR or the FTC.
  • Contractual liability if a vendor breach causes client data loss.

 

Cyber liability insurance coverage is tailored to your risk level, industry, and contract obligations—making it a flexible safeguard for businesses of all sizes.

 

Explore the role of technology in workers’ compensation and how it can strengthen your company’s protection approach.

Common Cyber Risks in South Dakota

Cyberattacks aren’t limited to large cities. Threats are increasingly targeting smaller towns and less-defended networks. Here are some of the most common risks:

 

  • Phishing Emails: Fake messages trick employees into sharing credentials or paying fraudulent invoices. Real estate, legal, and accounting firms are frequent targets.
  • Ransomware Attacks: Healthcare providers and school districts are especially vulnerable. Some ransomware incidents in South Dakota have cost over $1 million.
  • Lost or Stolen Devices: If laptops or USB drives containing personal data go missing, businesses must notify everyone impacted—adding mailing, legal, and identity protection costs.
  • Cloud Misconfigurations: Poorly secured cloud platforms may leak sensitive data to the public internet without notice.
  • Third-Party Breaches: If your payroll processor or web host is hacked, your business could be held liable, especially under contract terms.

Cyber Insurance Cost in South Dakota

Cyber insurance premiums in South Dakota are generally lower than in heavily regulated states, but costs still vary based on size, industry, and security controls.

 

  • Small Businesses (Under 10 Employees):
    • Premium: $1,200–$7,000 per year
    • Deductibles: Around $2,500
  • Midsize Firms (10–100 Employees):
    • Premium: $2,500–$15,000 per year
    • Deductibles: $10,000–$50,000
  • Large Enterprises:
    • Premium: $25,000+ annually
    • Higher coverage limits and optional extensions

 

Discounts are available for businesses that:

  • Use multi-factor authentication (MFA).
  • Encrypt sensitive data at rest and in transit.
  • Train staff in basic cybersecurity hygiene.
  • Have gone five years without a claim.
  • Bundle cyber coverage with general liability or E&O insurance.

What To Do After a Data Breach

Under South Dakota law, if an “information holder” discovers a “breach of system security” (as defined in SDCL 22-40-19), they must:

 

  1. Conduct a Prompt Investigation and Determine Harm:
    • An investigation must be conducted to determine if misuse of personal or protected information has occurred or is reasonably likely to occur.
    • Notification is not required if, following an appropriate investigation and notice to the Attorney General, the information holder reasonably determines that the breach will not likely result in harm to the affected person. This determination must be documented in writing and maintained for not less than three years.
  2. Notify Affected Residents:
    • If notification is required, disclose the breach to any resident of this state whose personal or protected information was, or is reasonably believed to have been, acquired by an unauthorized person.
    • Disclosure must be made not later than 60 days from the discovery or notification of the breach of system security, unless a longer period is required due to the legitimate needs of law enforcement.
    • Permitted Delay: Notice may be delayed if a law enforcement agency determines that it would impede a criminal investigation; however, if delayed, notice must be provided within 30 days after the agency determines it will not compromise the investigation.
    • Methods: Written notice, electronic notice (consistent with E-SIGN), or substitute notice (if cost exceeds $250,000, affected class exceeds 500,000, or insufficient contact info).
  3. Notify the Attorney General:
    • Any information holder that experiences a breach of system security shall disclose to the Attorney General by mail or electronic mail any breach of system security that affects more than 250 residents of this state. This notification must also occur not later than 60 days from the discovery or notification of the breach.
  4. Notify Consumer Reporting Agencies:
    • Any information holder that notifies affected South Dakota residents of a breach (regardless of the number of residents affected) shall also notify, without unreasonable delay, all consumer reporting agencies (as defined in 15 U.S.C. Section 1681a) of the timing, distribution, and content of the consumer notices. (Note: Earlier versions of the law had a 250-resident threshold for this, but the final version removed that limitation, making it applicable to all breaches that require consumer notice).

 

Your Notice Must Include:

  • While South Dakota law does not explicitly specify the content of the notices, best practice typically includes: the nature of the breach, the types of personal or protected data exposed, steps taken to prevent future breaches, and contact information for follow-up.

 

Most insurance policies also require notice within 24 to 72 hours of discovery. Failing to report in time can result in a denied claim.

 

Prepare the following:

  • Breach Summary: What happened and how.
  • Number of Individuals Affected: And what kind of data was exposed.
  • Response Timeline: What actions you took and when.

 

If your insurance provider denies coverage unfairly, you can file a complaint with the South Dakota Division of Insurance, which enforces the Unfair Trade Practices Act (SDCL 58-33-67).

 

Penalties: Failure to disclose a breach is considered a deceptive act under the state’s consumer protection laws (SDCL 37-24-6), and the Attorney General may prosecute each failure to disclose as a deceptive act or practice. The Attorney General may also bring an action to recover a civil penalty of not more than $10,000 per day per violation, in addition to attorneys’ fees and costs (SDCL 22-40-25).

Final Takeaways for South Dakota Business Owners

Cybercrime in South Dakota is not just a big-city problem—it’s everywhere. From small retail shops to clinics and farming cooperatives, no one is immune.

 

Cyber insurance for small business South Dakota operations is no longer optional—it’s critical for business continuity, compliance, and customer trust.

 

Ready to Protect Your Business? Call at 855-718-7552 for more information.

  • Blog

RECOMMENDED ARTICLES

View more articles

OCMI Workers Comp is a PEO brokerage finding the best affordable PEO program for your business.

Programs

Workers comp

Short - term coverage

PEO services

Calculator

Comp calculator

About us

About OCMI

Compliance

Contact us

Resources

Clients forms

Help center

Blog

Payroll calculator

OCMI App

State Mandated Posters

FAQ

  • 225 E Dania Beach Blvd, Suite 120 - Dania Beach, FL 33004
  • (800) 718-7552
  • quotes@ocmiworkerscomp.com

© 2025 OCMI Workers Comp & Professional Services, LLC.

All Rights Reserved  |  Accessibility Statement   |   Terms & Conditions   |    Privacy Policy