The Virginia Insurance Data Security Act, Article 2 of Chapter 6 of Title 38.2 (Sections 38.2-621 through 38.2-629 of the Code of Virginia), was effective July 1, 2020. This legislation is modeled on the NAIC Insurance Data Security Model Law. The Act defines the requirements applicable to a licensee and establishes standards for data security, cybersecurity investigations, and notification to the Commissioner of cybersecurity events. It also provides the standards for notification to consumers, if applicable.

Email to receive instructions for reporting a cybersecurity event or with any related questions.

July 1, 2020

  • Virginia Insurance Data Security Act becomes effective for cybersecurity events that occur on or after July 1, 2020.
  • Licensees shall report cybersecurity events to the Commissioner of Insurance no later than 3 business days after determining that a cybersecurity event has actually occurred when certain criteria are met.
  • Licensees subject to the Virginia Insurance Data Security Act shall implement Section 38.2-623 by this date. This section requires that licensees establish a comprehensive, written information security program by July 1, 2020.

July 1, 2022

  • Licensees subject to the Act who use the services of third-party service providers shall implement the provisions of Section 38.2-623 E by this date. This section details additional requirements for licensees who contract with third-party service providers that maintain, process, store or otherwise are permitted access to nonpublic information through their provision of services to the licensee.

February 15, 2023

  • Beginning on this date, each insurer domiciled in Virginia must annually submit to the Bureau of Insurance a written statement certifying that the insurer is in compliance with the requirements set forth in Section 38.2-623.  Domestic insurers required to submit a written statement will be contacted directly by the Financial Regulation & Solvency Division with further instructions prior to the February 15th deadline.

National Institute of Standards and Technology – NIST

ISACA – COBIT Framework

SANS Institute – CIS Controls

International Organization for Standardization – ISO

Federal Trade Commission

If you belong to an association or trade group, you may be able to find information to assist you with your information security program, including your risk assessment and establishing your security measures.