The Virginia Insurance Data Security Act was enacted by the 2020 Virginia General Assembly. This legislation is modeled on the NAIC Insurance Data Security Model Law. The Act defines the requirements applicable to a licensee and establishes standards for data security, cybersecurity investigations, and notification to the Commissioner of cybersecurity events. It also provides the standards for notification to consumers, if applicable.
Email BOIDataSec@scc.virginia.gov to receive instructions for reporting a cybersecurity event or with any related questions.
July 1, 2020
- Virginia Insurance Data Security Act becomes effective for cybersecurity events that occur on or after July 1, 2020.
- Licensees shall report cybersecurity events to the Commissioner of Insurance no later than 3 business days after determining that a cybersecurity event has actually occurred when certain criteria are met.
- Licensees subject to the Virginia Insurance Data Security Act shall implement Section 38.2-623 by this date. This section requires that licensees establish a comprehensive, written information security program by July 1, 2020.
July 1, 2022
- Licensees subject to the Act who use the services of third-party service providers shall implement the provisions of Section 38.2-623 E by this date. This section details additional requirements for licensees who contract with third-party service providers that maintain, process, store or otherwise are permitted access to nonpublic information through their provision of services to the licensee.
February 15, 2023
- Beginning on this date, each insurer domiciled in Virginia must annually submit to the Bureau of Insurance a written statement certifying that the insurer is in compliance with the requirements set forth in Section 38.2-623. Domestic insurers required to submit a written statement will be contacted directly by the Financial Regulation & Solvency Division with further instructions prior to the February 15th deadline.
National Institute of Standards and Technology – NIST
- Cybersecurity Framework (PDF and Excel)
- Small Business Information Security (PDF)
- Risk Assessment SP 800-30 (PDF)
- Risk Assessment SP 800-39 (PDF)
- Information Security SP 800-53 (PDF)
- Information Security SP 800-171 (PDF)
- Incident Response SP 800-61 (PDF)
- NIST Educational Resources
ISACA – COBIT Framework
SANS Institute – CIS Controls
International Organization for Standardization – ISO
Federal Trade Commission