The Virginia Insurance Data Security Act, Article 2 of Chapter 6 of Title 38.2 (Sections 38.2-621 through 38.2-629 of the Code of Virginia), was effective July 1, 2020. This legislation is modeled on the NAIC Insurance Data Security Model Law. The Act defines the requirements applicable to a licensee and establishes standards for data security, cybersecurity investigations, and notification to the Commissioner of cybersecurity events. It also provides the standards for notification to consumers, if applicable.
Email BOIDataSec@scc.virginia.gov to receive instructions for reporting a cybersecurity event or with any related questions.
July 1, 2020
- Virginia Insurance Data Security Act becomes effective for cybersecurity events that occur on or after July 1, 2020.
- Licensees shall report cybersecurity events to the Commissioner of Insurance no later than 3 business days after determining that a cybersecurity event has actually occurred when certain criteria are met.
- Licensees subject to the Virginia Insurance Data Security Act shall implement Section 38.2-623 by this date. This section requires that licensees establish a comprehensive, written information security program by July 1, 2020.
July 1, 2022
- Licensees subject to the Act who use the services of third-party service providers shall implement the provisions of Section 38.2-623 E by this date. This section details additional requirements for licensees who contract with third-party service providers that maintain, process, store or otherwise are permitted access to nonpublic information through their provision of services to the licensee.
February 15, 2023
- Beginning on this date, each insurer domiciled in Virginia must annually submit to the Bureau of Insurance a written statement certifying that the insurer is in compliance with the requirements set forth in Section 38.2-623. Domestic insurers required to submit a written statement will be contacted directly by the Financial Regulation & Solvency Division with further instructions prior to the February 15th deadline.
National Institute of Standards and Technology – NIST
- Cybersecurity Framework (PDF and Excel)
- Small Business Information Security (PDF)
- Risk Assessment SP 800-30 (PDF)
- Risk Assessment SP 800-39 (PDF)
- Information Security SP 800-53 (PDF)
- Information Security SP 800-171 (PDF)
- Incident Response SP 800-61 (PDF)
- NIST Educational Resources
ISACA – COBIT Framework
SANS Institute – CIS Controls
International Organization for Standardization – ISO
Federal Trade Commission