The Virginia Insurance Data Security Act, Article 2 of Chapter 6 of Title 38.2 (Sections 38.2-621 through 38.2-629 of the Code of Virginia), became effective July 1, 2020. This legislation is modeled on the NAIC Insurance Data Security Model Law. The Act defines the requirements applicable to a licensee and establishes standards for data security, cybersecurity investigations, and notification to the Commissioner of cybersecurity events. It also provides the standards for notification to consumers, if applicable.
Chapter 430, the Rules Governing Insurance Data Security Risk and Reporting, was approved effective June 1, 2021. The regulation provides (i) rules for reporting cybersecurity events; (ii) risk assessment requirements that must be implemented by July 1, 2022; and (iii) additional security measures that must be implemented by July 1, 2022.
Email BOIDataSec@scc.virginia.gov to receive instructions for reporting a cybersecurity event or with any related questions.
July 1, 2020
Virginia Insurance Data Security Act becomes effective for cybersecurity events that occur on or after July 1, 2020.
Licensees shall report cybersecurity events to the Commissioner of Insurance no later than 3 business days after determining that a cybersecurity event has actually occurred when certain criteria are met.
Licensees subject to the Virginia Insurance Data Security Act shall implement Section 38.2-623 by this date. This section requires that licensees establish a comprehensive, written information security program by July 1, 2020.
June 1, 2021
Chapter 430, the Rules Governing Insurance Data Security Risk and Reporting, was approved effective June 1, 2021. Licensees subject to the Act shall comply with the reporting requirements in Chapter 430 as of this date.
July 1, 2022
Licensees subject to the Act who use the services of third-party service providers shall implement the provisions of Section 38.2-623 E by this date. This section details additional requirements for licensees who contract with third-party service providers that maintain, process, store, or are otherwise permitted access to nonpublic information through their provision of services to the licensee.
Licensees subject to the Act must be in compliance with the risk assessment requirements in 14VAC5-430-40 as of this date.
Licensees subject to the Act must implement the appropriate security measures as set forth in 14VAC5-430-50 as of this date.
February 15, 2023
Beginning on this date, each insurer domiciled in Virginia must annually submit to the Bureau of Insurance a written statement certifying that the insurer is in compliance with the requirements set forth in Section 38.2-623. Domestic insurers required to submit a written statement will be contacted directly by the Financial Regulation & Solvency Division with further instructions prior to the February 15th deadline.
National Institute of Standards and Technology – NIST
- Cybersecurity Framework (Framework Documents in PDF, Excel)
- Small Business Information Security
- Risk Assessment SP 800-30
- Risk Assessment SP 800-39
- Information Security SP 800-53
- Information Security SP 800-171
- Incident Response SP 800-61
- NIST Educational Resources
ISACA – COBIT Framework
SANS Institute – CIS Controls
International Organization for Standardization – ISO
Federal Trade Commission