14VAC5-430-40. Information security program risk assessment.
A. In addition to the information security program requirements of § 38.2-623 of the Code of Virginia, taking into consideration the licensee's size and complexity, each licensee shall conduct a periodic risk assessment consistent with the following processes:
1. Identify reasonably foreseeable internal or external threats that could result in unauthorized access, transmission, disclosure, misuse, alteration, or destruction of nonpublic information held by a licensee, including the security of information systems and nonpublic information that are accessible to or held by third-party service providers;
2. Assess the likelihood and potential damage of these threats taking into consideration the sensitivity of nonpublic information in the possession, custody, or control of the licensee;
3. Assess the sufficiency of policies, procedures, information systems, and other safeguards in place to manage these threats, including consideration of threats in each relevant area of the licensee's operations, such as employee training and management; information classification that includes the processing, storage, transmission, and disposal of information; and the detection, prevention, and response to attacks and intrusions; and
4. Implement information safeguards to manage the threats identified in the licensee's ongoing assessment and, no less than annually, assess the effectiveness of the key controls, systems, and procedures.
B. An assessment conducted in accordance with the objectives of the most current revision of NIST SP 800-30, NIST SP 800-39, or other substantially similar standard shall meet the requirements for a periodic assessment in subsection A of this section.
C. Compliance with the provisions of this subsection is required of all licensees on or before July 1, 2022.
Statutory Authority
§§ 12.1-13 and 38.2-223 of the Code of Virginia.
Historical Notes
Derived from Virginia Register Volume 37, Issue 21, eff. June 1, 2021.