Administrative Code

Creating a Report: Check the sections you'd like to appear in the report, then use the "Create Report" button at the bottom of the page to generate your report. Once the report is generated you'll then have the option to download it as a pdf, print or email the report.

Virginia Administrative Code
Title 14. Insurance
Agency 5. State Corporation Commission, Bureau of Insurance
Chapter 430. Insurance Data Security Risk Assessment and Reporting

14VAC5-430-40. Information security program risk assessment.

A. In addition to the information security program requirements of § 38.2-623 of the Code of Virginia, taking into consideration the licensee's size and complexity, each l licensee shall conduct a periodic risk assessment consistent with the following processes:

1. Identify reasonably foreseeable internal or external threats that could result in unauthorized access, transmission, disclosure, misuse, alteration, or destruction of nonpublic information held by a licensee, including the security of information systems and nonpublic information that are accessible to or held by third-party service providers;

2. Assess the likelihood and potential damage of these threats taking into consideration the sensitivity of nonpublic information in the possession, custody, or control of the licensee;

3. Assess the sufficiency of policies, procedures, information systems, and other safeguards in place to manage these threats, including consideration of threats in each relevant area of the licensee's operations, such as employee training and management; information classification that includes the processing, storage, transmission, and disposal of information; and the detection, prevention, and response to attacks and intrusions; and

4. Implement information safeguards to manage the threats identified in the licensee's ongoing assessment and, no less than annually, assess the effectiveness of the key controls, systems, and procedures.

B. An assessment conducted in accordance with the objectives of the most current revision of NIST SP 800-30, NIST SP 800-39, or other substantially similar standard shall meet the requirements for a periodic assessment in subsection A of this section.

C. Compliance with the provisions of this subsection is required of all licensees on or before July 1, 2022.

Statutory Authority

§§ 12.1-13 and 38.2-223 of the Code of Virginia.

Historical Notes

Derived from Virginia Register Volume 37, Issue 21, eff. June 1, 2021.

Website addresses provided in the Virginia Administrative Code to documents incorporated by reference are for the reader's convenience only, may not necessarily be active or current, and should not be relied upon. To ensure the information incorporated by reference is accurate, the reader is encouraged to use the source document described in the regulation.

As a service to the public, the Virginia Administrative Code is provided online by the Virginia General Assembly. We are unable to answer legal questions or respond to requests for legal advice, including application of law to specific fact. To understand and protect your legal rights, you should consult an attorney.