Virginia Administrative Code
Title 14. Insurance
Agency 5. State Corporation Commission, Bureau of Insurance
Chapter 430. Insurance Data Security Risk Assessment and Reporting
12/5/2024

14VAC5-430-60. Reporting cybersecurity events to the commissioner.

A. Reporting cybersecurity events to the commissioner.

1. Once a licensee has determined both that a cybersecurity event has occurred and that the licensee has a duty to report it to the commissioner pursuant to § 38.2-625 of the Code of Virginia, the licensee shall notify the commissioner within three business days that it has information to report, using the email address designated by the bureau. This notification should include the name, telephone number, and email address of the individual who is the licensee's designated contact for the cybersecurity event.

2. Instructions for communicating the information required by § 38.2-625 of the Code of Virginia to the commissioner through a secure portal will be provided by the bureau in response to the email.

3. The licensee shall update the commissioner on the progress of its investigation as information becomes known to the licensee until the licensee has provided as much of the information set forth in § 38.2-625 of the Code of Virginia as possible.

4. If also required to notify consumers, licensees shall (i) provide the commissioner with a copy of the notice template and any documentation provided to consumers and (ii) maintain a list of consumers notified and retain the list for the timeframe established by § 38.2-624 D of the Code of Virginia.

B. Except where nonpublic information has been accessed, once a domestic insurance company has notified the commissioner of the date, nature, and scope of the cybersecurity event, the insurance company may report any remaining information required by § 38.2-625 of the Code of Virginia discovered by the licensee pursuant to its investigation (i) annually in a separate report, (ii) in the certification described in § 38.2-623 H of the Code of Virginia, or (iii) on a continuing basis through the portal established for reporting cybersecurity events to the bureau.

C. Unless exempted by § 38.2-629 A 2 of the Code of Virginia, producers whose home state is Virginia shall report cybersecurity events to the commissioner in accordance with subsection A of this section.

D. If required to report to the commissioner, nondomestic insurance companies, and, unless exempted under § 38.2-629 A 2 of the Code of Virginia, producers whose home state is not Virginia shall notify the commissioner of the cybersecurity event pursuant to § 38.2-625 A 2 of the Code of Virginia as set forth in subsection A of this section.

Statutory Authority

§§ 12.1-13 and 38.2-223 of the Code of Virginia.

Historical Notes

Derived from Virginia Register Volume 37, Issue 21, eff. June 1, 2021.

Website addresses provided in the Virginia Administrative Code to documents incorporated by reference are for the reader's convenience only, may not necessarily be active or current, and should not be relied upon. To ensure the information incorporated by reference is accurate, the reader is encouraged to use the source document described in the regulation.

As a service to the public, the Virginia Administrative Code is provided online by the Virginia General Assembly. We are unable to answer legal questions or respond to requests for legal advice, including application of law to specific fact. To understand and protect your legal rights, you should consult an attorney.