Chapter 430. Insurance Data Security Risk Assessment and Reporting
14VAC5-430-10. Applicability and scope.
This chapter sets forth rules to carry out the provisions of the Insurance Data Security Act, Article 2 (§ 38.2-621, et seq.) of Chapter 6 of Title 38.2 of the Code of Virginia, and sets minimum standards for risk assessment and security standards required of all licensees. However, as outlined, the specific requirements for licensees may differ in certain circumstances, depending on the size and complexity of the licensee. This chapter applies to and protects physical and electronic data, including nonpublic information, stored, transmitted, and processed across various information systems or any other media used by licensees.
Statutory Authority
§§ 12.1-13 and 38.2-223 of the Code of Virginia.
Historical Notes
Derived from Virginia Register Volume 37, Issue 21, eff. June 1, 2021.
14VAC5-430-20. Severability.
If any provision of this chapter or its application to any person or circumstance is for any reason held to be invalid by a court or the commission, the remainder of this chapter and the application of the provisions to other persons or circumstances shall not be affected.
Statutory Authority
§§ 12.1-13 and 38.2-223 of the Code of Virginia.
Historical Notes
Derived from Virginia Register Volume 37, Issue 21, eff. June 1, 2021.
14VAC5-430-30. Definitions.
The following words and terms when used in this chapter shall have the following meanings, unless context clearly indicates otherwise:
"Authorized person" means a person known to and authorized by the licensee and determined to be necessary and appropriate to have access to the nonpublic information held by the licensee and its information systems.
"Bureau" means the Bureau of Insurance.
"Commissioner" means the Commissioner of Insurance.
"Consumer" means an individual, including any applicant, policyholder, former policyholder, insured, beneficiary, claimant, and certificate holder, who is a resident of Virginia and whose nonpublic information is in the possession, custody, or control of a licensee or an authorized person.
"Cybersecurity event" means an event resulting in unauthorized access to, disruption of, or misuse of an information system or nonpublic information in the possession, custody, or control of a licensee or an authorized person. "Cybersecurity event" does not include (i) the unauthorized acquisition of encrypted nonpublic information if the encryption, process, or key is not also acquired, released, or used without authorization or (ii) an event in which the licensee has determined that the nonpublic information accessed by an unauthorized person has not been used or released and has been returned or destroyed.
"Encrypted" or "encryption" means the transformation of data into a form that results in a low probability of assigning meaning without the use of a protective process or key.
"Home state" means the jurisdiction in which the producer maintains its principal place of residence or principal place of business and is licensed by that jurisdiction to act as a resident insurance producer.
"Information security program" means the administrative, technical, and physical safeguards that a licensee uses to access, collect, distribute, process, protect, store, use, transmit, dispose of, or otherwise handle nonpublic information.
"Information system" means a discrete set of electronic information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of electronic information, as well as any specialized system, such as industrial or process control systems, telephone switching and private branch exchange systems, and environmental control systems.
"Licensee" means any person licensed, authorized to operate, or registered, or required to be licensed, authorized, or registered pursuant to the insurance laws of Virginia. "Licensee" does not include a purchasing group or a risk retention group chartered and licensed in a state other than Virginia or a person that is acting as an assuming insurer that is domiciled in another state or jurisdiction.
"Multi-factor authentication" means authentication through verification of at least two of the following types of authentication factors:
1. Knowledge factors, such as a password;
2. Possession factors, such as a token or text message on a mobile device; or
3. Inherence factors, such as a biometric characteristic.
"Nonpublic information" means information that is not publicly available information and is:
1. Business-related information of a licensee the tampering with which, or the unauthorized disclosure, access, or use of which, would cause a material adverse impact to the business, operations, or security of the licensee;
2. Any information concerning a consumer that because of name, number, personal mark, or other identifier can be used to identify such consumer, in any combination with a consumer's (i) social security number; (ii) driver's license number or nondriver identification card number; (iii) financial account, credit card, or debit card number; (iv) security code, access code, or password that would permit access to a consumer's financial account; (v) passport number; (vi) military identification number; or (vii) biometric records; or
3. Any information or data, except age or gender, in any form or medium created by or derived from a health care provider or a consumer that can be used to identify a particular consumer, and that relates to (i) the past, present, or future physical, mental, or behavioral health or condition of any consumer or a member of the consumer's family; (ii) the provision of health care to any consumer; or (iii) payment for the provision of health care to any consumer.
"Nonpublic information" does not include a consumer's personally identifiable information that has been anonymized using a method no less secure than the safe harbor method under HIPAA.
"Publicly available information" means any information that a licensee has a reasonable basis to believe is lawfully made available to the general public from federal, state, or local government records; widely distributed media; or disclosures to the general public that are required to be made by federal, state, or local law. A licensee has a reasonable basis to believe that information is lawfully made available to the general public if the licensee has taken steps to determine (i) that the information is of the type that is available to the general public and (ii) whether a consumer can direct that the information not be made available to the general public and, if so, that such consumer has not done so.
"Third-party service provider" means a person, not otherwise defined as a licensee, that contracts with a licensee to maintain, process, or store nonpublic information or otherwise is permitted access to nonpublic information through its provision of services to the licensee, or an insurance-support organization.
Statutory Authority
§§ 12.1-13 and 38.2-223 of the Code of Virginia.
Historical Notes
Derived from Virginia Register Volume 37, Issue 21, eff. June 1, 2021; Errata, 37:23 VA.R. 3482 July 5, 2021.
14VAC5-430-40. Information security program risk assessment.
A. In addition to the information security program requirements of § 38.2-623 of the Code of Virginia, taking into consideration the licensee's size and complexity, each licensee shall conduct a periodic risk assessment consistent with the following processes:
1. Identify reasonably foreseeable internal or external threats that could result in unauthorized access, transmission, disclosure, misuse, alteration, or destruction of nonpublic information held by a licensee, including the security of information systems and nonpublic information that are accessible to or held by third-party service providers;
2. Assess the likelihood and potential damage of these threats taking into consideration the sensitivity of nonpublic information in the possession, custody, or control of the licensee;
3. Assess the sufficiency of policies, procedures, information systems, and other safeguards in place to manage these threats, including consideration of threats in each relevant area of the licensee's operations, such as employee training and management; information classification that includes the processing, storage, transmission, and disposal of information; and the detection, prevention, and response to attacks and intrusions; and
4. Implement information safeguards to manage the threats identified in the licensee's ongoing assessment and, no less than annually, assess the effectiveness of the key controls, systems, and procedures.
B. An assessment conducted in accordance with the objectives of the most current revision of NIST SP 800-30, NIST SP 800-39, or other substantially similar standard shall meet the requirements for a periodic assessment in subsection A of this section.
C. Compliance with the provisions of this subsection is required of all licensees on or before July 1, 2022.
Statutory Authority
§§ 12.1-13 and 38.2-223 of the Code of Virginia.
Historical Notes
Derived from Virginia Register Volume 37, Issue 21, eff. June 1, 2021.
14VAC5-430-50. Information security program security measures.
A. As part of its information security program and based on its risk assessments, each licensee shall implement appropriate security measures as follows:
1. Manage the data, personnel, devices, systems, and facilities of the licensee in accordance with its identified risk;
2. Protect, by encryption or other appropriate means, all nonpublic information while being transmitted over an external network;
3. Protect, by encryption or other appropriate means, all nonpublic information stored on portable computing, storage devices, or media;
4. Adopt secure development practices for applications developed in-house and used by the licensee;
5. Adopt procedures for evaluating and assessing the security of externally developed applications utilized by the licensee;
6. Implement effective controls, which may include multi-factor authentication, for authorized persons to access nonpublic information; and
7. Use audit trails or audit logs designed to detect and respond to cybersecurity events and to reconstruct material financial transactions.
B. Compliance with the provisions of this section is required of all licensees on or before July 1, 2022.
C. Security measures implemented in accordance with the objectives of the most current revision of NIST SP 800-53, NIST SP 800-171, or other substantially similar standard shall meet the requirements for security measures in subsection A of this section.
D. Effective July 1, 2022, each licensee that utilizes a third-party service provider shall:
1. Exercise due diligence in selecting a third-party service provider; and
2. Require the third-party service provider to implement appropriate administrative, technical, and physical measures to protect and secure the information systems and nonpublic information that are accessible to, or held by, the third-party service provider.
Statutory Authority
§§ 12.1-13 and 38.2-223 of the Code of Virginia.
Historical Notes
Derived from Virginia Register Volume 37, Issue 21, eff. June 1, 2021; amended, Virginia Register Volume 38, Issue 13, eff. February 1, 2022.
14VAC5-430-60. Reporting cybersecurity events to the commissioner.
A. Reporting cybersecurity events to the commissioner.
1. Once a licensee has determined both that a cybersecurity event has occurred and that the licensee has a duty to report it to the commissioner pursuant to § 38.2-625 of the Code of Virginia, the licensee shall notify the commissioner within three business days that it has information to report, using the email address designated by the bureau. This notification should include the name, telephone number, and email address of the individual who is the licensee's designated contact for the cybersecurity event.
2. Instructions for communicating the information required by § 38.2-625 of the Code of Virginia to the commissioner through a secure portal will be provided by the bureau in response to the email.
3. The licensee shall update the commissioner on the progress of its investigation as information becomes known to the licensee until the licensee has provided as much of the information set forth in § 38.2-625 of the Code of Virginia as possible.
4. If also required to notify consumers, licensees shall (i) provide the commissioner with a copy of the notice template and any documentation provided to consumers and (ii) maintain a list of consumers notified and retain the list for the timeframe established by § 38.2-624 D of the Code of Virginia.
B. Except where nonpublic information has been accessed, once a domestic insurance company has notified the commissioner of the date, nature, and scope of the cybersecurity event, the insurance company may report any remaining information required by § 38.2-625 of the Code of Virginia discovered by the licensee pursuant to its investigation (i) annually in a separate report, (ii) in the certification described in § 38.2-623 H of the Code of Virginia, or (iii) on a continuing basis through the portal established for reporting cybersecurity events to the bureau.
C. Unless exempted by § 38.2-629 A 2 of the Code of Virginia, producers whose home state is Virginia shall report cybersecurity events to the commissioner in accordance with subsection A of this section.
D. If required to report to the commissioner, nondomestic insurance companies, and, unless exempted under § 38.2-629 A 2 of the Code of Virginia, producers whose home state is not Virginia shall notify the commissioner of the cybersecurity event pursuant to § 38.2-625 A 2 of the Code of Virginia as set forth in subsection A of this section.
Statutory Authority
§§ 12.1-13 and 38.2-223 of the Code of Virginia.
Historical Notes
Derived from Virginia Register Volume 37, Issue 21, eff. June 1, 2021.
14VAC5-430-70. Consumer notification provisions.
A. Licensees, except those exempted under subsection A 1 or A 2 of § 38.2-629 of the Code of Virginia, that determine a cybersecurity event has occurred and has caused or has a reasonable likelihood of causing identity theft or other fraud to consumers whose information was accessed or acquired shall notify those consumers in accordance with § 38.2-626 of the Code of Virginia, subject to any applicable numerical threshold.
B. Each licensee required to notify consumers of a cybersecurity event that does not intend to notify consumers based on a belief that the cybersecurity event does not have a reasonable likelihood of causing identity theft or other fraud to the consumers shall notify the commissioner, without unreasonable delay, of its position and provide an explanation supporting the licensee's position.
Statutory Authority
§§ 12.1-13 and 38.2-223 of the Code of Virginia.
Historical Notes
Derived from Virginia Register Volume 37, Issue 21, eff. June 1, 2021.
Documents Incorporated by Reference (14VAC5-430)
National Institute of Standards and Technology, Computer Security Division, Information Technology Laboratory, 100 Bureau Drive (Mail Stop 8930), Gaithersburg, MD 20899-8930, sec-cert@nist.gov
NIST, Special Publication, Guide for Conducting Risk Assessments, 800-30 (rev. 9/2012)
NIST, Special Publication, Security and Privacy Controls for Federal Information Systems and Organizations, 800-53 (rev. 9/2021)
NIST, Special Publication, Protecting Controlled Unclassified Information, 800-171 (rev. 2/2020)