{"formats":[{"name":"JSON","format":"json","url":"\/downloads\/2025\/code-json\/38.2-623.json"},{"name":"Plain Text","format":"text","url":"\/downloads\/2025\/code-text\/38.2-623.txt"},{"name":"XML","format":"xml","url":"\/downloads\/2025\/code-xml\/38.2-623.xml"},{"name":"HTML","format":"html","url":"\/downloads\/2025\/code-html\/38.2-623.html"}],"law_id":83071,"edition_id":1,"section_id":83071,"structure_id":12923,"section_number":"38.2-623","catch_line":"Information security program","history":"2020, c. 264.","full_text":"A\n\nCommensurate with the size and complexity of the licensee; the nature and scope of the licensee&#8217;s activities, including its use of third-party service providers; and the sensitivity of the nonpublic information used by the licensee or in the licensee&#8217;s possession, custody, or control, each licensee shall develop, implement, and maintain a comprehensive written information security program based on the licensee&#8217;s assessment of the licensee&#8217;s risk and that contains administrative, technical, and physical safeguards for the protection of nonpublic information and the licensee&#8217;s information system.B\n\nEach licensee&#8217;s information security program shall be designed to:1\n\nProtect the security and confidentiality of nonpublic information and the security of the information system;2\n\nProtect against any reasonably foreseeable threats or hazards to the security or integrity of nonpublic information and the information system;3\n\nProtect against unauthorized access to or use of nonpublic information, and minimize the likelihood of harm to any consumer; and4\n\nDefine and periodically reevaluate a schedule for retention of nonpublic information and a mechanism for its destruction.C\n\nEach licensee shall:1\n\nDesignate one or more employees, an affiliate, or an outside vendor designated to act on behalf of the licensee who is responsible for the information security program;2\n\nDesign its information security program to mitigate the identified risks, commensurate with the size and complexity of the licensee; the nature and scope of the licensee&#8217;s activities, including its use of third-party service providers; and the sensitivity of the nonpublic information used by the licensee or in the licensee&#8217;s possession, custody, or control;3\n\nPlace access controls on information systems, including controls to authenticate and permit access only to authorized persons to protect against the unauthorized acquisition of nonpublic information;4\n\nAt physical locations containing nonpublic information, restrict access to nonpublic information to authorized persons only;5\n\nImplement measures to protect against destruction, loss, or damage of nonpublic information due to environmental hazards, such as fire and water damage or other catastrophes or technological failures;6\n\nDevelop, implement, and maintain procedures for the secure disposal of nonpublic information in any format;7\n\nStay informed regarding emerging threats or vulnerabilities and utilize reasonable security measures when sharing information relative to the character of the sharing and the type of information shared; and8\n\nProvide its personnel with cybersecurity awareness training.D\n\n1. If a licensee has a board of directors, the board or an appropriate committee of the board shall, at a minimum, require the licensee&#8217;s information executive management or its delegates to (i) develop, implement, and maintain the licensee&#8217;s information security program and (ii) report in writing (a) the overall status of the information security program and the licensee&#8217;s compliance with this article and (b) material matters related to the information security program, addressing issues such as risk assessment, risk management and control decisions, third-party service provider arrangements, results of testing, cybersecurity events or violations and management&#8217;s responses thereto, and recommendations for changes in the information security program.2\n\nIf executive management delegates any of its responsibilities under this section, it shall oversee the development, implementation, and maintenance of the licensee&#8217;s information security program prepared by the delegate and shall receive a report from the delegate complying with the requirements of subdivision 1.E\n\nBeginning July 1, 2022, if a licensee utilizes a third-party service provider, the licensee shall:1\n\nExercise due diligence in selecting its third-party service provider; and2\n\nRequire a third-party service provider to implement appropriate administrative, technical, and physical measures to protect and secure the information systems and nonpublic information that are accessible to, or held by, the third-party service provider.F\n\nEach licensee shall monitor, evaluate, and adjust, as appropriate, the information security program consistent with any relevant changes in technology, the sensitivity of its nonpublic information, internal or external threats to information, and the licensee&#8217;s own changing business arrangements, such as mergers and acquisitions, alliances and joint ventures, outsourcing arrangements, and changes to information systems.G\n\nAs part of its information security program, each licensee shall establish a written incident response plan designed to promptly respond to, and recover from, any cybersecurity event that compromises the confidentiality, integrity, or availability of nonpublic information in its possession; the licensee&#8217;s information systems; or the continuing functionality of any aspect of the licensee&#8217;s business or operations. Such incident response plan shall address:1\n\nThe internal process for responding to a cybersecurity event;2\n\nThe goals of the incident response plan;3\n\nThe definition of clear roles, responsibilities, and levels of decision-making authority;4\n\nExternal and internal communications and information sharing;5\n\nIdentification of requirements for the remediation of any identified weaknesses in information systems and associated controls;6\n\nDocumentation and reporting regarding cybersecurity events and related incident response activities; and7\n\nThe evaluation and revision, as necessary, of the incident response plan following a cybersecurity event.H\n\nBeginning in 2023 and annually thereafter, each insurer domiciled in the Commonwealth shall, by February 15, submit to the Commissioner a written statement certifying that the insurer is in compliance with the requirements set forth in this section, any rules adopted pursuant to this article, and any requirements prescribed by the Commission. Each insurer shall maintain for examination by the Bureau all records, schedules, and data supporting this certificate for a period of five years. To the extent an insurer has identified areas, systems, or processes that require material improvement, updating, or redesign, the insurer shall document the identification and the remedial efforts planned and underway to address such areas, systems, or processes. Such documentation must be available for inspection by the Commissioner.","order_by":null,"text":{"0":{"id":297710,"text":"Commensurate with the size and complexity of the licensee; the nature and scope of the licensee&#8217;s activities, including its use of third-party service providers; and the sensitivity of the nonpublic information used by the licensee or in the licensee&#8217;s possession, custody, or control, each licensee shall develop, implement, and maintain a comprehensive written information security program based on the licensee&#8217;s assessment of the licensee&#8217;s risk and that contains administrative, technical, and physical safeguards for the protection of nonpublic information and the licensee&#8217;s information system.","type":"section","prefixes":["A"],"prefix":"A","entire_prefix":"A","prefix_anchor":"A","level":1,"next_prefix":"B"},"1":{"id":297711,"text":"Each licensee&#8217;s information security program shall be designed to:","type":"section","prefixes":["B"],"prefix":"B","entire_prefix":"B","prefix_anchor":"B","level":1,"prior_prefix":"A","next_prefix":"B1"},"2":{"id":297712,"text":"Protect the security and confidentiality of nonpublic information and the security of the information system;","type":"section","prefixes":["B","1"],"prefix":"1","entire_prefix":"B1","prefix_anchor":"B1","level":2,"prior_prefix":"B","next_prefix":"B2"},"3":{"id":297713,"text":"Protect against any reasonably foreseeable threats or hazards to the security or integrity of nonpublic information and the information system;","type":"section","prefixes":["B","2"],"prefix":"2","entire_prefix":"B2","prefix_anchor":"B2","level":2,"prior_prefix":"B1","next_prefix":"B3"},"4":{"id":297714,"text":"Protect against unauthorized access to or use of nonpublic information, and minimize the likelihood of harm to any consumer; and","type":"section","prefixes":["B","3"],"prefix":"3","entire_prefix":"B3","prefix_anchor":"B3","level":2,"prior_prefix":"B2","next_prefix":"B4"},"5":{"id":297715,"text":"Define and periodically reevaluate a schedule for retention of nonpublic information and a mechanism for its destruction.","type":"section","prefixes":["B","4"],"prefix":"4","entire_prefix":"B4","prefix_anchor":"B4","level":2,"prior_prefix":"B3","next_prefix":"C"},"6":{"id":297716,"text":"Each licensee shall:","type":"section","prefixes":["C"],"prefix":"C","entire_prefix":"C","prefix_anchor":"C","level":1,"prior_prefix":"B4","next_prefix":"C1"},"7":{"id":297717,"text":"Designate one or more employees, an affiliate, or an outside vendor designated to act on behalf of the licensee who is responsible for the information security program;","type":"section","prefixes":["C","1"],"prefix":"1","entire_prefix":"C1","prefix_anchor":"C1","level":2,"prior_prefix":"C","next_prefix":"C2"},"8":{"id":297718,"text":"Design its information security program to mitigate the identified risks, commensurate with the size and complexity of the licensee; the nature and scope of the licensee&#8217;s activities, including its use of third-party service providers; and the sensitivity of the nonpublic information used by the licensee or in the licensee&#8217;s possession, custody, or control;","type":"section","prefixes":["C","2"],"prefix":"2","entire_prefix":"C2","prefix_anchor":"C2","level":2,"prior_prefix":"C1","next_prefix":"C3"},"9":{"id":297719,"text":"Place access controls on information systems, including controls to authenticate and permit access only to authorized persons to protect against the unauthorized acquisition of nonpublic information;","type":"section","prefixes":["C","3"],"prefix":"3","entire_prefix":"C3","prefix_anchor":"C3","level":2,"prior_prefix":"C2","next_prefix":"C4"},"10":{"id":297720,"text":"At physical locations containing nonpublic information, restrict access to nonpublic information to authorized persons only;","type":"section","prefixes":["C","4"],"prefix":"4","entire_prefix":"C4","prefix_anchor":"C4","level":2,"prior_prefix":"C3","next_prefix":"C5"},"11":{"id":297721,"text":"Implement measures to protect against destruction, loss, or damage of nonpublic information due to environmental hazards, such as fire and water damage or other catastrophes or technological failures;","type":"section","prefixes":["C","5"],"prefix":"5","entire_prefix":"C5","prefix_anchor":"C5","level":2,"prior_prefix":"C4","next_prefix":"C6"},"12":{"id":297722,"text":"Develop, implement, and maintain procedures for the secure disposal of nonpublic information in any format;","type":"section","prefixes":["C","6"],"prefix":"6","entire_prefix":"C6","prefix_anchor":"C6","level":2,"prior_prefix":"C5","next_prefix":"C7"},"13":{"id":297723,"text":"Stay informed regarding emerging threats or vulnerabilities and utilize reasonable security measures when sharing information relative to the character of the sharing and the type of information shared; and","type":"section","prefixes":["C","7"],"prefix":"7","entire_prefix":"C7","prefix_anchor":"C7","level":2,"prior_prefix":"C6","next_prefix":"C8"},"14":{"id":297724,"text":"Provide its personnel with cybersecurity awareness training.","type":"section","prefixes":["C","8"],"prefix":"8","entire_prefix":"C8","prefix_anchor":"C8","level":2,"prior_prefix":"C7","next_prefix":"D"},"15":{"id":297725,"text":"1. If a licensee has a board of directors, the board or an appropriate committee of the board shall, at a minimum, require the licensee&#8217;s information executive management or its delegates to (i) develop, implement, and maintain the licensee&#8217;s information security program and (ii) report in writing (a) the overall status of the information security program and the licensee&#8217;s compliance with this article and (b) material matters related to the information security program, addressing issues such as risk assessment, risk management and control decisions, third-party service provider arrangements, results of testing, cybersecurity events or violations and management&#8217;s responses thereto, and recommendations for changes in the information security program.","type":"section","prefixes":["D"],"prefix":"D","entire_prefix":"D","prefix_anchor":"D","level":1,"prior_prefix":"C8","next_prefix":"D2"},"16":{"id":297726,"text":"If executive management delegates any of its responsibilities under this section, it shall oversee the development, implementation, and maintenance of the licensee&#8217;s information security program prepared by the delegate and shall receive a report from the delegate complying with the requirements of subdivision 1.","type":"section","prefixes":["D","2"],"prefix":"2","entire_prefix":"D2","prefix_anchor":"D2","level":2,"prior_prefix":"D","next_prefix":"E"},"17":{"id":297727,"text":"Beginning July 1, 2022, if a licensee utilizes a third-party service provider, the licensee shall:","type":"section","prefixes":["E"],"prefix":"E","entire_prefix":"E","prefix_anchor":"E","level":1,"prior_prefix":"D2","next_prefix":"E1"},"18":{"id":297728,"text":"Exercise due diligence in selecting its third-party service provider; and","type":"section","prefixes":["E","1"],"prefix":"1","entire_prefix":"E1","prefix_anchor":"E1","level":2,"prior_prefix":"E","next_prefix":"E2"},"19":{"id":297729,"text":"Require a third-party service provider to implement appropriate administrative, technical, and physical measures to protect and secure the information systems and nonpublic information that are accessible to, or held by, the third-party service provider.","type":"section","prefixes":["E","2"],"prefix":"2","entire_prefix":"E2","prefix_anchor":"E2","level":2,"prior_prefix":"E1","next_prefix":"F"},"20":{"id":297730,"text":"Each licensee shall monitor, evaluate, and adjust, as appropriate, the information security program consistent with any relevant changes in technology, the sensitivity of its nonpublic information, internal or external threats to information, and the licensee&#8217;s own changing business arrangements, such as mergers and acquisitions, alliances and joint ventures, outsourcing arrangements, and changes to information systems.","type":"section","prefixes":["F"],"prefix":"F","entire_prefix":"F","prefix_anchor":"F","level":1,"prior_prefix":"E2","next_prefix":"G"},"21":{"id":297731,"text":"As part of its information security program, each licensee shall establish a written incident response plan designed to promptly respond to, and recover from, any cybersecurity event that compromises the confidentiality, integrity, or availability of nonpublic information in its possession; the licensee&#8217;s information systems; or the continuing functionality of any aspect of the licensee&#8217;s business or operations. Such incident response plan shall address:","type":"section","prefixes":["G"],"prefix":"G","entire_prefix":"G","prefix_anchor":"G","level":1,"prior_prefix":"F","next_prefix":"G1"},"22":{"id":297732,"text":"The internal process for responding to a cybersecurity event;","type":"section","prefixes":["G","1"],"prefix":"1","entire_prefix":"G1","prefix_anchor":"G1","level":2,"prior_prefix":"G","next_prefix":"G2"},"23":{"id":297733,"text":"The goals of the incident response plan;","type":"section","prefixes":["G","2"],"prefix":"2","entire_prefix":"G2","prefix_anchor":"G2","level":2,"prior_prefix":"G1","next_prefix":"G3"},"24":{"id":297734,"text":"The definition of clear roles, responsibilities, and levels of decision-making authority;","type":"section","prefixes":["G","3"],"prefix":"3","entire_prefix":"G3","prefix_anchor":"G3","level":2,"prior_prefix":"G2","next_prefix":"G4"},"25":{"id":297735,"text":"External and internal communications and information sharing;","type":"section","prefixes":["G","4"],"prefix":"4","entire_prefix":"G4","prefix_anchor":"G4","level":2,"prior_prefix":"G3","next_prefix":"G5"},"26":{"id":297736,"text":"Identification of requirements for the remediation of any identified weaknesses in information systems and associated controls;","type":"section","prefixes":["G","5"],"prefix":"5","entire_prefix":"G5","prefix_anchor":"G5","level":2,"prior_prefix":"G4","next_prefix":"G6"},"27":{"id":297737,"text":"Documentation and reporting regarding cybersecurity events and related incident response activities; and","type":"section","prefixes":["G","6"],"prefix":"6","entire_prefix":"G6","prefix_anchor":"G6","level":2,"prior_prefix":"G5","next_prefix":"G7"},"28":{"id":297738,"text":"The evaluation and revision, as necessary, of the incident response plan following a cybersecurity event.","type":"section","prefixes":["G","7"],"prefix":"7","entire_prefix":"G7","prefix_anchor":"G7","level":2,"prior_prefix":"G6","next_prefix":"H"},"29":{"id":297739,"text":"Beginning in 2023 and annually thereafter, each insurer domiciled in the Commonwealth shall, by February 15, submit to the Commissioner a written statement certifying that the insurer is in compliance with the requirements set forth in this section, any rules adopted pursuant to this article, and any requirements prescribed by the Commission. Each insurer shall maintain for examination by the Bureau all records, schedules, and data supporting this certificate for a period of five years. To the extent an insurer has identified areas, systems, or processes that require material improvement, updating, or redesign, the insurer shall document the identification and the remedial efforts planned and underway to address such areas, systems, or processes. Such documentation must be available for inspection by the Commissioner.","type":"section","prefixes":["H"],"prefix":"H","entire_prefix":"H","prefix_anchor":"H","level":1,"prior_prefix":"G7"}},"ancestry":[{"id":12923,"edition_id":1,"name":"Insurance Data Security Act","identifier":"2","label":"article","depth":3,"order_by":1,"parent_id":12922,"metadata":{},"date_created":"2026-06-26 03:44:01","date_modified":"2026-06-26 03:44:01","permalink":{"id":218125,"object_type":"structure","relational_id":12923,"identifier":"2","token":"38.2\/6\/2","url":"\/38.2\/6\/2\/","edition_id":1,"permalink":0,"preferred":1}},{"id":12922,"edition_id":1,"name":"Insurance Information and Privacy Protection","identifier":"6","label":"chapter","depth":2,"order_by":1,"parent_id":12698,"metadata":{},"date_created":"2026-06-26 03:44:01","date_modified":"2026-06-26 03:44:01","permalink":{"id":218013,"object_type":"structure","relational_id":12922,"identifier":"6","token":"38.2\/6","url":"\/38.2\/6\/","edition_id":1,"permalink":0,"preferred":1}},{"id":12698,"edition_id":1,"name":"Insurance","identifier":"38.2","label":"title","depth":1,"order_by":1,"parent_id":null,"metadata":{},"date_created":"2026-06-26 03:43:49","date_modified":"2026-06-26 03:43:49","permalink":{"id":210661,"object_type":"structure","relational_id":12698,"identifier":"38.2","token":"38.2","url":"\/38.2\/","edition_id":1,"permalink":0,"preferred":1}}],"structure_contents":[{"id":86014,"structure_id":12923,"section_number":"38.2-621","catch_line":"Definitions","url":"\/38.2-621\/","token":"38.2\/6\/2\/38.2-621","metadata":false},{"id":54858,"structure_id":12923,"section_number":"38.2-622","catch_line":"Private cause of action; neither created nor curtailed","url":"\/38.2-622\/","token":"38.2\/6\/2\/38.2-622","metadata":false},{"id":83071,"structure_id":12923,"section_number":"38.2-623","catch_line":"Information security program","url":"\/38.2-623\/","token":"38.2\/6\/2\/38.2-623","metadata":false},{"id":59652,"structure_id":12923,"section_number":"38.2-624","catch_line":"Investigation of a cybersecurity event","url":"\/38.2-624\/","token":"38.2\/6\/2\/38.2-624","metadata":false},{"id":82527,"structure_id":12923,"section_number":"38.2-625","catch_line":"Notice to Commissioner","url":"\/38.2-625\/","token":"38.2\/6\/2\/38.2-625","metadata":false},{"id":75700,"structure_id":12923,"section_number":"38.2-626","catch_line":"Notice to consumers","url":"\/38.2-626\/","token":"38.2\/6\/2\/38.2-626","metadata":false},{"id":64871,"structure_id":12923,"section_number":"38.2-627","catch_line":"Powers and duties of the Commission; exclusive state standards","url":"\/38.2-627\/","token":"38.2\/6\/2\/38.2-627","metadata":false},{"id":57578,"structure_id":12923,"section_number":"38.2-628","catch_line":"Confidentiality","url":"\/38.2-628\/","token":"38.2\/6\/2\/38.2-628","metadata":false},{"id":54030,"structure_id":12923,"section_number":"38.2-629","catch_line":"Exceptions","url":"\/38.2-629\/","token":"38.2\/6\/2\/38.2-629","metadata":false}],"previous_section":{"id":54858,"structure_id":12923,"section_number":"38.2-622","catch_line":"Private cause of action; neither created nor curtailed","url":"\/38.2-622\/","token":"38.2\/6\/2\/38.2-622","metadata":false},"next_section":{"id":59652,"structure_id":12923,"section_number":"38.2-624","catch_line":"Investigation of a cybersecurity event","url":"\/38.2-624\/","token":"38.2\/6\/2\/38.2-624","metadata":false},"metadata":false,"official_url":"https:\/\/law.lis.virginia.gov\/vacode\/38.2-623\/","history_text":"<p>This law was first created in 2020. The record of its establishment is cataloged in chapter <a href=\"https:\/\/legacylis.virginia.gov\/cgi-bin\/legp604.exe?201+ful+CHAP0264\">264<\/a> of that year\u2019s edition of \u201cActs of Assembly,\u201d the annual state publication listing all changes made to the Code of Virginia in that year.<\/p>","references":[{"id":57578,"section_number":"38.2-628","catch_line":"Confidentiality","order_by":null,"url":"\/38.2-628\/"},{"id":54030,"section_number":"38.2-629","catch_line":"Exceptions","order_by":null,"url":"\/38.2-629\/"}],"refers_to":false,"permalink":{"id":218135,"object_type":"law","relational_id":83071,"identifier":"38.2-623","token":"38.2\/6\/2\/38.2-623","url":"\/38.2-623\/","edition_id":1,"permalink":0,"preferred":1},"url":"\/38.2-623\/","token":"38.2\/6\/2\/38.2-623","dublin_core":{"Title":"Information security program","Type":"Text","Format":"text\/html","Identifier":"\u00a7 38.2-623","Relation":"Code of Virginia"},"html":"\n\t\t\t\t\t\t<section id=\"A\"><p><span class=\"prefix-number\">A.<\/span> Commensurate with the size and complexity of the <span class=\"dictionary\">licensee<\/span>; the nature and scope of the <span class=\"dictionary\">licensee<\/span>&#8217;s activities, including its use of <span class=\"dictionary\">third-<span class=\"dictionary\">party<\/span> service providers<\/span>; and the sensitivity of the <span class=\"dictionary\">nonpublic information<\/span> used by the <span class=\"dictionary\">licensee<\/span> or in the <span class=\"dictionary\">licensee<\/span>&#8217;s <span class=\"dictionary\">possession<\/span>, <span class=\"dictionary\">custody<\/span>, or control, each <span class=\"dictionary\">licensee<\/span> shall develop, implement, and maintain a comprehensive written <span class=\"dictionary\">information security program<\/span> based on the <span class=\"dictionary\">licensee<\/span>&#8217;s assessment of the <span class=\"dictionary\">licensee<\/span>&#8217;s risk and that contains administrative, technical, and physical safeguards for the protection of <span class=\"dictionary\">nonpublic information<\/span> and the <span class=\"dictionary\">licensee<\/span>&#8217;s <span class=\"dictionary\">information system<\/span>. <a id=\"paragraph-297710\" class=\"section-permalink\" href=\"https:\/\/vacode.org\/38.2-623\/#A\"><i class=\"fa fa-link\"><\/i><\/a><\/p><\/section>\n\t\t\t\t\t\t<section id=\"B\"><p><span class=\"prefix-number\">B.<\/span> Each <span class=\"dictionary\">licensee<\/span>&#8217;s <span class=\"dictionary\">information security program<\/span> shall be designed to: <a id=\"paragraph-297711\" class=\"section-permalink\" href=\"https:\/\/vacode.org\/38.2-623\/#B\"><i class=\"fa fa-link\"><\/i><\/a><\/p><\/section>\n\t\t\t\t\t\t<section id=\"B1\" class=\"indent-1\"><p><span class=\"prefix-number\">1.<\/span> Protect the security and confidentiality of <span class=\"dictionary\">nonpublic information<\/span> and the security of the <span class=\"dictionary\">information system<\/span>; <a id=\"paragraph-297712\" class=\"section-permalink\" href=\"https:\/\/vacode.org\/38.2-623\/#B1\"><i class=\"fa fa-link\"><\/i><\/a><\/p><\/section>\n\t\t\t\t\t\t<section id=\"B2\" class=\"indent-1\"><p><span class=\"prefix-number\">2.<\/span> Protect against any reasonably foreseeable threats or hazards to the security or integrity of <span class=\"dictionary\">nonpublic information<\/span> and the <span class=\"dictionary\">information system<\/span>; <a id=\"paragraph-297713\" class=\"section-permalink\" href=\"https:\/\/vacode.org\/38.2-623\/#B2\"><i class=\"fa fa-link\"><\/i><\/a><\/p><\/section>\n\t\t\t\t\t\t<section id=\"B3\" class=\"indent-1\"><p><span class=\"prefix-number\">3.<\/span> Protect against unauthorized access to or use of <span class=\"dictionary\">nonpublic information<\/span>, and minimize the likelihood of harm to any <span class=\"dictionary\">consumer<\/span>; and <a id=\"paragraph-297714\" class=\"section-permalink\" href=\"https:\/\/vacode.org\/38.2-623\/#B3\"><i class=\"fa fa-link\"><\/i><\/a><\/p><\/section>\n\t\t\t\t\t\t<section id=\"B4\" class=\"indent-1\"><p><span class=\"prefix-number\">4.<\/span> Define and periodically reevaluate a schedule for retention of <span class=\"dictionary\">nonpublic information<\/span> and a mechanism for its destruction. <a id=\"paragraph-297715\" class=\"section-permalink\" href=\"https:\/\/vacode.org\/38.2-623\/#B4\"><i class=\"fa fa-link\"><\/i><\/a><\/p><\/section>\n\t\t\t\t\t\t<section id=\"C\"><p><span class=\"prefix-number\">C.<\/span> Each <span class=\"dictionary\">licensee<\/span> shall: <a id=\"paragraph-297716\" class=\"section-permalink\" href=\"https:\/\/vacode.org\/38.2-623\/#C\"><i class=\"fa fa-link\"><\/i><\/a><\/p><\/section>\n\t\t\t\t\t\t<section id=\"C1\" class=\"indent-1\"><p><span class=\"prefix-number\">1.<\/span> Designate one or more employees, an affiliate, or an outside vendor designated to act on behalf of the <span class=\"dictionary\">licensee<\/span> who is responsible for the <span class=\"dictionary\">information security program<\/span>; <a id=\"paragraph-297717\" class=\"section-permalink\" href=\"https:\/\/vacode.org\/38.2-623\/#C1\"><i class=\"fa fa-link\"><\/i><\/a><\/p><\/section>\n\t\t\t\t\t\t<section id=\"C2\" class=\"indent-1\"><p><span class=\"prefix-number\">2.<\/span> Design its <span class=\"dictionary\">information security program<\/span> to mitigate the identified risks, commensurate with the size and complexity of the <span class=\"dictionary\">licensee<\/span>; the nature and scope of the <span class=\"dictionary\">licensee<\/span>&#8217;s activities, including its use of <span class=\"dictionary\">third-<span class=\"dictionary\">party<\/span> service providers<\/span>; and the sensitivity of the <span class=\"dictionary\">nonpublic information<\/span> used by the <span class=\"dictionary\">licensee<\/span> or in the <span class=\"dictionary\">licensee<\/span>&#8217;s <span class=\"dictionary\">possession<\/span>, <span class=\"dictionary\">custody<\/span>, or control; <a id=\"paragraph-297718\" class=\"section-permalink\" href=\"https:\/\/vacode.org\/38.2-623\/#C2\"><i class=\"fa fa-link\"><\/i><\/a><\/p><\/section>\n\t\t\t\t\t\t<section id=\"C3\" class=\"indent-1\"><p><span class=\"prefix-number\">3.<\/span> Place access controls on <span class=\"dictionary\">information systems<\/span>, including controls to authenticate and permit access only to <span class=\"dictionary\">authorized persons<\/span> to protect against the unauthorized acquisition of <span class=\"dictionary\">nonpublic information<\/span>; <a id=\"paragraph-297719\" class=\"section-permalink\" href=\"https:\/\/vacode.org\/38.2-623\/#C3\"><i class=\"fa fa-link\"><\/i><\/a><\/p><\/section>\n\t\t\t\t\t\t<section id=\"C4\" class=\"indent-1\"><p><span class=\"prefix-number\">4.<\/span> At physical locations containing <span class=\"dictionary\">nonpublic information<\/span>, restrict access to <span class=\"dictionary\">nonpublic information<\/span> to <span class=\"dictionary\">authorized persons<\/span> only; <a id=\"paragraph-297720\" class=\"section-permalink\" href=\"https:\/\/vacode.org\/38.2-623\/#C4\"><i class=\"fa fa-link\"><\/i><\/a><\/p><\/section>\n\t\t\t\t\t\t<section id=\"C5\" class=\"indent-1\"><p><span class=\"prefix-number\">5.<\/span> Implement measures to protect against destruction, loss, or damage of <span class=\"dictionary\">nonpublic information<\/span> due to environmental hazards, such as fire and water damage or other catastrophes or technological failures; <a id=\"paragraph-297721\" class=\"section-permalink\" href=\"https:\/\/vacode.org\/38.2-623\/#C5\"><i class=\"fa fa-link\"><\/i><\/a><\/p><\/section>\n\t\t\t\t\t\t<section id=\"C6\" class=\"indent-1\"><p><span class=\"prefix-number\">6.<\/span> Develop, implement, and maintain procedures for the secure disposal of <span class=\"dictionary\">nonpublic information<\/span> in any format; <a id=\"paragraph-297722\" class=\"section-permalink\" href=\"https:\/\/vacode.org\/38.2-623\/#C6\"><i class=\"fa fa-link\"><\/i><\/a><\/p><\/section>\n\t\t\t\t\t\t<section id=\"C7\" class=\"indent-1\"><p><span class=\"prefix-number\">7.<\/span> <span class=\"dictionary\">Stay<\/span> informed regarding emerging threats or vulnerabilities and utilize reasonable security measures when sharing information relative to the character of the sharing and the type of information shared; and <a id=\"paragraph-297723\" class=\"section-permalink\" href=\"https:\/\/vacode.org\/38.2-623\/#C7\"><i class=\"fa fa-link\"><\/i><\/a><\/p><\/section>\n\t\t\t\t\t\t<section id=\"C8\" class=\"indent-1\"><p><span class=\"prefix-number\">8.<\/span> Provide its personnel with cybersecurity awareness training. <a id=\"paragraph-297724\" class=\"section-permalink\" href=\"https:\/\/vacode.org\/38.2-623\/#C8\"><i class=\"fa fa-link\"><\/i><\/a><\/p><\/section>\n\t\t\t\t\t\t<section id=\"D\"><p><span class=\"prefix-number\">D.<\/span> 1. If a <span class=\"dictionary\">licensee<\/span> has a board of directors, the board or an appropriate committee of the board shall, at a minimum, require the <span class=\"dictionary\">licensee<\/span>&#8217;s information executive management or its delegates to (i) develop, implement, and maintain the <span class=\"dictionary\">licensee<\/span>&#8217;s <span class=\"dictionary\">information security program<\/span> and (ii) report in writing (a) the overall status of the <span class=\"dictionary\">information security program<\/span> and the <span class=\"dictionary\">licensee<\/span>&#8217;s compliance with this article and (b) <span class=\"dictionary\">material<\/span> matters related to the <span class=\"dictionary\">information security program<\/span>, addressing <span class=\"dictionary\">issues<\/span> such as risk assessment, risk management and control decisions, <span class=\"dictionary\">third-<span class=\"dictionary\">party<\/span> service provider<\/span> arrangements, results of testing, <span class=\"dictionary\">cybersecurity events<\/span> or violations and management&#8217;s responses thereto, and recommendations for changes in the <span class=\"dictionary\">information security program<\/span>. <a id=\"paragraph-297725\" class=\"section-permalink\" href=\"https:\/\/vacode.org\/38.2-623\/#D\"><i class=\"fa fa-link\"><\/i><\/a><\/p><\/section>\n\t\t\t\t\t\t<section id=\"D2\" class=\"indent-1\"><p><span class=\"prefix-number\">2.<\/span> If executive management delegates any of its responsibilities under this section, it shall oversee the development, implementation, and maintenance of the <span class=\"dictionary\">licensee<\/span>&#8217;s <span class=\"dictionary\">information security program<\/span> prepared by the delegate and shall receive a report from the delegate complying with the requirements of subdivision 1. <a id=\"paragraph-297726\" class=\"section-permalink\" href=\"https:\/\/vacode.org\/38.2-623\/#D2\"><i class=\"fa fa-link\"><\/i><\/a><\/p><\/section>\n\t\t\t\t\t\t<section id=\"E\"><p><span class=\"prefix-number\">E.<\/span> Beginning July 1, 2022, if a <span class=\"dictionary\">licensee<\/span> utilizes a <span class=\"dictionary\">third-<span class=\"dictionary\">party<\/span> service provider<\/span>, the <span class=\"dictionary\">licensee<\/span> shall: <a id=\"paragraph-297727\" class=\"section-permalink\" href=\"https:\/\/vacode.org\/38.2-623\/#E\"><i class=\"fa fa-link\"><\/i><\/a><\/p><\/section>\n\t\t\t\t\t\t<section id=\"E1\" class=\"indent-1\"><p><span class=\"prefix-number\">1.<\/span> Exercise due diligence in selecting its <span class=\"dictionary\">third-<span class=\"dictionary\">party<\/span> service provider<\/span>; and <a id=\"paragraph-297728\" class=\"section-permalink\" href=\"https:\/\/vacode.org\/38.2-623\/#E1\"><i class=\"fa fa-link\"><\/i><\/a><\/p><\/section>\n\t\t\t\t\t\t<section id=\"E2\" class=\"indent-1\"><p><span class=\"prefix-number\">2.<\/span> Require a <span class=\"dictionary\">third-<span class=\"dictionary\">party<\/span> service provider<\/span> to implement appropriate administrative, technical, and physical measures to protect and secure the <span class=\"dictionary\">information systems<\/span> and <span class=\"dictionary\">nonpublic information<\/span> that are accessible to, or held by, the <span class=\"dictionary\">third-<span class=\"dictionary\">party<\/span> service provider<\/span>. <a id=\"paragraph-297729\" class=\"section-permalink\" href=\"https:\/\/vacode.org\/38.2-623\/#E2\"><i class=\"fa fa-link\"><\/i><\/a><\/p><\/section>\n\t\t\t\t\t\t<section id=\"F\"><p><span class=\"prefix-number\">F.<\/span> Each <span class=\"dictionary\">licensee<\/span> shall monitor, evaluate, and adjust, as appropriate, the <span class=\"dictionary\">information security program<\/span> consistent with any relevant changes in technology, the sensitivity of its <span class=\"dictionary\">nonpublic information<\/span>, internal or external threats to information, and the <span class=\"dictionary\">licensee<\/span>&#8217;s own changing business arrangements, such as mergers and acquisitions, alliances and joint ventures, outsourcing arrangements, and changes to <span class=\"dictionary\">information systems<\/span>. <a id=\"paragraph-297730\" class=\"section-permalink\" href=\"https:\/\/vacode.org\/38.2-623\/#F\"><i class=\"fa fa-link\"><\/i><\/a><\/p><\/section>\n\t\t\t\t\t\t<section id=\"G\"><p><span class=\"prefix-number\">G.<\/span> As part of its <span class=\"dictionary\">information security program<\/span>, each <span class=\"dictionary\">licensee<\/span> shall establish a written incident response plan designed to promptly respond to, and recover from, any <span class=\"dictionary\">cybersecurity event<\/span> that compromises the confidentiality, integrity, or availability of <span class=\"dictionary\">nonpublic information<\/span> in its <span class=\"dictionary\">possession<\/span>; the <span class=\"dictionary\">licensee<\/span>&#8217;s <span class=\"dictionary\">information systems<\/span>; or the continuing functionality of any aspect of the <span class=\"dictionary\">licensee<\/span>&#8217;s business or operations. Such incident response plan shall address: <a id=\"paragraph-297731\" class=\"section-permalink\" href=\"https:\/\/vacode.org\/38.2-623\/#G\"><i class=\"fa fa-link\"><\/i><\/a><\/p><\/section>\n\t\t\t\t\t\t<section id=\"G1\" class=\"indent-1\"><p><span class=\"prefix-number\">1.<\/span> The internal process for responding to a <span class=\"dictionary\">cybersecurity event<\/span>; <a id=\"paragraph-297732\" class=\"section-permalink\" href=\"https:\/\/vacode.org\/38.2-623\/#G1\"><i class=\"fa fa-link\"><\/i><\/a><\/p><\/section>\n\t\t\t\t\t\t<section id=\"G2\" class=\"indent-1\"><p><span class=\"prefix-number\">2.<\/span> The goals of the incident response plan; <a id=\"paragraph-297733\" class=\"section-permalink\" href=\"https:\/\/vacode.org\/38.2-623\/#G2\"><i class=\"fa fa-link\"><\/i><\/a><\/p><\/section>\n\t\t\t\t\t\t<section id=\"G3\" class=\"indent-1\"><p><span class=\"prefix-number\">3.<\/span> The definition of clear roles, responsibilities, and levels of decision-making authority; <a id=\"paragraph-297734\" class=\"section-permalink\" href=\"https:\/\/vacode.org\/38.2-623\/#G3\"><i class=\"fa fa-link\"><\/i><\/a><\/p><\/section>\n\t\t\t\t\t\t<section id=\"G4\" class=\"indent-1\"><p><span class=\"prefix-number\">4.<\/span> External and internal communications and information sharing; <a id=\"paragraph-297735\" class=\"section-permalink\" href=\"https:\/\/vacode.org\/38.2-623\/#G4\"><i class=\"fa fa-link\"><\/i><\/a><\/p><\/section>\n\t\t\t\t\t\t<section id=\"G5\" class=\"indent-1\"><p><span class=\"prefix-number\">5.<\/span> Identification of requirements for the remediation of any identified weaknesses in <span class=\"dictionary\">information systems<\/span> and associated controls; <a id=\"paragraph-297736\" class=\"section-permalink\" href=\"https:\/\/vacode.org\/38.2-623\/#G5\"><i class=\"fa fa-link\"><\/i><\/a><\/p><\/section>\n\t\t\t\t\t\t<section id=\"G6\" class=\"indent-1\"><p><span class=\"prefix-number\">6.<\/span> Documentation and reporting regarding <span class=\"dictionary\">cybersecurity events<\/span> and related incident response activities; and <a id=\"paragraph-297737\" class=\"section-permalink\" href=\"https:\/\/vacode.org\/38.2-623\/#G6\"><i class=\"fa fa-link\"><\/i><\/a><\/p><\/section>\n\t\t\t\t\t\t<section id=\"G7\" class=\"indent-1\"><p><span class=\"prefix-number\">7.<\/span> The evaluation and revision, as necessary, of the incident response plan following a <span class=\"dictionary\">cybersecurity event<\/span>. <a id=\"paragraph-297738\" class=\"section-permalink\" href=\"https:\/\/vacode.org\/38.2-623\/#G7\"><i class=\"fa fa-link\"><\/i><\/a><\/p><\/section>\n\t\t\t\t\t\t<section id=\"H\"><p><span class=\"prefix-number\">H.<\/span> Beginning in 2023 and annually thereafter, each <span class=\"dictionary\">insurer<\/span> domiciled in the Commonwealth shall, by February 15, submit to the <span class=\"dictionary\">Commissioner<\/span> a written statement certifying that the <span class=\"dictionary\">insurer<\/span> is in compliance with the requirements set forth in this section, any rules adopted pursuant to this article, and any requirements prescribed by the <span class=\"dictionary\">Commission<\/span>. Each <span class=\"dictionary\">insurer<\/span> shall maintain for examination by the <span class=\"dictionary\">Bureau<\/span> all records, <span class=\"dictionary\">schedules<\/span>, and data supporting this certificate for a period of five years. To the extent an <span class=\"dictionary\">insurer<\/span> has identified areas, systems, or processes that require <span class=\"dictionary\">material<\/span> improvement, updating, or redesign, the <span class=\"dictionary\">insurer<\/span> shall document the identification and the remedial efforts planned and underway to address such areas, systems, or processes. Such documentation must be available for inspection by the <span class=\"dictionary\">Commissioner<\/span>. <a id=\"paragraph-297739\" class=\"section-permalink\" href=\"https:\/\/vacode.org\/38.2-623\/#H\"><i class=\"fa fa-link\"><\/i><\/a><\/p><\/section>","plain_text":"                                 CODE OF VIRGINIA\n\nINFORMATION SECURITY PROGRAM (\u00a7 38.2-623)\n\nA. Commensurate with the size and complexity of the licensee; the nature and\nscope of the licensee&#8217;s activities, including its use of third-party\nservice providers; and the sensitivity of the nonpublic information used by the\nlicensee or in the licensee&#8217;s possession, custody, or control, each\nlicensee shall develop, implement, and maintain a comprehensive written\ninformation security program based on the licensee&#8217;s assessment of the\nlicensee&#8217;s risk and that contains administrative, technical, and physical\nsafeguards for the protection of nonpublic information and the licensee&#8217;s\ninformation system.\n\nB. Each licensee&#8217;s information security program shall be designed to:\n\n   1. Protect the security and confidentiality of nonpublic information and the\n   security of the information system;\n\n   2. Protect against any reasonably foreseeable threats or hazards to the\n   security or integrity of nonpublic information and the information system;\n\n   3. Protect against unauthorized access to or use of nonpublic information, and\n   minimize the likelihood of harm to any consumer; and\n\n   4. Define and periodically reevaluate a schedule for retention of nonpublic\n   information and a mechanism for its destruction.\n\nC. Each licensee shall:\n\n   1. Designate one or more employees, an affiliate, or an outside vendor\n   designated to act on behalf of the licensee who is responsible for the\n   information security program;\n\n   2. Design its information security program to mitigate the identified risks,\n   commensurate with the size and complexity of the licensee; the nature and\n   scope of the licensee&#8217;s activities, including its use of third-party\n   service providers; and the sensitivity of the nonpublic information used by\n   the licensee or in the licensee&#8217;s possession, custody, or control;\n\n   3. Place access controls on information systems, including controls to\n   authenticate and permit access only to authorized persons to protect against\n   the unauthorized acquisition of nonpublic information;\n\n   4. At physical locations containing nonpublic information, restrict access to\n   nonpublic information to authorized persons only;\n\n   5. Implement measures to protect against destruction, loss, or damage of\n   nonpublic information due to environmental hazards, such as fire and water\n   damage or other catastrophes or technological failures;\n\n   6. Develop, implement, and maintain procedures for the secure disposal of\n   nonpublic information in any format;\n\n   7. Stay informed regarding emerging threats or vulnerabilities and utilize\n   reasonable security measures when sharing information relative to the\n   character of the sharing and the type of information shared; and\n\n   8. Provide its personnel with cybersecurity awareness training.\n\nD. 1. If a licensee has a board of directors, the board or an appropriate\ncommittee of the board shall, at a minimum, require the licensee&#8217;s\ninformation executive management or its delegates to (i) develop, implement, and\nmaintain the licensee&#8217;s information security program and (ii) report in\nwriting (a) the overall status of the information security program and the\nlicensee&#8217;s compliance with this article and (b) material matters related\nto the information security program, addressing issues such as risk assessment,\nrisk management and control decisions, third-party service provider\narrangements, results of testing, cybersecurity events or violations and\nmanagement&#8217;s responses thereto, and recommendations for changes in the\ninformation security program.\n\n   2. If executive management delegates any of its responsibilities under this\n   section, it shall oversee the development, implementation, and maintenance of\n   the licensee&#8217;s information security program prepared by the delegate and\n   shall receive a report from the delegate complying with the requirements of\n   subdivision 1.\n\nE. Beginning July 1, 2022, if a licensee utilizes a third-party service\nprovider, the licensee shall:\n\n   1. Exercise due diligence in selecting its third-party service provider; and\n\n   2. Require a third-party service provider to implement appropriate\n   administrative, technical, and physical measures to protect and secure the\n   information systems and nonpublic information that are accessible to, or held\n   by, the third-party service provider.\n\nF. Each licensee shall monitor, evaluate, and adjust, as appropriate, the\ninformation security program consistent with any relevant changes in technology,\nthe sensitivity of its nonpublic information, internal or external threats to\ninformation, and the licensee&#8217;s own changing business arrangements, such\nas mergers and acquisitions, alliances and joint ventures, outsourcing\narrangements, and changes to information systems.\n\nG. As part of its information security program, each licensee shall establish a\nwritten incident response plan designed to promptly respond to, and recover\nfrom, any cybersecurity event that compromises the confidentiality, integrity,\nor availability of nonpublic information in its possession; the licensee&#8217;s\ninformation systems; or the continuing functionality of any aspect of the\nlicensee&#8217;s business or operations. Such incident response plan shall\naddress:\n\n   1. The internal process for responding to a cybersecurity event;\n\n   2. The goals of the incident response plan;\n\n   3. The definition of clear roles, responsibilities, and levels of\n   decision-making authority;\n\n   4. External and internal communications and information sharing;\n\n   5. Identification of requirements for the remediation of any identified\n   weaknesses in information systems and associated controls;\n\n   6. Documentation and reporting regarding cybersecurity events and related\n   incident response activities; and\n\n   7. The evaluation and revision, as necessary, of the incident response plan\n   following a cybersecurity event.\n\nH. Beginning in 2023 and annually thereafter, each insurer domiciled in the\nCommonwealth shall, by February 15, submit to the Commissioner a written\nstatement certifying that the insurer is in compliance with the requirements set\nforth in this section, any rules adopted pursuant to this article, and any\nrequirements prescribed by the Commission. Each insurer shall maintain for\nexamination by the Bureau all records, schedules, and data supporting this\ncertificate for a period of five years. To the extent an insurer has identified\nareas, systems, or processes that require material improvement, updating, or\nredesign, the insurer shall document the identification and the remedial efforts\nplanned and underway to address such areas, systems, or processes. Such\ndocumentation must be available for inspection by the Commissioner.\n\nHISTORY: 2020, c. 264.","edition":{"id":1,"name":"2025","slug":"2025","date_created":"2026-06-21 22:39:22","date_modified":"2026-06-21 22:39:22","current":1,"order_by":1,"last_import":null}}