<?xml version="1.0"?>
<law><site_title>Virginia Decoded</site_title><site_url>https://vacode.org</site_url><law_id>83071</law_id><section_number>38.2-623</section_number><catch_line>Information security program</catch_line><edition url="https://vacode.org/2025/" slug="2025" current="TRUE" last_updated="">2025</edition><referred_to_by><reference>38.2-628</reference><reference>38.2-629</reference></referred_to_by><structure><unit label="title" level="1" order_by="1" identifier="38.2">Insurance</unit><unit label="chapter" level="2" order_by="1" identifier="6">Insurance Information and Privacy Protection</unit><unit label="article" level="3" order_by="1" identifier="2">Insurance Data Security Act</unit></structure><text>
						<section id="A"><p><span class="prefix-number">A.</span> Commensurate with the size and complexity of the <span class="dictionary">licensee</span>; the nature and scope of the <span class="dictionary">licensee</span>&#x2019;s activities, including its use of <span class="dictionary">third-<span class="dictionary">party</span> service providers</span>; and the sensitivity of the <span class="dictionary">nonpublic information</span> used by the <span class="dictionary">licensee</span> or in the <span class="dictionary">licensee</span>&#x2019;s <span class="dictionary">possession</span>, <span class="dictionary">custody</span>, or control, each <span class="dictionary">licensee</span> shall develop, implement, and maintain a comprehensive written <span class="dictionary">information security program</span> based on the <span class="dictionary">licensee</span>&#x2019;s assessment of the <span class="dictionary">licensee</span>&#x2019;s risk and that contains administrative, technical, and physical safeguards for the protection of <span class="dictionary">nonpublic information</span> and the <span class="dictionary">licensee</span>&#x2019;s <span class="dictionary">information system</span>. <a id="paragraph-297710" class="section-permalink" href="https://vacode.org/38.2-623/#A"><i class="fa fa-link"/></a></p></section>
						<section id="B"><p><span class="prefix-number">B.</span> Each <span class="dictionary">licensee</span>&#x2019;s <span class="dictionary">information security program</span> shall be designed to: <a id="paragraph-297711" class="section-permalink" href="https://vacode.org/38.2-623/#B"><i class="fa fa-link"/></a></p></section>
						<section id="B1" class="indent-1"><p><span class="prefix-number">1.</span> Protect the security and confidentiality of <span class="dictionary">nonpublic information</span> and the security of the <span class="dictionary">information system</span>; <a id="paragraph-297712" class="section-permalink" href="https://vacode.org/38.2-623/#B1"><i class="fa fa-link"/></a></p></section>
						<section id="B2" class="indent-1"><p><span class="prefix-number">2.</span> Protect against any reasonably foreseeable threats or hazards to the security or integrity of <span class="dictionary">nonpublic information</span> and the <span class="dictionary">information system</span>; <a id="paragraph-297713" class="section-permalink" href="https://vacode.org/38.2-623/#B2"><i class="fa fa-link"/></a></p></section>
						<section id="B3" class="indent-1"><p><span class="prefix-number">3.</span> Protect against unauthorized access to or use of <span class="dictionary">nonpublic information</span>, and minimize the likelihood of harm to any <span class="dictionary">consumer</span>; and <a id="paragraph-297714" class="section-permalink" href="https://vacode.org/38.2-623/#B3"><i class="fa fa-link"/></a></p></section>
						<section id="B4" class="indent-1"><p><span class="prefix-number">4.</span> Define and periodically reevaluate a schedule for retention of <span class="dictionary">nonpublic information</span> and a mechanism for its destruction. <a id="paragraph-297715" class="section-permalink" href="https://vacode.org/38.2-623/#B4"><i class="fa fa-link"/></a></p></section>
						<section id="C"><p><span class="prefix-number">C.</span> Each <span class="dictionary">licensee</span> shall: <a id="paragraph-297716" class="section-permalink" href="https://vacode.org/38.2-623/#C"><i class="fa fa-link"/></a></p></section>
						<section id="C1" class="indent-1"><p><span class="prefix-number">1.</span> Designate one or more employees, an affiliate, or an outside vendor designated to act on behalf of the <span class="dictionary">licensee</span> who is responsible for the <span class="dictionary">information security program</span>; <a id="paragraph-297717" class="section-permalink" href="https://vacode.org/38.2-623/#C1"><i class="fa fa-link"/></a></p></section>
						<section id="C2" class="indent-1"><p><span class="prefix-number">2.</span> Design its <span class="dictionary">information security program</span> to mitigate the identified risks, commensurate with the size and complexity of the <span class="dictionary">licensee</span>; the nature and scope of the <span class="dictionary">licensee</span>&#x2019;s activities, including its use of <span class="dictionary">third-<span class="dictionary">party</span> service providers</span>; and the sensitivity of the <span class="dictionary">nonpublic information</span> used by the <span class="dictionary">licensee</span> or in the <span class="dictionary">licensee</span>&#x2019;s <span class="dictionary">possession</span>, <span class="dictionary">custody</span>, or control; <a id="paragraph-297718" class="section-permalink" href="https://vacode.org/38.2-623/#C2"><i class="fa fa-link"/></a></p></section>
						<section id="C3" class="indent-1"><p><span class="prefix-number">3.</span> Place access controls on <span class="dictionary">information systems</span>, including controls to authenticate and permit access only to <span class="dictionary">authorized persons</span> to protect against the unauthorized acquisition of <span class="dictionary">nonpublic information</span>; <a id="paragraph-297719" class="section-permalink" href="https://vacode.org/38.2-623/#C3"><i class="fa fa-link"/></a></p></section>
						<section id="C4" class="indent-1"><p><span class="prefix-number">4.</span> At physical locations containing <span class="dictionary">nonpublic information</span>, restrict access to <span class="dictionary">nonpublic information</span> to <span class="dictionary">authorized persons</span> only; <a id="paragraph-297720" class="section-permalink" href="https://vacode.org/38.2-623/#C4"><i class="fa fa-link"/></a></p></section>
						<section id="C5" class="indent-1"><p><span class="prefix-number">5.</span> Implement measures to protect against destruction, loss, or damage of <span class="dictionary">nonpublic information</span> due to environmental hazards, such as fire and water damage or other catastrophes or technological failures; <a id="paragraph-297721" class="section-permalink" href="https://vacode.org/38.2-623/#C5"><i class="fa fa-link"/></a></p></section>
						<section id="C6" class="indent-1"><p><span class="prefix-number">6.</span> Develop, implement, and maintain procedures for the secure disposal of <span class="dictionary">nonpublic information</span> in any format; <a id="paragraph-297722" class="section-permalink" href="https://vacode.org/38.2-623/#C6"><i class="fa fa-link"/></a></p></section>
						<section id="C7" class="indent-1"><p><span class="prefix-number">7.</span> <span class="dictionary">Stay</span> informed regarding emerging threats or vulnerabilities and utilize reasonable security measures when sharing information relative to the character of the sharing and the type of information shared; and <a id="paragraph-297723" class="section-permalink" href="https://vacode.org/38.2-623/#C7"><i class="fa fa-link"/></a></p></section>
						<section id="C8" class="indent-1"><p><span class="prefix-number">8.</span> Provide its personnel with cybersecurity awareness training. <a id="paragraph-297724" class="section-permalink" href="https://vacode.org/38.2-623/#C8"><i class="fa fa-link"/></a></p></section>
						<section id="D"><p><span class="prefix-number">D.</span> 1. If a <span class="dictionary">licensee</span> has a board of directors, the board or an appropriate committee of the board shall, at a minimum, require the <span class="dictionary">licensee</span>&#x2019;s information executive management or its delegates to (i) develop, implement, and maintain the <span class="dictionary">licensee</span>&#x2019;s <span class="dictionary">information security program</span> and (ii) report in writing (a) the overall status of the <span class="dictionary">information security program</span> and the <span class="dictionary">licensee</span>&#x2019;s compliance with this article and (b) <span class="dictionary">material</span> matters related to the <span class="dictionary">information security program</span>, addressing <span class="dictionary">issues</span> such as risk assessment, risk management and control decisions, <span class="dictionary">third-<span class="dictionary">party</span> service provider</span> arrangements, results of testing, <span class="dictionary">cybersecurity events</span> or violations and management&#x2019;s responses thereto, and recommendations for changes in the <span class="dictionary">information security program</span>. <a id="paragraph-297725" class="section-permalink" href="https://vacode.org/38.2-623/#D"><i class="fa fa-link"/></a></p></section>
						<section id="D2" class="indent-1"><p><span class="prefix-number">2.</span> If executive management delegates any of its responsibilities under this section, it shall oversee the development, implementation, and maintenance of the <span class="dictionary">licensee</span>&#x2019;s <span class="dictionary">information security program</span> prepared by the delegate and shall receive a report from the delegate complying with the requirements of subdivision 1. <a id="paragraph-297726" class="section-permalink" href="https://vacode.org/38.2-623/#D2"><i class="fa fa-link"/></a></p></section>
						<section id="E"><p><span class="prefix-number">E.</span> Beginning July 1, 2022, if a <span class="dictionary">licensee</span> utilizes a <span class="dictionary">third-<span class="dictionary">party</span> service provider</span>, the <span class="dictionary">licensee</span> shall: <a id="paragraph-297727" class="section-permalink" href="https://vacode.org/38.2-623/#E"><i class="fa fa-link"/></a></p></section>
						<section id="E1" class="indent-1"><p><span class="prefix-number">1.</span> Exercise due diligence in selecting its <span class="dictionary">third-<span class="dictionary">party</span> service provider</span>; and <a id="paragraph-297728" class="section-permalink" href="https://vacode.org/38.2-623/#E1"><i class="fa fa-link"/></a></p></section>
						<section id="E2" class="indent-1"><p><span class="prefix-number">2.</span> Require a <span class="dictionary">third-<span class="dictionary">party</span> service provider</span> to implement appropriate administrative, technical, and physical measures to protect and secure the <span class="dictionary">information systems</span> and <span class="dictionary">nonpublic information</span> that are accessible to, or held by, the <span class="dictionary">third-<span class="dictionary">party</span> service provider</span>. <a id="paragraph-297729" class="section-permalink" href="https://vacode.org/38.2-623/#E2"><i class="fa fa-link"/></a></p></section>
						<section id="F"><p><span class="prefix-number">F.</span> Each <span class="dictionary">licensee</span> shall monitor, evaluate, and adjust, as appropriate, the <span class="dictionary">information security program</span> consistent with any relevant changes in technology, the sensitivity of its <span class="dictionary">nonpublic information</span>, internal or external threats to information, and the <span class="dictionary">licensee</span>&#x2019;s own changing business arrangements, such as mergers and acquisitions, alliances and joint ventures, outsourcing arrangements, and changes to <span class="dictionary">information systems</span>. <a id="paragraph-297730" class="section-permalink" href="https://vacode.org/38.2-623/#F"><i class="fa fa-link"/></a></p></section>
						<section id="G"><p><span class="prefix-number">G.</span> As part of its <span class="dictionary">information security program</span>, each <span class="dictionary">licensee</span> shall establish a written incident response plan designed to promptly respond to, and recover from, any <span class="dictionary">cybersecurity event</span> that compromises the confidentiality, integrity, or availability of <span class="dictionary">nonpublic information</span> in its <span class="dictionary">possession</span>; the <span class="dictionary">licensee</span>&#x2019;s <span class="dictionary">information systems</span>; or the continuing functionality of any aspect of the <span class="dictionary">licensee</span>&#x2019;s business or operations. Such incident response plan shall address: <a id="paragraph-297731" class="section-permalink" href="https://vacode.org/38.2-623/#G"><i class="fa fa-link"/></a></p></section>
						<section id="G1" class="indent-1"><p><span class="prefix-number">1.</span> The internal process for responding to a <span class="dictionary">cybersecurity event</span>; <a id="paragraph-297732" class="section-permalink" href="https://vacode.org/38.2-623/#G1"><i class="fa fa-link"/></a></p></section>
						<section id="G2" class="indent-1"><p><span class="prefix-number">2.</span> The goals of the incident response plan; <a id="paragraph-297733" class="section-permalink" href="https://vacode.org/38.2-623/#G2"><i class="fa fa-link"/></a></p></section>
						<section id="G3" class="indent-1"><p><span class="prefix-number">3.</span> The definition of clear roles, responsibilities, and levels of decision-making authority; <a id="paragraph-297734" class="section-permalink" href="https://vacode.org/38.2-623/#G3"><i class="fa fa-link"/></a></p></section>
						<section id="G4" class="indent-1"><p><span class="prefix-number">4.</span> External and internal communications and information sharing; <a id="paragraph-297735" class="section-permalink" href="https://vacode.org/38.2-623/#G4"><i class="fa fa-link"/></a></p></section>
						<section id="G5" class="indent-1"><p><span class="prefix-number">5.</span> Identification of requirements for the remediation of any identified weaknesses in <span class="dictionary">information systems</span> and associated controls; <a id="paragraph-297736" class="section-permalink" href="https://vacode.org/38.2-623/#G5"><i class="fa fa-link"/></a></p></section>
						<section id="G6" class="indent-1"><p><span class="prefix-number">6.</span> Documentation and reporting regarding <span class="dictionary">cybersecurity events</span> and related incident response activities; and <a id="paragraph-297737" class="section-permalink" href="https://vacode.org/38.2-623/#G6"><i class="fa fa-link"/></a></p></section>
						<section id="G7" class="indent-1"><p><span class="prefix-number">7.</span> The evaluation and revision, as necessary, of the incident response plan following a <span class="dictionary">cybersecurity event</span>. <a id="paragraph-297738" class="section-permalink" href="https://vacode.org/38.2-623/#G7"><i class="fa fa-link"/></a></p></section>
						<section id="H"><p><span class="prefix-number">H.</span> Beginning in 2023 and annually thereafter, each <span class="dictionary">insurer</span> domiciled in the Commonwealth shall, by February 15, submit to the <span class="dictionary">Commissioner</span> a written statement certifying that the <span class="dictionary">insurer</span> is in compliance with the requirements set forth in this section, any rules adopted pursuant to this article, and any requirements prescribed by the <span class="dictionary">Commission</span>. Each <span class="dictionary">insurer</span> shall maintain for examination by the <span class="dictionary">Bureau</span> all records, <span class="dictionary">schedules</span>, and data supporting this certificate for a period of five years. To the extent an <span class="dictionary">insurer</span> has identified areas, systems, or processes that require <span class="dictionary">material</span> improvement, updating, or redesign, the <span class="dictionary">insurer</span> shall document the identification and the remedial efforts planned and underway to address such areas, systems, or processes. Such documentation must be available for inspection by the <span class="dictionary">Commissioner</span>. <a id="paragraph-297739" class="section-permalink" href="https://vacode.org/38.2-623/#H"><i class="fa fa-link"/></a></p></section></text><history>2020, c. 264.</history><metadata></metadata></law>
