Bulletin on Heightened Cybersecurity Risk


Notify me of updates to this page

The Virginia Insurance Data Security Act, Article 2 of Chapter 6 of Title 38.2 (Sections 38.2-621 through 38.2-629 of the Code of Virginia), was effective July 1, 2020. This legislation is modeled on the NAIC Insurance Data Security Model Law. The Act defines the requirements applicable to a licensee and establishes standards for data security, cybersecurity investigations, and notification to the Commissioner of cybersecurity events. It also provides the standards for notification to consumers, if applicable.

Chapter 430- the Rules Governing Insurance Data Security Risk and Reporting was approved effective June 1, 2021. The regulation provides (i) rules for reporting cybersecurity events; (ii) risk assessment requirements that must be implemented by July 1, 2022; and (iii) additional security measures that must be implemented by July 1, 2022.

Breach Notification requirements detailed in 14VAC5-430-60.A.1 may be satisfied by emailing the information required by §38.2-625.B.1-13 to the Bureau’s secure email at

July 1, 2020

  • Virginia Insurance Data Security Act becomes effective for cybersecurity events that occur on or after July 1, 2020.

  • Licensees shall report cybersecurity events to the Commissioner of Insurance no later than 3 business days after determining that a cybersecurity event has actually occurred when certain criteria are met.

  • Licensees subject to the Virginia Insurance Data Security Act shall implement Section 38.2-623 by this date. This section requires that licensees establish a comprehensive, written information security program by July 1, 2020.

June 1, 2021

  • Chapter 430- the Rules Governing Insurance Data Security Risk and Reporting was approved effective June 1, 2021. Licensees subject to the Act shall comply with the reporting requirements in Chapter 430 as of this date.

July 1, 2022

  • Licensees subject to Act who use the services of third-party service providers shall implement the provisions of Section 38.2-623 E by this date.  This section details additional requirements for licensees who contract with third-party service providers that maintain, process, store or otherwise is permitted access to nonpublic information through its provision of services to the licensee.

  • Licensees subject to the Act must be in compliance with the risk assessment requirements in 14VAC5-430-40 as of this date.

  • Licensees subject to the Act must implement the appropriate security measures as set forth in 14VAC5-430-50 as of this date.​

February 15, 2023

  • Beginning on this date, each insurer domiciled in Virginia must annually submit to the Bureau of Insurance a written statement certifying that the insurer is in compliance with the requirements set forth in Section 38.2-623.  Domestic insurers required to submit a written statement will be contacted directly by the Financial Regulation & Solvency Division with further instructions prior to the February 15th deadline.

National Institute of Standards and Technology – NIST

ISACA – COBIT Framework

SANS Institute – CIS Controls

International Organization for Standardization – ISO

Federal Trade Commission

If you belong to an association or trade group, you may be able to find information to assist you with your information security program, including your risk assessment and establishing your security measures.