Virginia Administrative Code
Title 14 - INSURANCE
Agency 5 - STATE CORPORATION COMMISSION, BUREAU OF INSURANCE
Chapter 430 - INSURANCE DATA SECURITY RISK ASSESSMENT AND REPORTING
Section 14VAC5-430-40 - Information security program risk assessment

Universal Citation: 4 VA Admin Code 5-430-40

Current through Register Vol. 41, No. 3, September 23, 2024

A. In addition to the information security program requirements of § 38.2-623 of the Code of Virginia, taking into consideration the licensee's size and complexity, each licensee shall conduct a periodic risk assessment consistent with the following processes:

1. Identify reasonably foreseeable internal or external threats that could result in unauthorized access, transmission, disclosure, misuse, alteration, or destruction of nonpublic information held by a licensee, including the security of information systems and nonpublic information that are accessible to or held by third-party service providers;

2. Assess the likelihood and potential damage of these threats taking into consideration the sensitivity of nonpublic information in the possession, custody, or control of the licensee;

3. Assess the sufficiency of policies, procedures, information systems, and other safeguards in place to manage these threats, including consideration of threats in each relevant area of the licensee's operations, such as employee training and management; information classification that includes the processing, storage, transmission, and disposal of information; and the detection, prevention, and response to attacks and intrusions; and

4. Implement information safeguards to manage the threats identified in the licensee's ongoing assessment and, no less than annually, assess the effectiveness of the key controls, systems, and procedures.

B. An assessment conducted in accordance with the objectives of the most current revision of NIST SP 800-30, NIST SP 800-39, or other substantially similar standard shall meet the requirements for a periodic assessment in subsection A of this section.

C. Compliance with the provisions of this subsection is required of all licensees on or before July 1, 2022.

Statutory Authority: §§ 12.1-13 and 38.2-223 of the Code of Virginia.

Disclaimer: These regulations may not be the most recent version. Virginia may have more current or accurate information. We make no warranties or guarantees about the accuracy, completeness, or adequacy of the information contained on this site or the information linked to on the state site. Please check official sources.
This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.