Virginia Administrative Code
Title 14 - INSURANCE
Agency 5 - STATE CORPORATION COMMISSION, BUREAU OF INSURANCE
Chapter 430 - INSURANCE DATA SECURITY RISK ASSESSMENT AND REPORTING
Section 14VAC5-430-60 - Reporting cybersecurity events to the commissioner

Universal Citation: 4 VA Admin Code 5-430-60

Current through Register Vol. 41, No. 3, September 23, 2024

A. Reporting cybersecurity events to the commissioner.

1. Once a licensee has determined both that a cybersecurity event has occurred and that the licensee has a duty to report it to the commissioner pursuant to § 38.2-625 of the Code of Virginia, the licensee shall notify the commissioner within three business days that it has information to report, using the email address designated by the bureau. This notification should include the name, telephone number, and email address of the individual who is the licensee's designated contact for the cybersecurity event.

2. Instructions for communicating the information required by § 38.2-625 of the Code of Virginia to the commissioner through a secure portal will be provided by the bureau in response to the email.

3. The licensee shall update the commissioner on the progress of its investigation as information becomes known to the licensee until the licensee has provided as much of the information set forth in § 38.2-625 of the Code of Virginia as possible.

4. If also required to notify consumers, licensees shall (i) provide the commissioner with a copy of the notice template and any documentation provided to consumers and (ii) maintain a list of consumers notified and retain the list for the timeframe established by § 38.2-624D of the Code of Virginia.

B. Except where nonpublic information has been accessed, once a domestic insurance company has notified the commissioner of the date, nature, and scope of the cybersecurity event, the insurance company may report any remaining information required by § 38.2-625 of the Code of Virginia discovered by the licensee pursuant to its investigation (i) annually in a separate report, (ii) in the certification described in § 38.2-623H of the Code of Virginia, or (iii) on a continuing basis through the portal established for reporting cybersecurity events to the bureau.

C. Unless exempted by § 38.2-629A 2 of the Code of Virginia, producers whose home state is Virginia shall report cybersecurity events to the commissioner in accordance with subsection A of this section.

D. If required to report to the commissioner, nondomestic insurance companies, and, unless exempted under § 38.2-629A 2 of the Code of Virginia, producers whose home state is not Virginia shall notify the commissioner of the cybersecurity event pursuant to § 38.2-625A 2 of the Code of Virginia as set forth in subsection A of this section.

Statutory Authority: §§ 12.1-13 and 38.2-223 of the Code of Virginia.

Disclaimer: These regulations may not be the most recent version. Virginia may have more current or accurate information. We make no warranties or guarantees about the accuracy, completeness, or adequacy of the information contained on this site or the information linked to on the state site. Please check official sources.
This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.