Statutes, codes, and regulations
Virginia Administrative Code
Title 14 - INSURANCEAgency 5 - STATE CORPORATION COMMISSION, BUREAU OF INSURANCE
Chapter 430 - INSURANCE DATA SECURITY RISK ASSESSMENT AND REPORTING
Section 14VAC5-430-50 - Information security program security measures

14 Va. Admin. Code § 5-430-50

Download
PDF
Current through Register Vol. 41, No. 10, December 30, 2024
Section 14VAC5-430-50 - Information security program security measures
A. As part of its information security program and based on its risk assessments, each licensee shall implement appropriate security measures as follows:
1. Manage the data, personnel, devices, systems, and facilities of the licensee in accordance with its identified risk;
2. Protect, by encryption or other appropriate means, all nonpublic information while being transmitted over an external network;
3. Protect, by encryption or other appropriate means, all nonpublic information stored on portable computing, storage devices, or media;
4. Adopt secure development practices for applications developed in-house and used by the licensee;
5. Adopt procedures for evaluating and assessing the security of externally developed applications utilized by the licensee;
6. Implement effective controls, which may include multi-factor authentication, for authorized persons to access nonpublic information; and
7. Use audit trails or audit logs designed to detect and respond to cybersecurity events and to reconstruct material financial transactions.
B. Compliance with the provisions of this section is required of all licensees on or before July 1, 2022.
C. Security measures implemented in accordance with the objectives of the most current revision of NIST SP 800-53, NIST SP 800-171, or other substantially similar standard shall meet the requirements for security measures in subsection A of this section.
D. Effective July 1, 2022, each licensee that utilizes a third-party service provider shall:
1. Exercise due diligence in selecting a third-party service provider; and
2. Require the third-party service provider to implement appropriate administrative, technical, and physical measures to protect and secure the information systems and nonpublic information that are accessible to, or held by, the third-party service provider.

DOCUMENTS INCORPORATED BY REFERENCE (14VAC5-430)

National Institute of Standards and Technology, Computer Security Division, Information Technology Laboratory, 100 Bureau Drive (Mail Stop 8930), Gaithersburg, MD 20899-8930, sec-cert@nist.gov

NIST, Special Publication, Guide for Conducting Risk Assessments, 800-30 (rev. 9/2012)

NIST, Special Publication, Managing Information Security Risk Organization, Mission, and Information System View, 800-39 (eff. 3/2011)

NIST, Special Publication, Security and Privacy Controls for Federal Information Systems and Organizations, 800-53 (rev. 9/2021)

NIST, Special Publication, Protecting Controlled Unclassified Information, 800-171 (rev. 2/2020)

14 Va. Admin. Code § 5-430-50

Derived from Virginia Register Volume 37, Issue 21, eff. 6/1/2021; Amended, Virginia Register Volume 38, Issue 13, eff. 2/1/2021.

Statutory Authority: §§ 12.1-13 and 38.2-223 of the Code of Virginia.