Vol. 38 Iss. 13 - February 14, 2022

Chapter 430



Final Regulation

REGISTRAR'S NOTICE: The State Corporation Commission is claiming an exemption from the Administrative Process Act in accordance with § 2.2-4002 A 2 of the Code of Virginia, which exempts courts, any agency of the Supreme Court, and any agency that by the Constitution is expressly granted any of the powers of a court of record.

Title of Regulation: 14VAC5-430. Insurance Data Security Risk Assessment and Reporting (amending 14VAC5-430-50).

Statutory Authority: §§ 12.1-13 and 38.2-223 of the Code of Virginia.

Effective Date: February 1, 2021.

Agency Contact: Katie Johnson, Insurance Policy Advisor, Bureau of Insurance, State Corporation Commission, P.O. Box 1157, Richmond, VA 23218, telephone (804) 371-9873, or email


The amendment corrects two documents incorporated by reference.




CASE NO. INS-2020-00168

Ex Parte: In the Matter of Adopting

Rules to Implement the Requirements

of the Insurance Data Security Act


On May 24, 2021, the State Corporation Commission ("Commission") issued an Order Adopting Regulations ("Order"). It has been brought to the Commission's attention that there was a typographical error in the regulations adopted by the Order ("Regulations"). Specifically, 14VAC5-430-50 C referenced NIST SP 800-30, NIST SP 800-39[1] when it should have referenced NIST SP 800-53, NIST SP 800-171.

NOW THE COMMISSION, upon consideration of the matter, is of the opinion and finds that the erroneous reference in 14VAC5-430-50 C should be corrected as set forth herein and attached hereto.

Accordingly, IT IS ORDERED THAT:

(1) The incorrect reference in 14VAC5-430-50 C to NIST SP 800-30, NIST SP 800-39 is removed and replaced, nunc pro tunc, with NIST SP 800-53, NIST SP 800-171.

(2) The Regulations, as corrected and attached hereto, remain in full force and effect.

(3) The Bureau shall provide notice of the correction to the Regulations to all insurers, burial societies, fraternal benefit societies, health services plans, risk retention groups, joint underwriting associations, group self-insurance pools, and group self-insurance associations licensed by the Commission, to qualified reinsurers in Virginia, and to all interested persons.

(4) The Commission's Division of Information Resources shall cause a copy of this Order, together with the corrected Regulations, to be forwarded to the Virginia Registrar of Regulations for appropriate publication in the Virginia Register of Regulations.

(5) The Commission's Division of Information Resources shall make available this Order and the attached correction to the Rules on the Commission's website:

A copy of this Order shall be sent by the Clerk of the Commission to: C. Meade Browder, Jr., Senior Assistant Attorney General, Office of the Attorney General, Division of Consumer Counsel, by electronic mail at, and a copy hereof shall be delivered to the Commission's Office of General Counsel and the Bureau of Insurance in care of Deputy Commissioner Donald C. Beatty.


[1] NIST SP 800-30, NIST SP 800-39 is correctly referenced in 14VAC5-430-40 B and appears to have been inadvertently repeated in 14VAC5-430-50 C.

14VAC5-430-50. Information security program security measures.

A. As part of its information security program and based on its risk assessments, each licensee shall implement appropriate security measures as follows:

1. Manage the data, personnel, devices, systems, and facilities of the licensee in accordance with its identified risk;

2. Protect, by encryption or other appropriate means, all nonpublic information while being transmitted over an external network;

3. Protect, by encryption or other appropriate means, all nonpublic information stored on portable computing, storage devices, or media;

4. Adopt secure development practices for applications developed in-house and used by the licensee;

5. Adopt procedures for evaluating and assessing the security of externally developed applications utilized by the licensee;

6. Implement effective controls, which may include multi-factor authentication, for authorized persons to access nonpublic information; and

7. Use audit trails or audit logs designed to detect and respond to cybersecurity events and to reconstruct material financial transactions.

B. Compliance with the provisions of this section is required of all licensees on or before July 1, 2022.

C. Security measures implemented in accordance with the objectives of the most current revision of [NIST SP 800-30, NIST SP 800-39] NIST SP 800-53, NIST SP 800-171, or other substantially similar standard shall meet the requirements for security measures in subsection A of this section. (Bracketed text is the stricken reference; the text following it is the corrected reference.)

D. Effective July 1, 2022, each licensee that utilizes a third-party service provider shall:

1. Exercise due diligence in selecting a third-party service provider; and

2. Require the third-party service provider to implement appropriate administrative, technical, and physical measures to protect and secure the information systems and nonpublic information that are accessible to, or held by, the third-party service provider.


National Institute of Standards and Technology, Computer Security Division, Information Technology Laboratory, 100 Bureau Drive (Mail Stop 8930), Gaithersburg, MD 20899-8930,

NIST, Special Publication, Guide for Conducting Risk Assessments, 800-30 (rev. 9/2012)

NIST, Special Publication, Managing Information Security Risk: Organization, Mission, and Information System View, 800-39 (eff. 3/2011)

NIST, Special Publication, Security and Privacy Controls for Federal Information Systems and Organizations, 800-53 (rev. 9/2021)

NIST, Special Publication, Protecting Controlled Unclassified Information, 800-171 (rev. 2/2020)

VA.R. Doc. No. R22-6886; Filed January 21, 2022