A. As part of its information security program and based on its risk assessments, each licensee shall implement appropriate security measures as follows:
- 1. Manage the data, personnel, devices, systems, and facilities of the licensee in accordance with its identified risk;
- 2. Protect, by encryption or other appropriate means, all nonpublic information while being transmitted over an external network;
- 3. Protect, by encryption or other appropriate means, all nonpublic information stored on portable computing, storage devices, or media;
- 4. Adopt secure development practices for applications developed in-house and used by the licensee;
- 5. Adopt procedures for evaluating and assessing the security of externally developed applications utilized by the licensee;
- 6. Implement effective controls, which may include multi-factor authentication, for authorized persons to access nonpublic information; and
- 7. Use audit trails or audit logs designed to detect and respond to cybersecurity events and to reconstruct material financial transactions.
- B. Compliance with the provisions of this section is required of all licensees on or before July 1, 2022.
- C. Security measures implemented in accordance with the objectives of the most current revision of NIST SP 800-53, NIST SP 800-171, or other substantially similar standard shall meet the requirements for security measures in subsection A of this section.
D. Effective July 1, 2022, each licensee that utilizes a third-party service provider shall:
- 1. Exercise due diligence in selecting a third-party service provider; and
- 2. Require the third-party service provider to implement appropriate administrative, technical, and physical measures to protect and secure the information systems and nonpublic information that are accessible to, or held by, the third-party service provider.
Statutory Authority
§§ 12.1-13 and 38.2-223 of the Code of Virginia.
Historical Notes
Derived from Virginia Register Volume 37, Issue 21, eff. June 1, 2021; amended, Virginia Register Volume 38, Issue 13, eff. February 1, 2022.