The bill amends various sections of the West Virginia Code to enhance the state's cybersecurity program and define the responsibilities of the Chief Information Security Officer (CISO). It establishes the West Virginia Cybersecurity Office within the Office of Technology, which will be led by the CISO. The office is tasked with setting cybersecurity standards and managing the cybersecurity framework applicable to all state agencies, with specific exemptions for higher education institutions, the State Police, and other constitutional officers. The bill also outlines definitions for key terms related to cybersecurity, such as "cyber incident," "cyber risk management service," and "information custodian."
Additionally, the bill delineates the powers and duties of the CISO, including the development of policies and procedures for an enterprise cybersecurity program, the establishment of cyber risk assessment requirements, and the provision of guidance to state agencies on managing cyber risks. It mandates that information custodians undergo annual cybersecurity program reviews and adhere to established cybersecurity standards. Furthermore, it exempts certain cybersecurity-related information from public disclosure to protect sensitive data and requires the CISO to report annually on the status of the cybersecurity program to the Joint Committee on Government and Finance and the Governor.
Statutes affected:
Introduced Version: 5A-6B-1, 5A-6B-2, 5A-6B-3, 5A-6B-4, 5A-6B-5, 5A-6B-6
Engrossed Version: 5A-6B-1, 5A-6B-2, 5A-6B-3, 5A-6B-4, 5A-6B-5, 5A-6B-6
Enrolled Version: 5A-6B-1, 5A-6B-2, 5A-6B-3, 5A-6B-4, 5A-6B-5, 5A-6B-6