507F.9 Cybersecurity event — third-party service providers.
1. If a licensee becomes aware of a cybersecurity event in an information system maintained by a third-party service provider of the licensee, the licensee shall comply with section 507F.7, or the licensee may obtain a written certification from the third-party service provider that the provider is in compliance with section 507F.7. If the third-party provider fails to provide written certification to the licensee, the licensee shall comply with section 507F.7. The computation of the licensee’s deadlines pursuant to section 507F.7 shall begin on the business day after the date on which the licensee’s third-party service provider notifies the licensee of a cybersecurity event, or the date on which the licensee has actual knowledge of the cybersecurity event, whichever date is earlier.
2. This section shall not be construed to prohibit or abrogate an agreement between a licensee and another licensee, a third-party service provider, or any other party for the other licensee, third-party service provider, or other party to execute the requirements under section 507F.6 or section 507F.7 on behalf of the licensee.
2021 Acts, ch 79, §9, 17
Section effective January 1, 2022; 2021 Acts, ch 79, §17
NEW section
Structure Iowa Code
Chapter 507F - INSURANCE DATA SECURITY
Section 507F.2 - Purpose and scope.
Section 507F.4 - Information security program.
Section 507F.5 - Third-party service provider arrangements.
Section 507F.6 - Cybersecurity event — investigation.
Section 507F.7 - Cybersecurity event — notification and report to the commissioner.
Section 507F.8 - Cybersecurity event — notification to consumers.
Section 507F.9 - Cybersecurity event — third-party service providers.
Section 507F.10 - Cybersecurity event reinsurers.
Section 507F.11 - Cybersecurity event — producers of record.
Section 507F.12 - Confidentiality.
Section 507F.13 - Applicability.