Iowa Code § 507F.4
1.
b. This section shall not apply to any of the following:
(1) A licensee that meets any of the following criteria:
2. A licensee’s information security program must be designed to do all of the following:
3. A licensee shall conduct a risk assessment that accomplishes all of the following:
d. Assesses the sufficiency of policies, procedures, information systems, and other safeguards in place to manage the threats identified in paragraph “b”. This assessment must include consideration of threats identified in each relevant area of the licensee’s operations, including all of the following:
4. Based on the risk assessment conducted pursuant to subsection 3, a licensee shall do all of the following:
b. Determine which of the following security measures are appropriate and implement each appropriate security measure:
5.
a. If a licensee has a board of directors, the board or an appropriate committee of the board shall at a minimum require the licensee’s executive management or the executive management’s delegates to:
(2) Provide a written report to the board, at least annually, that documents all of the following:
7. As part of a licensee’s information security program, a licensee shall establish a written incident response plan designed to promptly respond to, and recover from, a cybersecurity event that compromises the confidentiality, integrity, or availability of nonpublic information in the licensee’s possession, the licensee’s information systems, or the continuing functionality of any aspect of the licensee’s operations. The written incident response plan must address all of the following:
2021 Acts, ch 79, §4, 17
Referred to in §507F.3