507F.9 Cybersecurity event — third-party service providers. 1. If a licensee becomes aware of a cybersecurity event in an information system maintained by a third-party service provider of the licensee, the licensee shall comply withsection 507F.7, or the licensee may obtain a written certification from the third-party serviceprovider that the provider is in compliance with section 507F.7. If the third-party providerfails to provide written certification to the licensee, the licensee shall comply with section507F.7. The computation of the licensee’s deadlines pursuant to section 507F.7 shall begin onthe business day after the date on which the licensee’s third-party service provider notifiesthe licensee of a cybersecurity event, or the date on which the licensee has actual knowledgeof the cybersecurity event, whichever date is earlier. 2. This section shall not be construed to prohibit or abrogate an agreement between a licensee and another licensee, a third-party service provider, or any other party for the otherlicensee, third-party service provider, or other party to execute the requirements undersection 507F.6 or section 507F.7 on behalf of the licensee. y service provider, or any other party for the otherlicensee, third-party service provider, or other party to execute the requirements undersection 507F.6 or section 507F.7 on behalf of the licensee. 2021 Acts, ch 79, §9, 17 Sat Dec 23 00:40:19 2023 Iowa Code 2024, Section 507F.9 (2, 0)
Iowa Legal Code