Iowa Agencies | Free Checklist

The Iowa Insurance Data Security Act WISP checklist.

A plain-English readiness checklist mapped to the Iowa Insurance Data Security Act (Iowa Code Chapter 507F) — the exemption thresholds, every required control, and the evidence to keep on file. Built for independent agencies in Des Moines and across Iowa.

What's inside

Ten checkpoints — starting with whether the Act even applies to you.

Each checkpoint explains what Iowa Code Ch. 507F expects, gives you a yes/no readiness check, and lists the evidence examiners and E&O carriers expect to see. Print it, work the gaps, and keep it with your program file.

  1. Are You Exempt? — The Iowa Thresholds
  2. Designated Qualified Individual
  3. Annual Written Risk Assessment
  4. Access Controls & Identity Management
  5. Encryption of Non-Public Information
  6. Multi-Factor Authentication
  7. Third-Party Service Provider Oversight
  8. Cybersecurity Event Investigation & Notification
  9. Cybersecurity Awareness Training
  10. Program Review & Annual Certification

The checklist is a printable web document. Use your browser's Print → Save as PDF to keep an offline copy.

Why this matters in Iowa

Iowa was an early adopter — and the exemption is narrower than most agencies assume.

Iowa adopted it early

Iowa enacted the Insurance Data Security Act (Iowa Code Chapter 507F), with the information-security-program requirement effective January 1, 2022. If your agency is over the exemption thresholds, the program is already required.

The exemption is narrower than people think

Iowa exempts licensees with fewer than 20 individuals in their workforce, under $5M gross annual revenue, or under $10M in year-end assets. Many Des Moines agencies sit above at least one line — and even exempt agencies must document the basis for the exemption on request.

Carriers and E&O check regardless

Whether or not Ch. 507F applies to you, your carrier appointment reviews and E&O renewal questionnaires now ask for MFA, a written program, and a tested incident response plan. Misrepresent any of it and the claim can be denied.

Source: Iowa Code Chapter 507F (Insurance Data Security) and the Iowa Insurance Division. General information, not legal advice — confirm your agency's obligations with qualified counsel.

Want the controls behind the checklist?

Kapacyber runs the day-to-day security operations behind every checkpoint — MFA on your AMS and every carrier portal, EDR on every device, 24/7 monitoring, agency-specific BEC training, and a tested incident response plan. Local to Des Moines, available statewide.