Risk Mitigation Checklist
Quarterly enterprise risk mitigation workflow for an insurance carrier or MGA. Covers risk identification, policy development, ongoing monitoring, and crisis response across underwriting, claims, cyber, and compliance domains.
Risk Assessment and Identification
- Run the quarterly enterprise risk assessment
NYDFS Part 500.09 requires biennial at minimum but expects continuous reassessment after material changes (new product, acquisition, major vendor). Cover underwriting, claims, cyber, vendor, and compliance risk domains. Annual-only programs are out of compliance if a material change occurred mid-year.
- Convene the cross-functional risk committee
Pull underwriting, claims, IT, compliance, and finance into one working session. Underwriters surface appetite drift; claims surfaces reserve cadence and litigation trends; IT owns Part 500 controls; compliance owns SERFF filings and DOI exam posture.
- Pull loss runs and claims data for trend analysis
Pull 5-year loss runs from PolicyCenter / ClaimCenter or the AMS. Look for IBNR drift, reserve adequacy by line, and recurring causes of loss. LexisNexis CLUE and ISO data can supplement carrier-internal patterns.
- Score risks in the central risk register
Use a likelihood × impact matrix tied to the carrier's risk appetite statement. Tag each risk with owner, domain, and current control. Risks rated high or critical drive the policy and crisis-plan updates downstream.
- Flag emerging cyber and regulatory risks
Watch NAIC bulletins, NYDFS guidance, and state DOI circular letters. Common emerging risks: AI underwriting bias guidance, third-party ransomware exposure, climate-driven property aggregation, and surplus-lines tax rule changes.
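As an added example (not part of this template), a small Python risk-register scorer that implements the likelihood × impact rating described in the scoring step and returns the high/critical risks that feed the policy and crisis-plan updates; the 5×5 scales, the rating bands standing in for the appetite statement, and the sample register seeded from the emerging risks above are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed assumptions: 1..5 likelihood and impact scales, and rating bands on
# their product (1..25) standing in for the carrier's risk appetite statement.
RATING_BANDS = (("low", 5), ("medium", 10), ("high", 15), ("critical", 25))  # inclusive upper bounds

@dataclass(frozen=True)
class Risk:
    name: str
    domain: str       # underwriting, claims, cyber, vendor, compliance
    owner: str        # named owner, as the register requires
    control: str      # current control in place
    likelihood: int   # 1..5
    impact: int       # 1..5

def score(risk: Risk) -> int:
    """Likelihood x impact; rejects values outside the 5x5 matrix."""
    if not all(1 <= v <= 5 for v in (risk.likelihood, risk.impact)):
        raise ValueError(f"{risk.name}: likelihood and impact must be 1..5")
    return risk.likelihood * risk.impact

def rate(s: int) -> str:
    """Map a score to the appetite band it falls in."""
    for band, upper in RATING_BANDS:
        if s <= upper:
            return band
    raise ValueError(f"score {s} is outside the matrix")

def register_report(risks):
    """Scored register rows, highest score first (ties keep register order)."""
    rows = [{"name": r.name, "domain": r.domain, "owner": r.owner, "control": r.control,
             "score": score(r), "rating": rate(score(r))} for r in risks]
    return sorted(rows, key=lambda row: row["score"], reverse=True)

def downstream_inputs(risks):
    """High/critical risks grouped by domain: the inputs to policy and crisis-plan updates."""
    out = {}
    for row in register_report(risks):
        if row["rating"] in ("high", "critical"):
            out.setdefault(row["domain"], []).append(row["name"])
    return out

# Constructed sample register seeded from the emerging risks listed above.
SAMPLE_REGISTER = [
    Risk("TPA ransomware exposure", "cyber", "CISO", "vendor SOC 2 review", 4, 5),
    Risk("AI underwriting bias guidance", "compliance", "CCO", "model review board", 3, 3),
    Risk("Climate-driven property aggregation", "underwriting", "CUO", "CAT model limits", 2, 5),
    Risk("Producer binding outside authority", "underwriting", "Agency Manager", "authority grid", 3, 4),
]
```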
Policy Development and Implementation
- Update the WISP and underwriting authority documents
Refresh the GLBA Safeguards Rule WISP and binding-authority grids per appointed carrier. Producers binding outside line, hazard grade, or limit authority is a recurring E&O driver. Version-stamp every change.
- Cross-check policies against NAIC and state DOI requirements
Map each policy to the applicable model: NAIC Insurance Data Security Model Law, NYDFS 23 NYCRR 500, state Unfair Claim Settlement Practices Acts, Anti-Fraud Plan filings (NY, CA, FL, NJ, OH, NM, KY, LA, MN). Confirm Texas Chapter 542 prompt-pay timing is reflected in claims SOPs.
- Determine whether form or rate filings are required
If policy changes touch rates, rules, or forms, confirm the state's filing posture: prior approval, file-and-use, use-and-file, or no-file. Pushing a rate live in a prior-approval state before SERFF approval creates unauthorized rates.
- Submit the SERFF filing in affected states
File via NAIC SERFF for each state where the rate, rule, or form change applies. Track approval status by state — prior-approval states block implementation until disposition. Hold implementation until the slowest state clears.
- Roll out training to underwriting and claims staff
Cover the actual changes — not generic compliance slides. Use real fact patterns: an indication being mistaken for a quote, an OFAC hit at claim payment, a missed Part 500 §500.12(b) MFA scope. Track completion in the LMS.
Monitoring and Review
- Refresh the KRI dashboard
Standard KRIs: loss ratio by line, reserve development by accident year, quote-to-bind ratio, producer CE lapse count, OFAC false-positive rate, vendor SOC 2 expiration runway, NYDFS Part 500 control exception count.
- Audit producer licensing and appointments
Reconcile the AMS roster against NIPR. Any producer with lapsed CE or missing state appointment for a state where they bound is an unauthorized-transaction exposure. Carriers can rescind affected policies.
- Review the vendor risk register under Part 500 §500.11
Scope is not IT-vendor-only. TPAs, claims vendors, document destruction firms, and printers handling NPI all qualify. Pull each vendor's most recent SOC 2 Type II report and confirm its coverage period has not lapsed.
- Engage external auditors for an independent review
Required cadence varies by carrier size and Model Audit Rule applicability. Independent review surfaces the items internal teams normalize — reserve cadence drift, premium audit dispute backlog, retention schedule violations.
- Document audit findings and remediation owners
Each finding gets a named owner, target date, and severity. High and critical findings become inputs to the next quarter's risk assessment.
- Open remediation tickets for high and critical findings
Track each finding through to closure with target dates aligned to the carrier's audit response standard. Reopen patterns become next quarter's KRIs.
Crisis Management and Response
- Refresh the cybersecurity event response plan
NAIC Insurance Data Security Model Law and NYDFS Part 500 require notification to the state DOI within 72 hours of a cybersecurity event. Many plans default to the GLBA or HIPAA window and miss the shorter DOI clock — fix that explicitly.
- Run a tabletop exercise on a realistic scenario
Pick a scenario tied to a top risk: ransomware on the policy admin system, a TPA data breach, a CAT event triggering claim surge. Time the team against the 72-hour DOI notification clock and the carrier's reinsurance treaty notification triggers.
- Confirm the crisis communications plan and contact tree
Verify outside counsel, forensic IR vendor, cyber carrier, reinsurance broker, and DOI contacts. Test the after-hours numbers — stale contacts surface during the actual event.
- Verify excess and reinsurance notification triggers
Most excess policies require notice of any matter reasonably likely to involve the layer; carriers commonly use 50% of primary as the practical trigger. Following-form treaties may not align with policy form coverage triggers — confirm the gap is documented.
- Sign off on the quarterly risk mitigation review
CRO or compliance officer signs off and files the package for the next market conduct or financial exam. Retain per the carrier's record retention schedule (typically 5–7 years P&C, longer for WC).