Data Protection Checklist

Annual data protection program review for an insurance carrier, MGA, or agency handling NPI. Covers regulatory compliance, encryption and access control, incident response, retention, and third-party oversight under NYDFS Part 500, the NAIC Insurance Data Security Model Law, a...

Section 1: Regulatory Compliance Mapping

  1. Inventory states triggering Part 500 and Model Law
    • List every state where the entity holds a license or transacts business and map each to its data security regime — NYDFS 23 NYCRR 500 for NY Covered Entities, and the NAIC Insurance Data Security Model Law as adopted in SC, OH, MS, AL, CT, IN, IA, KY, LA, ME, MD, MI, MN, NH, ND, TN, VT, VA, WI, and others. Note where state adoption is stricter than the model.

  2. Refresh the GLBA Safeguards WISP
    • The Written Information Security Program should track the FTC Safeguards Rule's nine elements (16 CFR 314.4): a designated qualified individual, a written risk assessment, access controls, encryption, MFA, and the remaining program elements. Note that GLBA assigns enforcement for persons providing insurance to the state insurance regulators rather than the FTC, so the Safeguards Rule serves as the benchmark while the state's Model Law adoption is the binding text. Confirm the WISP names the current CISO or qualified individual; stale designations after turnover are a frequent finding.

  3. Confirm CISO designation under §500.4
    • Document the CISO's name, reporting line, and the date of the most recent written report to the board or senior governing body. Part 500 requires at least an annual written report covering the cybersecurity program, material risks, and material cybersecurity events.

  4. File the §500.17 certification of compliance
    • The annual NYDFS notice of compliance is due April 15 each year via the DFS portal and must be signed by the highest-ranking executive and the CISO. Choose between a certification of material compliance and a written acknowledgement of non-compliance with a remediation plan and target dates; do not file a certification if known gaps remain.

  5. Refresh GLBA privacy notices for state variants
    • Vermont requires opt-in for non-affiliate sharing; California requires CCPA/CPRA-aligned disclosures for personal-lines insureds. A nationally-templated notice that omits these is the most common privacy-notice finding in market conduct exams.

Section 2: Risk Assessment and NPI Inventory

  1. Run the §500.9 cybersecurity risk assessment
    • Part 500 requires risk assessments updated as needed but no less than annually under the amended rule, with criteria documenting how risks are identified, evaluated, and mitigated. Tie the assessment to the NIST CSF or CIS Controls if the WISP cites them.

  2. Inventory NPI across PolicyCenter and the AMS
    • Map NPI flows through Guidewire PolicyCenter/ClaimCenter, Applied Epic or AMS360, the rating engine, document repositories like ImageRight, and any shared drives. Include claim recorded statements and EUO transcripts, which routinely contain NPI and PHI.

  3. Conduct a privacy impact assessment on new processing
    • Required where new claims tools, telematics, or AI-driven underwriting models process personal information. Document lawful basis, retention, and any cross-border transfer; flag any model that uses prior loss data as a rating variable for fair-claims-practices review.

  4. Document data subject and consumer request procedures
    • Cover CCPA/CPRA access, deletion, and correction rights for personal-lines California insureds, plus FCRA adverse-action procedures when consumer reports drive declinations. Include intake routing so producer-received requests reach compliance within statutory windows.

Section 3: Encryption and Access Control

  1. Verify encryption of NPI in transit and at rest
    • §500.15 requires a written encryption policy covering NPI in transit over external networks and at rest. Under the amended rule the CISO may approve, in writing, compensating controls only where encryption at rest is infeasible, and must review them at least annually; the earlier allowance for compensating controls on data in transit expired on November 1, 2024. Document the standard in force (AES-256 at rest, TLS 1.2 or later in transit) and every compensating-control approval on file, with its most recent review date.

  2. Confirm MFA on all external network access
    • §500.12 requires MFA for any individual accessing the entity's information systems from an external network, which includes TPAs, wholesale brokers, and contractors with VPN access, not just employees. Under the amended rule the scope widens on November 1, 2025 to any individual accessing any information system of the covered entity, internal access included, unless the CISO has approved in writing a reasonably equivalent or more secure control. Treating MFA as employee-only misses the contractor scope and is a recurring NYDFS finding.

  3. Review role-based access and producer entitlements
    • Reconcile AMS and PolicyCenter roles against current producer appointments and CSR responsibilities. Terminated producers and inactive CSRs retaining access to loss runs and claim files is a common audit finding.

  4. Sample claim and policy access logs
    • Pull a sample of high-sensitivity records — large losses, SIU files, executive-officer policies — and confirm only authorized roles accessed them. Document anomalies for SIU follow-up.
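A worked reconciliation and log-sampling pass for steps 3 and 4, as an added example that is not part of this checklist and not code from any AMS or policy-administration vendor. The entitlement and appointment record layouts, the role-to-record allow matrix, the role names, and the access-log lines are all constructed for illustration; a real run substitutes exports from the AMS, PolicyCenter, and the producer appointment system.

```python
"""Entitlement reconciliation and access-log sampling for an AMS or policy
admin system. Added example, not part of the original checklist; all record
layouts, role names, and sample rows below are constructed for illustration."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Entitlement:
    user: str
    role: str               # assumed role names: producer, csr, claims_adjuster, siu, ...
    last_login: date


@dataclass(frozen=True)
class Appointment:
    user: str
    status: str             # "active" or "terminated"
    terminated_on: Optional[date] = None


# Assumed entitlement matrix: which roles may open each high-sensitivity class.
# Record classes without an entry are ordinary files and are out of sample scope.
ALLOWED_ROLES: Dict[str, Set[str]] = {
    "large_loss": {"claims_adjuster", "claims_manager", "siu"},
    "siu_file": {"siu", "claims_manager"},
    "executive_policy": {"underwriting_manager"},
}


def stale_entitlements(entitlements: List[Entitlement], appointments: List[Appointment],
                       as_of: date, inactive_days: int = 90) -> List[Tuple[str, str]]:
    """Flag producers whose appointment is terminated or missing, and any other
    account with no login within `inactive_days`. Returns (user, reason) pairs."""
    appt_by_user = {a.user: a for a in appointments}
    findings = []
    for e in entitlements:
        appt = appt_by_user.get(e.user)
        if e.role == "producer" and (appt is None or appt.status != "active"):
            findings.append((e.user, "terminated or unappointed producer still entitled"))
        elif (as_of - e.last_login).days > inactive_days:
            findings.append((e.user, f"no login in {inactive_days} days"))
    return findings


def anomalous_access(log_lines: List[str], entitlements: List[Entitlement]) -> List[dict]:
    """Parse pipe-delimited access log lines (constructed format:
    timestamp|user|record_id|sensitivity|action) and flag reads of
    high-sensitivity records by roles outside ALLOWED_ROLES."""
    role_of = {e.user: e.role for e in entitlements}
    anomalies = []
    for line in log_lines:
        ts, user, record_id, sensitivity, action = line.strip().split("|")
        allowed = ALLOWED_ROLES.get(sensitivity)
        if allowed is None:
            continue                      # ordinary record, not in the sample
        role = role_of.get(user, "<no entitlement>")
        if role not in allowed:
            anomalies.append({"ts": ts, "user": user, "record": record_id,
                              "sensitivity": sensitivity, "role": role, "action": action})
    return anomalies


# Constructed sample exports and log lines (not real data).
ENTITLEMENTS = [
    Entitlement("jdoe", "producer", date(2024, 5, 2)),
    Entitlement("asmith", "producer", date(2024, 5, 3)),     # appointment terminated below
    Entitlement("bwong", "csr", date(2024, 1, 10)),          # inactive CSR
    Entitlement("clee", "claims_adjuster", date(2024, 5, 1)),
    Entitlement("mrios", "siu", date(2024, 5, 1)),
]
APPOINTMENTS = [
    Appointment("jdoe", "active"),
    Appointment("asmith", "terminated", date(2024, 3, 15)),
]
ACCESS_LOG = [
    "2024-05-01T09:12:00|clee|CLM-10442|large_loss|read",
    "2024-05-01T09:40:00|bwong|CLM-10442|large_loss|read",        # CSR opening a large loss
    "2024-05-01T10:05:00|mrios|SIU-0077|siu_file|read",
    "2024-05-01T11:30:00|asmith|POL-9001|executive_policy|read",  # terminated producer
    "2024-05-01T12:00:00|clee|POL-5555|standard|read",
]


def run_review(as_of: date = date(2024, 5, 4)) -> dict:
    """Run both checks over the constructed sample; each hit is an SIU or
    access-review follow-up item for the remediation tracker."""
    return {
        "stale": stale_entitlements(ENTITLEMENTS, APPOINTMENTS, as_of),
        "anomalies": anomalous_access(ACCESS_LOG, ENTITLEMENTS),
    }


if __name__ == "__main__":
    for key, hits in run_review().items():
        print(key)
        for hit in hits:
            print("  ", hit)
```

The two checks are deliberately separate: a terminated producer with a live entitlement is a finding even if they never logged in, and a CSR reading a large-loss file is a finding even though their account is otherwise in good standing. Both lists feed the remediation items opened in Section 4.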

Section 4: Incident Response and Breach Notification

  1. Update the §500.16 incident response plan
    • Refresh roles, escalation paths, and external counsel and forensic-firm contacts. Following the 2023 Part 500 amendments the plan must address ransomware events specifically, including recovery from backups and extortion-payment governance: §500.17(c) requires notice to DFS within 24 hours of any extortion payment and, within 30 days, a written description of the reasons payment was necessary, the alternatives considered, and the sanctions diligence performed.

  2. Run a tabletop exercise on a simulated breach
    • Walk through a realistic insurance scenario — for example, ransomware on the AMS exposing loss runs and claimant SSNs. Time the response against the 72-hour DOI notification window and the state-by-state consumer notice timelines.

  3. Document the 72-hour DOI notification protocol
    • The NAIC Model Law and NYDFS Part 500 each require notification to the domiciliary commissioner within 72 hours of determining that a reportable cybersecurity event has occurred. The HIPAA 60-day breach notification window does not displace this deadline: stop-loss and group health carriers that are HIPAA covered entities must run both clocks, and defaulting to the 60-day window is a common mistake.

  4. Were findings identified requiring remediation?
    • Capture whether the tabletop, MFA review, or access-log sampling surfaced any control gaps that need a tracked remediation plan.

  5. Open remediation items in the GRC tracker
    • Each finding gets an owner, target date, and a documented compensating control if remediation will extend past the §500.17 certification window. Open items unmitigated at filing time push the entity toward an acknowledgement-with-remediation filing rather than a clean certification.

Section 5: Retention and Secure Disposal

  1. Refresh the policy and claim file retention schedule
    • Most states require five to seven years of policy and claim file retention; workers comp commonly requires ten or more years given lifetime medical exposure on occurrence-based liability. Map the schedule line by line to the longest applicable jurisdiction.

  2. Validate automated deletion in ImageRight and the AMS
    • Confirm rules in document repositories actually fire and that holds for litigation, subrogation, or open SIU files override automatic deletion. Premature destruction creates discoverable spoliation risk and can support a bad-faith claim.

  3. Verify certificates of destruction from disposal vendors
    • Collect NAID AAA certificates from paper-shredding vendors and media-destruction certificates for decommissioned drives. These vendors handle NPI and fall under §500.11 third-party scope, not just IT vendor management.
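The retention and hold logic behind steps 1 and 2, as an added example rather than code from the checklist or from ImageRight or any AMS vendor. The retention years per (state, line of business) pair are placeholders and not a statement of any state's actual rule; what the block demonstrates is that the longest applicable jurisdiction governs, that a missing schedule entry raises an error instead of defaulting to a short period, and that any active litigation, subrogation, or SIU hold blocks deletion regardless of the file's age.

```python
"""Deletion-eligibility check with hold override for claim and policy files.
Added example, not part of the original checklist. RETENTION_YEARS holds
placeholder values for illustration only; replace them with the entity's
state-by-state retention schedule."""
from dataclasses import dataclass, field
from datetime import date
from typing import List, Set, Tuple

# Assumed schedule: years to retain after file closure, keyed by (state, line).
# Values are illustrative placeholders, not any state's actual requirement.
RETENTION_YEARS = {
    ("NY", "auto"): 6,
    ("NJ", "auto"): 5,
    ("NY", "workers_comp"): 10,
    ("PA", "workers_comp"): 12,
}

HOLD_TYPES = {"litigation", "subrogation", "siu"}   # any of these blocks deletion


@dataclass
class ClaimFile:
    file_id: str
    line: str
    jurisdictions: List[str]                  # every state whose rules reach this file
    closed_on: date
    holds: Set[str] = field(default_factory=set)


def add_years(d: date, years: int) -> date:
    """Add calendar years; a Feb 29 closure rolls to Feb 28 in a non-leap year."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def retention_years(f: ClaimFile) -> int:
    """Longest applicable jurisdiction wins. An unknown (state, line) pair is an
    error rather than a default, because a gap in the schedule must never
    shorten retention silently."""
    years = []
    for state in f.jurisdictions:
        key = (state, f.line)
        if key not in RETENTION_YEARS:
            raise KeyError(f"no retention entry for {key}")
        years.append(RETENTION_YEARS[key])
    return max(years)


def deletion_decision(f: ClaimFile, today: date) -> Tuple[bool, str]:
    """Return (eligible, reason). Holds are checked before age so that a file
    under litigation, subrogation, or SIU hold is kept even when its base
    retention has long expired; destroying it is the spoliation case."""
    active_holds = f.holds & HOLD_TYPES
    if active_holds:
        return False, f"held: {', '.join(sorted(active_holds))}"
    years = retention_years(f)
    expires = add_years(f.closed_on, years)
    if today < expires:
        return False, f"retain until {expires.isoformat()}"
    return True, f"retention of {years}y expired {expires.isoformat()}"


def review(files: List[ClaimFile], today: date) -> dict:
    """Map each file id to its deletion decision for the validation report."""
    return {f.file_id: deletion_decision(f, today) for f in files}


# Constructed sample files (not real records).
FILES = [
    ClaimFile("CLM-1", "auto", ["NY", "NJ"], date(2017, 3, 1)),                   # NY 6y governs
    ClaimFile("CLM-2", "auto", ["NJ"], date(2020, 3, 1)),                         # still within 5y
    ClaimFile("CLM-3", "workers_comp", ["NY", "PA"], date(2015, 6, 1)),           # PA 12y governs
    ClaimFile("CLM-4", "auto", ["NY"], date(2010, 1, 1), holds={"litigation"}),   # aged out but held
]

if __name__ == "__main__":
    for file_id, (eligible, reason) in review(FILES, date(2024, 7, 1)).items():
        print(f"{file_id}: {'DELETE' if eligible else 'KEEP'} ({reason})")
```

Run the same decision function against the repository's actual purge candidates and diff the two lists: anything the repository is about to delete that this check marks KEEP is either a missing hold flag or a retention rule the repository has not picked up.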

Section 6: Third-Party and Vendor Oversight

  1. Refresh the §500.11 third-party service provider inventory
    • Include TPAs, wholesale brokers, claims vendors, IME providers, document destruction firms, and print vendors handling claim packets — anyone touching NPI. IT-vendor-only inventories miss the operational vendor scope and are a recurring exam finding.

  2. Collect SOC 2 Type II reports from critical vendors
    • Review reports for material exceptions, bridge letters covering the gap to current date, and subservice organization carve-outs. A SOC 2 covering only colocation while the vendor's SaaS layer is carved out is not coverage of the SaaS layer.

  3. Update data protection clauses in vendor contracts
    • Required clauses include MFA, encryption, breach-notification timing aligned with the 72-hour DOI window, audit rights, and subcontractor flow-down. Standard MSAs predating Part 500 amendments often lack the ransomware-event language now expected.

  4. Sign off on the annual data protection review
    • The CISO and Compliance Officer sign off jointly on the program review before the §500.17 filing. Include a one-page summary of material risks and remediation status for the senior governing body's records.


Sections 6
Steps 25
Category Insurance
Price Free to start