Data Protection Checklist
Regulatory Compliance Mapping
List every state where the entity holds a license or transacts business and map each to its data security regime — NYDFS 23 NYCRR 500 for NY Covered Entities, and the NAIC Insurance Data Security Model Law as adopted in SC, OH, MS, AL, CT, IN, IA, KY, LA, ME, MD, MI, MN, NH, ND, TN, VT, VA, WI, and others. Note where state adoption is stricter than the model.
The Written Information Security Program must address the FTC Safeguards Rule's nine elements, including a qualified individual, risk assessment, access controls, encryption, and MFA. Confirm the WISP names the current CISO or qualified individual — stale designations after turnover are a frequent finding.
Document the CISO's name, reporting line, and the date of the most recent written report to the board or senior governing body. Part 500 requires at least an annual written report covering the cybersecurity program, material risks, and material cybersecurity events.
Annual NYDFS notice of compliance is due April 15 each year via the DFS portal. Choose between certification of material compliance or acknowledgement of non-compliance with a remediation plan; do not file a certification if known gaps remain.
Vermont requires opt-in for non-affiliate sharing; California requires CCPA/CPRA-aligned disclosures for personal-lines insureds. A nationally templated notice that omits these is the most common privacy-notice finding in market conduct exams.
Risk Assessment and NPI Inventory
Part 500 requires risk assessments updated as needed but no less than annually under the amended rule, with criteria documenting how risks are identified, evaluated, and mitigated. Tie the assessment to the NIST CSF or CIS Controls if the WISP cites them.
Map NPI flows through Guidewire PolicyCenter/ClaimCenter, Applied Epic or AMS360, the rating engine, document repositories like ImageRight, and any shared drives. Include claim recorded statements and EUO transcripts, which routinely contain NPI and PHI.
Required where new claims tools, telematics, or AI-driven underwriting models process personal information. Document lawful basis, retention, and any cross-border transfer; flag any model that uses prior loss data as a rating variable for fair-claims-practices review.
Cover CCPA/CPRA access, deletion, and correction rights for personal-lines California insureds, plus FCRA adverse-action procedures when consumer reports drive declinations. Include intake routing so producer-received requests reach compliance within statutory windows.
Encryption and Access Control
Part 500.15 requires encryption of NPI in transit over external networks and at rest, with effective compensating controls approved by the CISO if encryption is infeasible. Document the standard (AES-256, TLS 1.2+) and any compensating-control approvals on file.
§500.12(b) requires MFA for any individual accessing internal networks from an external network — including TPAs, wholesale brokers, and contractors with VPN access, not just employees. Treating MFA as employee-only misses contractor scope and is a recurring NYDFS finding.
Reconcile AMS and PolicyCenter roles against current producer appointments and CSR responsibilities. Terminated producers and inactive CSRs who still hold access to loss runs and claim files are a common audit finding.
Pull a sample of high-sensitivity records — large losses, SIU files, executive-officer policies — and confirm only authorized roles accessed them. Document anomalies for SIU follow-up.
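The access reconciliation and high-sensitivity log sampling above, as an added example that is not part of the original checklist. The role export, appointment roster, access log and the category-to-role allowlist are all constructed and assumed; replace them with the entity's AMS/claims exports and the roles the WISP actually authorizes.

```python
import csv
from io import StringIO

# Constructed sample data (not from any real system): AMS/claims role export,
# current producer appointment roster, and an access log for high-sensitivity files.
ROLE_EXPORT = """user,role,status
jdoe,producer,active
asmith,producer,terminated
bcsr,csr,inactive
mclaims,siu_adjuster,active
"""
APPOINTED_PRODUCERS = {"jdoe"}  # current DOI appointments; asmith's has lapsed

ACCESS_LOG = """ts,user,record,category
2024-03-01T09:12:00,mclaims,CLM-1001,siu
2024-03-01T09:30:00,asmith,CLM-2002,large_loss
2024-03-02T11:05:00,jdoe,POL-3003,executive_officer
2024-03-02T14:40:00,bcsr,CLM-1001,siu
"""

# Assumed allowlist: which roles may open each high-sensitivity category.
AUTHORIZED_ROLES = {
    "siu": {"siu_adjuster"},
    "large_loss": {"siu_adjuster", "claims_supervisor"},
    "executive_officer": {"underwriting_manager"},
}

def load_users(export=ROLE_EXPORT):
    return {r["user"]: r for r in csv.DictReader(StringIO(export))}

def stale_access(users=None, appointed=APPOINTED_PRODUCERS):
    """Accounts that should no longer hold access: terminated or inactive users,
    and producers with no current appointment."""
    users = users if users is not None else load_users()
    return sorted(u for u, r in users.items()
                  if r["status"] != "active"
                  or (r["role"] == "producer" and u not in appointed))

def unauthorized_access(log=ACCESS_LOG, users=None):
    """Log-sample check: flag reads of high-sensitivity records by a role outside
    the allowlist, or by an account that should already have been disabled."""
    users = users if users is not None else load_users()
    stale = set(stale_access(users))
    findings = []
    for row in csv.DictReader(StringIO(log)):
        role = users.get(row["user"], {}).get("role", "unknown")
        if row["user"] in stale:
            findings.append((row["ts"], row["user"], row["record"], "stale account"))
        elif role not in AUTHORIZED_ROLES.get(row["category"], set()):
            findings.append((row["ts"], row["user"], row["record"],
                             f"role {role} not authorized for {row['category']}"))
    return findings
```

Each tuple returned by unauthorized_access is a candidate anomaly for SIU follow-up; stale_access is the list to feed the deprovisioning ticket.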
Incident Response and Breach Notification
Refresh roles, escalation paths, and external counsel and forensic-firm contacts. The plan must address ransomware events specifically following the 2023 Part 500 amendments, including extortion-payment governance.
Walk through a realistic insurance scenario — for example, ransomware on the AMS exposing loss runs and claimant SSNs. Time the response against the 72-hour DOI notification window and the state-by-state consumer notice timelines.
The NAIC Model Law and NYDFS Part 500 each require notification to the domiciliary commissioner within 72 hours of determining a cybersecurity event has occurred. The HIPAA 60-day window does not apply; defaulting to it is a common mistake for stop-loss and group health carriers.
Capture whether the tabletop, MFA review, or access-log sampling surfaced any control gaps that need a tracked remediation plan.
Each finding gets an owner, target date, and a documented compensating control if remediation will extend past the §500.17 certification window. Open items unmitigated at filing time push the entity toward an acknowledgement-with-remediation filing rather than a clean certification.
Retention and Secure Disposal
Most states require five to seven years of policy and claim file retention; workers' comp commonly requires ten or more years given lifetime medical exposure on occurrence-based liability. Map the schedule line by line to the longest applicable jurisdiction.
Confirm rules in document repositories actually fire and that holds for litigation, subrogation, or open SIU files override automatic deletion. Premature destruction creates discoverable spoliation risk and can support a bad-faith claim.
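The longest-jurisdiction mapping and hold-override rule from the two items above, as an added example that is not part of the original checklist. The retention years per state and the sample records are constructed illustrative values, not a legal schedule; the point is that deletion is gated on every jurisdiction's clock having run and on no litigation, subrogation or SIU hold being open.

```python
from datetime import date

# Assumed retention schedule in years by record type and jurisdiction
# (constructed illustrative values; substitute the entity's own schedule).
RETENTION_YEARS = {
    "policy": {"NY": 6, "CA": 5, "TX": 5},
    "claim": {"NY": 6, "CA": 5, "TX": 5},
    "workers_comp_claim": {"NY": 18, "CA": 5, "TX": 10},
}
HOLD_TYPES = {"litigation", "subrogation", "siu"}  # any open hold overrides auto-deletion

def retention_years(record_type, states):
    """Longest applicable retention across every jurisdiction the file touches."""
    schedule = RETENTION_YEARS[record_type]
    return max(schedule[s] for s in states)

def add_years(d, years):
    try:
        return d.replace(year=d.year + years)
    except ValueError:          # closed on 29 Feb, target year not a leap year
        return d.replace(year=d.year + years, day=28)

def disposal_decision(record, today):
    """Return (eligible, reason). Holds are checked first so a hold on a file
    whose clock has run still blocks destruction."""
    open_holds = sorted(h for h in record.get("holds", []) if h in HOLD_TYPES)
    if open_holds:
        return False, "hold: " + ",".join(open_holds)
    years = retention_years(record["type"], record["states"])
    expiry = add_years(record["closed"], years)
    if today < expiry:
        return False, f"retain until {expiry.isoformat()} ({years}y, longest jurisdiction)"
    return True, "retention expired, no holds"

# Constructed sample files (not real records).
SAMPLE_RECORDS = [
    {"id": "CLM-1", "type": "claim", "states": ["CA", "NY"],
     "closed": date(2017, 6, 30), "holds": []},
    {"id": "CLM-2", "type": "claim", "states": ["TX"],
     "closed": date(2017, 6, 30), "holds": ["subrogation"]},
    {"id": "WC-3", "type": "workers_comp_claim", "states": ["TX", "CA"],
     "closed": date(2017, 6, 30), "holds": []},
]

def disposal_report(records=SAMPLE_RECORDS, today=date(2024, 1, 1)):
    return {r["id"]: disposal_decision(r, today) for r in records}
```

Run disposal_report against the repository's deletion candidates before a purge job fires; anything that comes back ineligible is exactly the set a misfiring rule would destroy.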
Collect NAID AAA certificates from paper-shredding vendors and media-destruction certificates for decommissioned drives. These vendors handle NPI and fall under §500.11 third-party scope, not just IT vendor management.
Third-Party and Vendor Oversight
Include TPAs, wholesale brokers, claims vendors, IME providers, document destruction firms, and print vendors handling claim packets — anyone touching NPI. IT-vendor-only inventories miss the operational vendor scope and are a recurring exam finding.
Review vendor SOC reports for material exceptions, bridge letters covering the gap to the current date, and subservice organization carve-outs. A SOC 2 covering only colocation while the vendor's SaaS layer is carved out is not coverage of the SaaS layer.
Required clauses include MFA, encryption, breach-notification timing aligned with the 72-hour DOI window, audit rights, and subcontractor flow-down. Standard MSAs predating Part 500 amendments often lack the ransomware-event language now expected.
The CISO and Compliance Officer sign off jointly on the program review before the §500.17 filing. Include a one-page summary of material risks and remediation status for the senior governing body's records.
