Cybersecurity Incident Response Checklist
Triage and Initial Classification
The CISO or designee opens an entry in the incident log capturing reporter, time of detection, affected system, and initial indicators. Part 500.16 expects a written incident response plan with documented event handling — this log is the audit trail.
Use the carrier's defined severity tiers. "High" generally means confirmed unauthorized access, suspected NPI exposure, ransomware activity, or any condition reasonably likely to require regulator notification. Err toward the higher tier when in doubt — downgrading the tier later is cheaper than missing a 72-hour clock.
Page the CISO, IT lead, General Counsel, and Compliance Officer per the call tree. For High-severity events, also page the CEO and outside breach counsel. Confirm each role acknowledges; voicemail is not acknowledgment.
General Counsel issues a written hold to IT, claims, underwriting, and any business-unit custodians of potentially affected data. Suspend automated retention/deletion on relevant mailboxes, file shares, and SIEM logs. Premature destruction of evidence is a discoverable spoliation issue.
Containment
Quarantine via EDR (CrowdStrike, SentinelOne, Defender) rather than pulling power — preserves volatile memory for forensics. Disable affected service accounts and rotate any credentials known to have been on the host.
Force re-authentication in IdP (Okta, Entra), invalidate refresh tokens, and reset MFA factors for any user whose credentials may have been compromised. Part 500.12(b) MFA scope includes contractor and TPA access — don't forget vendor accounts.
Capture memory and disk images of affected hosts before remediation. Export SIEM logs covering at least the 30 days prior to detection. Document chain of custody — outside counsel and forensic vendors will need it.
Review DLP, egress logs, and EDR telemetry for evidence of access to or transfer of NPI (insured PII, claim files, medical records under HIPAA scope). This finding drives whether the 72-hour DOI notification clock under Part 500.17(a) and the NAIC Model Law applies.
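The two evidence-handling steps above (image and hash the hosts, then review egress telemetry for signs of NPI transfer) lend themselves to a small script. The following is an added example written for this page, not code from Manifestly or from any carrier's playbook. It builds a SHA-256 chain-of-custody manifest for an acquired image and runs a first pass over a proxy/egress log for the quarantined host. The log format, the field names (`host`, `dst`, `bytes_out`), the hostnames, the allow-list and the 100 MiB threshold are all assumptions; the log lines are constructed.

```python
"""Containment evidence handling: chain-of-custody manifest and egress review.
Added example on constructed data; log format and field names are assumed."""
import hashlib
import json
import tempfile
from dataclasses import dataclass, asdict
from datetime import datetime, timezone
from pathlib import Path

# ---- 1. chain of custody ------------------------------------------------

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def sha256_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Hash in 1 MiB chunks; a disk image will not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()

@dataclass
class CustodyRecord:
    artifact: str
    sha256: str
    size_bytes: int
    source_host: str
    acquired_by: str
    acquired_at_utc: str

def record_custody(path: Path, source_host: str, acquired_by: str) -> CustodyRecord:
    """Manifest entry written at acquisition time; store it alongside the image."""
    return CustodyRecord(path.name, sha256_file(path), path.stat().st_size,
                         source_host, acquired_by,
                         datetime.now(timezone.utc).isoformat(timespec="seconds"))

def verify_custody(path: Path, record: CustodyRecord) -> bool:
    """Re-hash before handing the image to counsel or the forensic firm."""
    return sha256_file(path) == record.sha256 and path.stat().st_size == record.size_bytes

def demo_custody() -> bool:
    """Write a small constructed 'image', record it, and verify it round-trips."""
    with tempfile.TemporaryDirectory() as tmp:
        image = Path(tmp) / "WS-CLM-042-mem.raw"   # constructed hostname and file
        image.write_bytes(b"constructed memory image contents" * 1024)
        record = record_custody(image, "WS-CLM-042", "ir-analyst-1")
        print(json.dumps(asdict(record), indent=2))
        return verify_custody(image, record)

# ---- 2. egress review ---------------------------------------------------

# Constructed proxy log lines: ISO timestamp followed by key=value fields.
SAMPLE_EGRESS = [
    "2024-05-01T09:12:44Z host=WS-CLM-042 user=jdoe dst=drop.example.net bytes_out=5120 action=ALLOW",
    "2024-05-02T03:14:07Z host=WS-CLM-042 user=jdoe dst=claims.insurer.example bytes_out=48211 action=ALLOW",
    "2024-05-02T03:21:55Z host=WS-CLM-042 user=jdoe dst=drop.example.net bytes_out=734003200 action=ALLOW",
    "2024-05-02T03:25:10Z host=WS-UW-007 user=asmith dst=drop.example.net bytes_out=9000000 action=ALLOW",
    "2024-05-02T04:02:31Z host=WS-CLM-042 user=jdoe dst=paste.example.org bytes_out=2048 action=ALLOW",
]
ALLOWED_DST = {"claims.insurer.example", "policycenter.insurer.example"}  # assumed allow-list
WINDOW_START = datetime(2024, 5, 2, 0, 0, tzinfo=timezone.utc)  # earliest known compromise

def parse_egress_line(line: str) -> dict:
    """'<ts> k=v k=v ...' -> dict with a parsed timestamp and integer bytes_out."""
    ts, *pairs = line.split()
    rec = dict(pair.split("=", 1) for pair in pairs)
    rec["ts"] = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    rec["bytes_out"] = int(rec.get("bytes_out", 0))
    return rec

def review_egress(lines, host, window_start, allowed_dst, large_bytes=100 * 1024 * 1024):
    """Flag flows from `host` since `window_start` that leave the allow-list or are large."""
    findings = []
    for line in lines:
        rec = parse_egress_line(line)
        if rec.get("host") != host or rec["ts"] < window_start:
            continue  # other hosts and pre-compromise traffic are out of scope here
        reasons = []
        if rec.get("dst") not in allowed_dst:
            reasons.append("destination not allow-listed")
        if rec["bytes_out"] >= large_bytes:
            reasons.append(f"outbound volume {rec['bytes_out']} >= {large_bytes}")
        if reasons:
            findings.append({"ts": rec["ts"].isoformat(), "dst": rec["dst"],
                             "bytes_out": rec["bytes_out"], "reasons": reasons})
    return findings

if __name__ == "__main__":
    print("custody verified:", demo_custody())
    for finding in review_egress(SAMPLE_EGRESS, "WS-CLM-042", WINDOW_START, ALLOWED_DST):
        print(finding)
```

On the constructed log the review returns two findings for the quarantined host: a 734 MB transfer to a destination outside the allow-list and a small upload to another unlisted destination; the pre-compromise line and the other workstation's traffic are skipped. Findings like these are what the forensic firm and counsel use to decide whether NPI left the environment and whether the 72-hour clock is running.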
Regulatory Notification
NYDFS Part 500.17(a) and the NAIC Insurance Data Security Model Law (as adopted in SC, OH, MS, CT, and others) require notice to the domiciliary DOI within 72 hours of determining a cybersecurity event has occurred. File via the DFS Cybersecurity Portal for NY; check each adopting state's portal for others. Include known facts only — supplementals come later.
Most cyber policies are claims-made and require notice of any matter "reasonably likely" to involve coverage. Late notice is the most common cyber-claim coverage dispute. Use the carrier's hotline to engage the breach response panel — outside counsel, forensics, PR — under the policy's panel terms.
Outside counsel directs the forensic investigation so that work product is protected. The cyber carrier's panel typically includes Mullen Coughlin, BakerHostetler, or similar — confirm panel rates before retaining counsel outside the panel.
Each state where an affected resident lives has its own breach-notification statute and timing. Counsel produces a state-by-state matrix. Don't conflate Part 500's regulator notice with the consumer-notice statutes — they run on different clocks.
Eradication and Recovery
Patch the exploited vulnerability, remove persistence mechanisms (scheduled tasks, run keys, malicious service accounts), and rebuild rather than clean any host with confirmed attacker dwell time. Coordinate with the forensic firm before destroying artifacts.
Restore from a backup pre-dating the earliest known compromise. Scan restored data before reconnecting to production. For PolicyCenter, ClaimCenter, or AMS systems, coordinate restore points with the vendor to keep policy and claim data consistent.
Run EDR scans, file-integrity checks against known-good baselines, and confirm no IOCs from the forensic report remain. CISO signs off before the system returns to production.
Loop back to containment — additional IOCs typically mean broader scope than initially understood. Update the DOI notice and breach counsel with new findings.
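The file-integrity check against a known-good baseline and the IOC sweep that gate CISO sign-off can be expressed as one release check. The following is an added example written for this page, not code from Manifestly or from any forensic vendor. The baseline, the restored host's file hashes, the DNS log lines, the scheduled-task names and every indicator in the mock forensic report are constructed placeholders (the IP is from the TEST-NET-3 documentation range); hashes are computed from constructed content rather than invented.

```python
"""Return-to-production gate: baseline diff plus IOC sweep.
Added example on constructed data; every host, path, domain, IP and task name is a placeholder."""
import hashlib

def h(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Known-good baseline taken from the gold image (constructed).
BASELINE = {
    "Windows/System32/drivers/etc/hosts": h(b"# known-good hosts file\n"),
    "Program Files/ClaimsApp/claims.exe": h(b"claims.exe build 4.1.0"),
    "Program Files/ClaimsApp/config.xml": h(b"<config env='prod'/>"),
}

# The same host after restore and patching. The patched binary is an expected
# change; the extra file under Users/Public and the hosts-file edit are not.
RESTORED_HOST = {
    "Windows/System32/drivers/etc/hosts": h(b"# known-good hosts file\n# unexpected edit\n"),
    "Program Files/ClaimsApp/claims.exe": h(b"claims.exe build 4.1.1"),
    "Program Files/ClaimsApp/config.xml": h(b"<config env='prod'/>"),
    "Users/Public/upd.exe": h(b"constructed malicious payload"),
}
EXPECTED_CHANGES = {"Program Files/ClaimsApp/claims.exe"}  # documented in the patch ticket

# Indicators lifted from the (hypothetical) forensic report.
IOC_REPORT = {
    "sha256": {h(b"constructed malicious payload")},
    "domains": {"c2.example-bad.net"},
    "ips": {"203.0.113.45"},
    "scheduled_tasks": {r"\Microsoft\Windows\Updater\SyncTask"},
}

# Constructed resolver log lines: ts client qname answer
RESTORED_DNS_LOG = [
    "2024-05-03T10:00:01Z WS-CLM-042 policycenter.insurer.example 10.20.30.40",
    "2024-05-03T10:00:09Z WS-CLM-042 c2.example-bad.net 203.0.113.45",
]
RESTORED_TASKS = [r"\Microsoft\Windows\Defrag\ScheduledDefrag", r"\Microsoft\Windows\Updater\SyncTask"]

# The same host after the persistence and payload were removed.
CLEAN_HOST = {**RESTORED_HOST, "Windows/System32/drivers/etc/hosts": BASELINE["Windows/System32/drivers/etc/hosts"]}
del CLEAN_HOST["Users/Public/upd.exe"]
CLEAN_DNS_LOG = RESTORED_DNS_LOG[:1]
CLEAN_TASKS = RESTORED_TASKS[:1]

def diff_against_baseline(baseline, current):
    """Files added, removed, or whose SHA-256 differs from the known-good image."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline.keys() & current.keys() if baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}

def sweep_iocs(file_hashes, dns_lines, task_names, iocs):
    """Match the report's indicators against file hashes, resolver log and scheduled tasks."""
    hits = []
    for path, digest in file_hashes.items():
        if digest in iocs["sha256"]:
            hits.append(("file_hash", path))
    for line in dns_lines:
        _, client, qname, answer = line.split()
        if qname in iocs["domains"]:
            hits.append(("dns_query", f"{client} -> {qname}"))
        if answer in iocs["ips"]:
            hits.append(("dns_answer", f"{client} -> {answer}"))
    for task in task_names:
        if task in iocs["scheduled_tasks"]:
            hits.append(("scheduled_task", task))
    return hits

def release_gate(baseline, current, expected_changes, dns_lines, task_names, iocs):
    """Return (ok, reasons); ok only when every change is expected and no IOC remains."""
    reasons = []
    diff = diff_against_baseline(baseline, current)
    for path in diff["modified"]:
        if path not in expected_changes:
            reasons.append(f"unexpected modification: {path}")
    for path in diff["added"]:
        if path not in expected_changes:
            reasons.append(f"unexpected new file: {path}")
    for path in diff["removed"]:
        reasons.append(f"baseline file missing: {path}")
    for kind, detail in sweep_iocs(current, dns_lines, task_names, iocs):
        reasons.append(f"IOC still present ({kind}): {detail}")
    return (not reasons, reasons)

if __name__ == "__main__":
    for label, host, dns, tasks in (("restored", RESTORED_HOST, RESTORED_DNS_LOG, RESTORED_TASKS),
                                    ("cleaned", CLEAN_HOST, CLEAN_DNS_LOG, CLEAN_TASKS)):
        ok, reasons = release_gate(BASELINE, host, EXPECTED_CHANGES, dns, tasks, IOC_REPORT)
        print(label, "ready for production:", ok)
        for reason in reasons:
            print("  -", reason)
```

On the first pass the gate refuses the restored host for six reasons (an undocumented hosts-file change, an unexpected file whose hash matches the report, a resolver query and answer for the reported C2, and the reported scheduled task). That refusal is the point at which the checklist loops back to containment and updates the DOI notice; only once the cleaned state returns an empty reason list does the CISO sign off.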
Post-Incident Review
Walk the timeline with IT, IR, Compliance, and Legal. Identify what detection control should have caught it earlier, which playbook steps slowed response, and where the call tree broke down. Capture findings in writing — Part 500 expects a written program updated after material events.
Revise the GLBA Safeguards-Rule WISP and the Part 500 cybersecurity program documents to reflect the new controls. The biennial risk assessment under Part 500.9 should also be re-run if the incident materially changed the threat picture.
Part 500.4 requires the CISO to report material cybersecurity events to the Board. Cover scope, customer impact, regulator status, and the remediation plan. Capture the Board's acknowledgment in the minutes for the next exam.
Deliver targeted training tied to the incident's root cause — a phishing simulation if the entry vector was email, a vendor-access module if the entry was a TPA. Generic annual training is insufficient when a specific control failed.