Cybersecurity Incident Response Checklist

Triage and Initial Classification

    The CISO or designee opens an entry in the incident log capturing reporter, time of detection, affected system, and initial indicators. Part 500.16 expects a written incident response plan with documented event handling — this log is the audit trail.

    Use the carrier's defined severity tiers. "High" generally means confirmed unauthorized access, suspected NPI exposure, ransomware activity, or any condition reasonably likely to require regulator notification. Err toward the higher tier when in doubt — downgrading the severity later is cheaper than missing a 72-hour clock.

    Page the CISO, IT lead, General Counsel, and Compliance Officer per the call tree. For High-severity events, also page the CEO and outside breach counsel. Confirm each role acknowledges; voicemail is not acknowledgment.

    General Counsel issues a written hold to IT, claims, underwriting, and any business-unit custodians of potentially affected data. Suspend automated retention/deletion on relevant mailboxes, file shares, and SIEM logs. Premature destruction of evidence is a discoverable spoliation issue.

Containment

    Quarantine via EDR (CrowdStrike, SentinelOne, Defender) rather than pulling power — network isolation preserves volatile memory for forensics. Disable affected service accounts and rotate any credentials known to have been on the host.

    Force re-authentication in IdP (Okta, Entra), invalidate refresh tokens, and reset MFA factors for any user whose credentials may have been compromised. Part 500.12(b) MFA scope includes contractor and TPA access — don't forget vendor accounts.

    Capture memory and disk images of affected hosts before remediation. Export SIEM logs covering at least the 30 days prior to detection. Document chain of custody — outside counsel and forensic vendors will need it.

    Review DLP, egress logs, and EDR telemetry for evidence of access to or transfer of NPI (insured PII, claim files, medical records under HIPAA scope). This finding drives whether the 72-hour DOI notification clock under Part 500.17(a) and the NAIC Model Law applies.

Regulatory Notification

    NYDFS Part 500.17(a) and the NAIC Insurance Data Security Model Law (as adopted in SC, OH, MS, CT, and others) require notice to the domiciliary DOI within 72 hours of determining a cybersecurity event has occurred. File via the DFS Cybersecurity Portal for NY; check each adopting state's portal for others. Include known facts only — supplementals come later.

    Most cyber policies are claims-made and require notice of any matter "reasonably likely" to involve coverage. Late notice is the most common cyber-claim coverage dispute. Use the carrier's hotline to engage the breach response panel — outside counsel, forensics, PR — under the policy's panel terms.

    Outside counsel directs the forensic investigation so that work product is protected. The cyber carrier's panel typically includes Mullen Coughlin, BakerHostetler, or similar — confirm panel rates before retaining counsel outside the panel.

    Each state where an affected resident lives has its own breach-notification statute and timing. Counsel produces a state-by-state matrix. Don't conflate Part 500's regulator notice with the consumer-notice statutes — they run on different clocks.

Eradication and Recovery

    Patch the exploited vulnerability, remove persistence mechanisms (scheduled tasks, run keys, malicious service accounts), and rebuild rather than clean any host with confirmed attacker dwell time. Coordinate with the forensic firm before destroying artifacts.

    Restore from a backup pre-dating the earliest known compromise. Scan restored data before reconnecting to production. For PolicyCenter, ClaimCenter, or AMS systems, coordinate restore points with the vendor to keep policy and claim data consistent.

    Run EDR scans, file-integrity checks against known-good baselines, and confirm no IOCs from the forensic report remain. CISO signs off before the system returns to production.
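    One way to run the file-integrity check described above, as an added example (not part of this checklist or any vendor tool): a baseline hash manifest is assumed to have been captured from a known-good system before the incident, and the restored host is hashed the same way and diffed against it. The sample files and the "drift" are constructed inside a temporary directory so the script runs offline.

```python
import hashlib
import tempfile
from pathlib import Path


def hash_file(path, algo="sha256"):
    """Stream a file through the chosen digest so large binaries don't land in memory."""
    h = hashlib.new(algo)
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Hash every regular file under root; keys are root-relative POSIX paths."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hash_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def compare_to_baseline(baseline, current):
    """Diff a fresh manifest against the known-good one (hypothetical helper)."""
    return {
        "added": sorted(set(current) - set(baseline)),        # files not in the gold image
        "removed": sorted(set(baseline) - set(current)),      # expected files now missing
        "modified": sorted(p for p in baseline
                           if p in current and baseline[p] != current[p]),
    }


def demo():
    """Constructed scenario: a gold image, then post-restore drift to detect."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "etc").mkdir()
        (root / "bin" / "svc.exe").write_bytes(b"known-good binary")
        (root / "etc" / "app.conf").write_text("debug=false\n")
        baseline = build_baseline(root)          # captured before the incident
        # Simulate what a bad restore could look like: tampered binary,
        # unexpected extra file, and a missing config.
        (root / "bin" / "svc.exe").write_bytes(b"tampered binary")
        (root / "bin" / "updater.exe").write_bytes(b"unexpected file")
        (root / "etc" / "app.conf").unlink()
        return compare_to_baseline(baseline, build_baseline(root))
```

    Any non-empty "added" or "modified" entry is a reason to hold the sign-off and hand the path list to the forensic firm before the host returns to production.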

    Loop back to containment — additional IOCs typically mean broader scope than initially understood. Update the DOI notice and breach counsel with new findings.

Post-Incident Review

    Walk the timeline with IT, IR, Compliance, and Legal. Identify what detection control should have caught it earlier, which playbook steps slowed response, and where the call tree broke down. Capture findings in writing — Part 500 expects a written program updated after material events.

    Revise the GLBA Safeguards-Rule WISP and the Part 500 cybersecurity program documents to reflect the new controls. The biennial risk assessment under Part 500.9 should also be re-run if the incident materially changed the threat picture.

    Part 500.4 requires the CISO to report material cybersecurity events to the Board. Cover scope, customer impact, regulator status, and the remediation plan. Capture the Board's acknowledgment in the minutes for the next exam.

    Deliver targeted training tied to the incident's root cause — a phishing simulation if the entry vector was email, a vendor-access module if the entry was a TPA. Generic annual training is insufficient when a specific control failed.