Vendor Management Checklist

Vendor Selection and Due Diligence

    Document what nonpublic personal information the vendor will receive, store, or transmit — claimant PII, medical records, policyholder financials. Part 500 §500.11 scope tracks NPI access; vendors handling no NPI carry a lighter review track.

    Tier the vendor by criticality: Tier 1 (TPA, claims vendor, cloud policy admin, BPO with NPI); Tier 2 (document destruction, print/mail handling claim packets); Tier 3 (no NPI, low operational impact). Tier drives diligence depth and reassessment cadence.

    Send the RFP alongside a security due-diligence packet — SIG Lite or CAIQ for cloud vendors, plus carrier-specific addenda for NPI handling, breach notification timing, and subcontractor disclosure.

    Request the most recent SOC 2 Type II (within 12 months), a bridge letter covering the gap between the audit period end and today if the report is older than that, ACORD 25 evidencing cyber liability and E&O, and any state-required licensing. A SOC 2 Type I, or a Type II whose period has lapsed, is a common gotcha for cloud TPAs.

    Verify the carrier is named as additional insured where required and that the cyber limit matches the contract minimum.

    Screen the vendor entity, beneficial owners, and key principals against OFAC SDN and adverse media. Re-run at contract renewal — the SDN list changes weekly.

    Prefer references from peer carriers or MGAs of similar size and line of business. Ask specifically about incident history, turnover on the account team, and SLA performance during volume spikes (CAT events, renewal season).

Enhanced Cybersecurity Diligence

    Part 500.12(b) requires MFA for any individual accessing the Covered Entity's internal networks from an external network — including the vendor's contractors with VPN access. Confirm MFA covers admin consoles, not just end-user portals.

    Verify TLS 1.2+ for transit and AES-256 (or vendor-defined effective alternative controls per §500.15) at rest. Get the encryption design in writing — "industry standard" in a marketing deck is not sufficient evidence for examiners.

    Identify fourth parties touching NPI — offshore BPOs, cloud hosts, document scanning. The Insurance Data Security Model Law requires oversight of the chain, not just the direct contract counterparty.

Contract Negotiation and Execution

    Start from the carrier's master services agreement. Vendor paper typically caps liability below the cyber-incident exposure and lacks 72-hour notification language required under the NAIC Insurance Data Security Model.

    The carrier has 72 hours to notify the DOI of a cybersecurity event under NYDFS Part 500.17(a) and in most states adopting the NAIC Model. The vendor must notify the carrier within 24-48 hours so the carrier can meet its own clock — not within the vendor's preferred window.

    Tie SLAs to outcomes that show up in market-conduct exams: FNOL acknowledgement within Texas Chapter 542's 15 business days, claim decisioning timing, and reserve-update cadence. Service credits should be material enough to drive behavior, not a token 5%.

    Reserve the right to audit vendor controls annually, on reasonable notice, and on demand following a cybersecurity event. Include cooperation with regulatory exams — DOI examiners can subpoena vendor records through the carrier.

    Most states require 5-7 years of policy and claim file retention; workers comp can require 10+ years given lifetime medical exposure. Specify the return format, destruction certification, and a retention term that runs to the later of the statutory or contractual period.

Performance Monitoring

    Pick KPIs an examiner would recognize: FNOL acknowledgement timing, reserve-setting cadence (30/60/90), subrogation referral timeliness, OFAC screen-rate at payment. Avoid vanity metrics like "calls handled."

    Review early indicators with the vendor account manager: ramp issues, integration gaps with PolicyCenter or ClaimCenter, training shortfalls. Catch problems before they become a market-conduct finding.

    Sample 25-50 transactions for adherence to procedures: prompt-pay timing, reserve discipline, recorded-statement consent disclosure, OFAC screen at payment. Document findings and remediation owners.

    A remediation plan is required only when the audit returns findings or fails. Document each finding, the remediation owner at the vendor, and a deadline. Track to closure in the AMS or GRC tool of record.

Annual Risk Reassessment

    Pull the current SOC 2 Type II and a fresh ACORD 25. Confirm cyber and E&O limits still meet the contract minimum — limits often erode after carriers push renewal increases.

    Pull a D&B or Bloomberg credit summary. Document any material changes — new ownership, declining DSO, rumored layoffs at the vendor's parent. Tier 1 vendors warrant a financial check at least annually.

    Renew, renegotiate, or exit. If exiting, trigger the contract's transition-services and data-return clauses; allow 90-180 days for migration of active claims or policies.

    Notify the vendor in writing per the contract's notice clause. Open the transition workstream — data return, destruction certification, knowledge transfer, replacement vendor onboarding.