Disaster Recovery Checklist

Risk Assessment and BIA

    NYDFS Part 500.09 requires a periodic written risk assessment; most Covered Entities run it annually. Cover NPI inventory, threat scenarios (ransomware, wire fraud, vendor outage, natural disaster), and the controls that mitigate each. The CISO signs off; the assessment feeds the rest of this workflow.

    Rank business processes by RTO and RPO: policy issuance in PolicyCenter, FNOL intake in ClaimCenter, premium accounting, producer commission processing, and the AMS (Epic, AMS360, EZLynx). Tie each to its supporting systems so dependencies are explicit.

    Per Part 500.11 and the NAIC Insurance Data Security Model Law, third-party service providers handling NPI are in scope — TPAs, document destruction, print/mail vendors, cloud-hosted rating engines. Note which carrier portals (loss runs, billing) the agency depends on for renewals.

    Most states require 5–7 years of policy/claim file retention; workers' comp can require life-of-claim retention. Document the 72-hour DOI notification window under the NAIC Insurance Data Security Model Law (and the shorter timelines under NYDFS Part 500.17) so the IR runbook reflects them.

Communication Plan

    Include carrier underwriting and claims contacts, appointed wholesalers, the cyber insurer's incident hotline, outside counsel, the state DOI consumer services line for each state of operation, and key TPAs. Store off-network (printed binder plus encrypted USB at the alternate site).

    NYDFS uses the cybersecurity event reporting portal; NAIC-model states use their DOI's secure form. Document who has the credentials and the backup contact if the CISO is unavailable. Coordinate timing with breach counsel before submission.

    Pre-draft the GLBA-aligned insured notice, the producer-of-record outage notice, and the carrier outage notice ("binding suspended pending system restoration"). Vermont opt-in language and California CCPA/CPRA disclosures need state-specific variants.

    If email and the AMS are down, the tree must still work. Run a call-tree exercise using personal mobile numbers and the SMS notification platform. Capture who did not respond within the target window.

Data Backup and Recovery

    Three copies, two media types, one off-site and immutable (the 3-2-1 rule). Confirm that the AMS database (Epic, AMS360), document repositories (ImageRight, ePolicy), email archive, and policy/claims systems are all covered. Immutable copies defend against ransomware that targets backup volumes.

    Encryption of NPI at rest and in transit is required by NYDFS Part 500.15 and equivalent NAIC-model state regulations. Document the cipher, key custody, and rotation cadence. Backup tapes shipped off-site must be encrypted at the volume level, not just transport-encrypted.

    Restore a representative sample — a Tier 1 system, a document repository, and the email archive — into an isolated environment. "Backups complete successfully" in the console is not the same as "data restores cleanly"; the only proof is a tested restore.

    Track the gap, owner, and target close date. Material restore failures may require updating the BIA's RTO assumptions and notifying the cyber carrier as a control change.
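    The restore test and gap tracking above, as an added example that is not part of the checklist: it assumes the backup job writes a JSON manifest (a hypothetical format with each file's path, size and SHA-256, plus the backup timestamp), verifies a restore made into an isolated directory against that manifest, checks the copy's age against the RPO, and emits gap records with an owner and a target close date.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timedelta, timezone

def sha256_file(path):
    """Stream a file through SHA-256 so large document images stay out of memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(root, taken_at):
    """What the backup job would write at backup time (hypothetical manifest format)."""
    files = []
    for dirpath, _, names in os.walk(root):
        for name in sorted(names):
            full = os.path.join(dirpath, name)
            files.append({"path": os.path.relpath(full, root),
                          "size": os.path.getsize(full),
                          "sha256": sha256_file(full)})
    return {"taken_at": taken_at.isoformat(), "files": files}

def verify_restore(manifest, restore_root, rpo_hours, owner, now):
    """Compare a restore against its manifest; return gap records for the tracker."""
    gaps = []
    def gap(item, finding):  # every gap gets an owner and a 30-day target close date
        gaps.append({"item": item, "finding": finding, "owner": owner,
                     "target_close": (now + timedelta(days=30)).date().isoformat()})
    age = now - datetime.fromisoformat(manifest["taken_at"])
    if age > timedelta(hours=rpo_hours):
        gap("RPO", f"newest restorable copy is {age} old; RPO is {rpo_hours}h")
    for e in manifest["files"]:
        path = os.path.join(restore_root, e["path"])
        if not os.path.isfile(path):
            gap(e["path"], "missing after restore")
        elif os.path.getsize(path) != e["size"] or sha256_file(path) != e["sha256"]:
            gap(e["path"], "content differs from backup (truncated or corrupt)")
    return gaps

def demo():
    """Constructed sample: two files backed up; the restore loses one and truncates the other."""
    src, dst = tempfile.mkdtemp(), tempfile.mkdtemp()
    for name, data in (("policy_1001.pdf", b"%PDF policy"), ("claim_77.xml", b"<claim/>")):
        with open(os.path.join(src, name), "wb") as f:
            f.write(data)
    taken = datetime(2024, 6, 1, 2, 0, tzinfo=timezone.utc)
    manifest = build_manifest(src, taken)
    with open(os.path.join(dst, "claim_77.xml"), "wb") as f:
        f.write(b"<cl")  # truncated copy, as a bad restore would leave it
    return verify_restore(manifest, dst, rpo_hours=24, owner="Backup admin",
                          now=taken + timedelta(hours=30))
```

A clean restore returns an empty list; anything else is a gap record ready to drop into the tracker.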

Infrastructure and Vendors

    Include rating engines (TurboRater, EZLynx Rating), the AMS, claims systems, and any carrier-portal credentials. Shadow-IT SaaS used by producers (e-signature, file transfer) is the most commonly missed category and a recurring NPI exposure.

    Test failover for the AMS, the policy admin system, and the claims system. Confirm that DNS, the identity provider, and MFA still resolve at the failover site; the most common drill failure is SSO breaking when the primary IdP is offline.

    Part 500.12(b) requires MFA for any individual accessing internal networks from an external network, including TPAs, claims vendors, and IT contractors with VPN access. Treating MFA as employee-only is a common Part 500 finding.

    For any vendor without MFA, suspend access until enrolled or move them to a jump-host with carrier-side MFA. Update the vendor risk register and the next quarterly attestation.

    Pull current SOC 2 Type II reports for the AMS host, document repository, and any TPA touching NPI. Note any qualified opinions, bridge-letter gaps, and CUEC (complementary user entity controls) the agency is responsible for implementing.

Testing and Sign-Off

    Use a realistic scenario — ransomware encrypting the AMS during open enrollment, or a regional outage during peak FNOL volume after a hurricane. Include underwriting, claims, IT, the producer-of-record, and outside counsel.

    Capture each gap with an owner and target date. A drill that produces no plan changes usually means the scenario was too easy or the debrief was rushed.

    Cybersecurity awareness training is required under Part 500.14 and the NAIC model. Cover phishing scenarios specific to insurance: fake loss-run requests, wire-instruction changes on a closing, fraudulent producer appointment emails.

    Part 500.17(b) requires an annual written certification or acknowledgement of compliance, signed by the senior governing body or senior officer. File the supporting evidence (risk assessment, restore test logs, training records, tabletop AAR) with the certification.
