Disaster Recovery Checklist

NYDFS Part 500.09 requires a periodic written risk assessment; most Covered Entities run it annually. Cover NPI inventory, threat scenarios (ransomware, wire fraud, vendor outage, natural disaster), and the controls that mitigate each. The CISO signs off; the assessment feeds the rest of this workflow.

Rank business processes by RTO and RPO: policy issuance in PolicyCenter, FNOL intake in ClaimCenter, premium accounting, producer commission processing, and the AMS (Epic, AMS360, EZLynx). Tie each to its supporting systems so dependencies are explicit.

Per Part 500.11 and the NAIC Insurance Data Security Model Law, third-party service providers handling NPI are in scope — TPAs, document destruction, print/mail vendors, cloud-hosted rating engines. Note which carrier portals (loss runs, billing) the agency depends on for renewals.

Include carrier underwriting and claims contacts, appointed wholesalers, the cyber insurer's incident hotline, outside counsel, the state DOI consumer services line for each state of operation, and key TPAs. Store off-network (printed binder plus encrypted USB at the alternate site).

NYDFS uses the cybersecurity event reporting portal; NAIC-model states use their DOI's secure form. Document who has the credentials and the backup contact if the CISO is unavailable. Coordinate timing with breach counsel before submission.

Pre-draft the GLBA-aligned insured notice, the producer-of-record outage notice, and the carrier outage notice ("binding suspended pending system restoration"). Vermont opt-in language and California CCPA/CPRA disclosures need state-specific variants.

Three copies, two media types, one off-site and immutable. Confirm AMS database (Epic, AMS360), document repositories (ImageRight, ePolicy), email archive, and policy/claims systems are all covered. Immutable copies defend against ransomware that targets backup volumes.

Required by NYDFS Part 500.15 and equivalent NAIC-model state regulations. Document the cipher, key custody, and rotation cadence. Backup tapes shipped off-site must be encrypted at the volume level, not just transport-encrypted.

Restore a representative sample — a Tier 1 system, a document repository, and the email archive — into an isolated environment. "Backups complete successfully" in the console is not the same as "data restores cleanly"; the only proof is a tested restore.

Include rating engines (TurboRater, EZLynx Rating), the AMS, claims systems, and any carrier-portal credentials. Shadow-IT SaaS used by producers (e-signature, file transfer) is the most commonly missed category and a recurring NPI exposure.

Failover for the AMS, the policy admin system, and the claims system. Confirm that DNS, identity provider, and MFA still resolve at the failover site — the most common drill failure is SSO breaking when the primary IdP is offline.

Part 500.12(b) requires MFA for any individual accessing internal networks from external — including TPAs, claims vendors, and IT contractors with VPN access. Treating MFA as employee-only is a common Part 500 finding.

For any vendor without MFA, suspend access until enrolled or move them to a jump-host with carrier-side MFA. Update the vendor risk register and the next quarterly attestation.

Use a realistic scenario — ransomware encrypting the AMS during open enrollment, or a regional outage during peak FNOL volume after a hurricane. Include underwriting, claims, IT, the producer-of-record, and outside counsel.

Capture each gap with an owner and target date. A drill that produces no plan changes usually means the scenario was too easy or the debrief was rushed.

Required under Part 500.14 and the NAIC model. Cover phishing scenarios specific to insurance — fake loss-run requests, wire-instruction changes on a closing, fraudulent producer appointment emails.