Network Security Checklist

NYDFS Part 500.12(b) requires MFA for any individual accessing internal networks from an external network — including TPAs, claims vendors, and contractors with VPN access. Pull the IdP report (Okta, Entra ID, Duo) and confirm 100% coverage on remote access, privileged accounts, and any system holding NPI. Treating MFA as employee-only is the single most common Part 500 finding.

Pull the access list from PolicyCenter / ClaimCenter / Applied Epic and have each business owner attest. Common gotchas: terminated producers still appointed in the AMS, claims examiners with cross-LOB access, and shared service accounts for batch jobs.

Underwriters should not see claim notes; claims examiners should not see actuarial pricing files; producers should only see their book. Verify RBAC in the AMS, document management system (ImageRight, ePolicy), and any SharePoint or shared drive holding loss runs or claim packets.

Confirm IDS/IPS sensors cover all ingress/egress points and the segments holding policy and claims data. Validate rules are current and that alerts route to the on-call SOC queue, not a shared mailbox.

Review the past quarter of authentication, file-access, and admin-action logs in Splunk / Sentinel / Elastic. Flag bulk exports of claim files, after-hours producer logins, and any access from outside expected geographies.

NYDFS Part 500.5 requires annual pen testing or continuous monitoring equivalent. Scope must include the AMS, any portal exposing insured or claimant data, and the VPN. Capture the report and remediation tracker for the exam file.

Part 500.15 requires encryption of NPI in transit over external networks and at rest, or a CISO-approved compensating control. Check policy and claim databases, document repositories, backup volumes, and any SFTP exchange with carriers, reinsurers, or TPAs.

Confirm DLP fingerprints match real fields: claim numbers, SSNs on ACORD 130 workers comp apps, claimant medical records under HIPAA. Review the past quarter's DLP alerts — false positive rate above ~30% means the rules need retuning.

Restore a known recent backup of PolicyCenter / ClaimCenter / AMS to an isolated environment and validate data integrity. Backups that have never been test-restored are a common gap discovered during a real ransomware event.

Confirm the IRP includes the 72-hour DOI notification window required under the NAIC Insurance Data Security Model Law and NYDFS Part 500.17. Many IRPs default to GLBA's looser timing or HIPAA's 60-day window and miss the much shorter state-DOI clock.

Walk through a realistic scenario: ransomware on the AMS during renewal season, or a producer phishing compromise exposing a book of NPI. Include legal, compliance, claims leadership, and the carrier appointments contact. Document the after-action.

For any material gap from the tabletop, document owner, due date, and compensating control. Track in the CISO's risk register so it appears in the next biennial risk assessment under Part 500.9.

Update the control mapping for each state where the entity is licensed: NYDFS Part 500, the NAIC Insurance Data Security Model Law as adopted in SC, OH, MS, CT, VA, and others, plus GLBA Safeguards. Identify any state-specific deltas and assign owners.

Part 500.11 vendor scope includes TPAs, claims vendors, document destruction firms, and any printer handling claim packets — not just IT vendors. Confirm a current SOC 2 Type II for each, review CUECs, and document compensating controls for any gaps.

Phishing-resistance training tailored to insurance operations: fake FNOL emails, fraudulent loss-run requests, claimant impersonation, wire-fraud schemes targeting closing payments. Track completion against the producer and adjuster rosters; lapsed training is an audit finding.