Network Security Checklist

NYDFS Part 500.12(b) requires MFA for any individual accessing internal networks from an external network — including TPAs, claims vendors, and contractors with VPN access. Pull the IdP report (Okta, Entra ID, Duo) and confirm 100% coverage on remote access, privileged accounts, and any system holding NPI. Treating MFA as employee-only is the single most common Part 500 finding.

Pull the access list from PolicyCenter / ClaimCenter / Applied Epic and have each business owner attest. Common gotchas: terminated producers still appointed in the AMS, claims examiners with cross-LOB access, and shared service accounts for batch jobs.

Underwriters should not see claim notes; claims examiners should not see actuarial pricing files; producers should only see their book. Verify RBAC in the AMS, document management system (ImageRight, ePolicy), and any SharePoint or shared drive holding loss runs or claim packets.

Confirm minimum 8 characters, breached-password screening, no forced periodic rotation absent compromise. NYDFS expects documented password controls; GLBA Safeguards rule expects screening against known-breached credentials.

Confirm IDS/IPS sensors cover all ingress/egress points and the segments holding policy and claims data. Validate rules are current and that alerts route to the on-call SOC queue, not a shared mailbox.

Review the past quarter of authentication, file-access, and admin-action logs in Splunk / Sentinel / Elastic. Flag bulk exports of claim files, after-hours producer logins, and any access from outside expected geographies.

NYDFS Part 500.5 requires annual pen testing or continuous monitoring equivalent. Scope must include the AMS, any portal exposing insured or claimant data, and the VPN. Capture the report and remediation tracker for the exam file.

Pull firmware versions on perimeter firewalls, core switches, and VPN concentrators. Apply vendor-current versions or document a compensating control. Outdated edge firmware is a common finding in market-conduct cyber reviews.

Part 500.15 requires encryption of NPI in transit over external networks and at rest, or a CISO-approved compensating control. Check policy and claim databases, document repositories, backup volumes, and any SFTP exchange with carriers, reinsurers, or TPAs.

Confirm DLP fingerprints match real fields: claim numbers, SSNs on ACORD 130 workers comp apps, claimant medical records under HIPAA. Review the past quarter's DLP alerts — false positive rate above ~30% means the rules need retuning.

Restore a known recent backup of PolicyCenter / ClaimCenter / AMS to an isolated environment and validate data integrity. Backups that have never been test-restored are a common gap discovered during a real ransomware event.

Most states require 5–7 years of policy and claim file retention; workers comp often requires 10+ years given lifetime medical exposure. Confirm the destruction calendar honors the longest applicable retention and that the disposal vendor (often a Part 500 §500.11 covered third party) returns certificates of destruction.

Confirm the IRP includes the 72-hour DOI notification window required under the NAIC Insurance Data Security Model Law and NYDFS Part 500.17. Many IRPs default to GLBA's looser timing or HIPAA's 60-day window and miss the much shorter state-DOI clock.

Walk through a realistic scenario: ransomware on the AMS during renewal season, or a producer phishing compromise exposing a book of NPI. Include legal, compliance, claims leadership, and the carrier appointments contact. Document the after-action.

For any material gap from the tabletop, document owner, due date, and compensating control. Track in the CISO's risk register so it appears in the next biennial risk assessment under Part 500.9.

Confirm current contact info for each state DOI cyber-event reporting portal, the cyber liability carrier's breach hotline, outside breach counsel, and the forensics retainer. Numbers go stale fast — verify, don't assume.

Update the control mapping for each state where the entity is licensed: NYDFS Part 500, the NAIC Insurance Data Security Model Law as adopted in SC, OH, MS, CT, VA, and others, plus GLBA Safeguards. Identify any state-specific deltas and assign owners.

Part 500.11 vendor scope includes TPAs, claims vendors, document destruction firms, and any printer handling claim packets — not just IT vendors. Confirm a current SOC 2 Type II for each, review CUECs, and document compensating controls for any gaps.

Phishing-resistance training tailored to insurance operations: fake FNOL emails, fraudulent loss-run requests, claimant impersonation, wire-fraud schemes targeting closing payments. Track completion against the producer and adjuster rosters; lapsed training is an audit finding.

CISO sign-off plus any open findings feed into the annual compliance certification under Part 500.17(b). Capture the signature, the summary disposition, and any documented exceptions for the audit binder.