Network Security Checklist

Access Control and Authentication

    NYDFS Part 500.12 requires MFA for any individual accessing the entity's internal networks from an external network, and the 2023 amendment extends that to any individual accessing any of its information systems (universal MFA, due by November 1, 2025). That covers TPAs, claims vendors, and contractors with VPN access, not just employees. Pull the IdP enrollment report (Okta, Entra ID, Duo) and reconcile it against the full remote-access population, privileged accounts, and every account on any system holding NPI; anything short of 100% coverage needs a written, CISO-approved compensating control. Treating MFA as employee-only is one of the most common Part 500 findings.

    Pull the access list from PolicyCenter / ClaimCenter / Applied Epic and have each business owner attest. Common gotchas: terminated producers still appointed in the AMS, claims examiners with cross-LOB access, and shared service accounts for batch jobs.

    Underwriters should not see claim notes; claims examiners should not see actuarial pricing files; producers should only see their book. Verify RBAC in the AMS, document management system (ImageRight, ePolicy), and any SharePoint or shared drive holding loss runs or claim packets.

    Confirm a minimum of 8 characters, screening against known-breached credentials at set and reset time, and no forced periodic rotation absent evidence of compromise (the NIST SP 800-63B baseline). NYDFS expects documented password controls; GLBA Safeguards examiners likewise look for breached-credential screening as part of the access-control program.
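    The checks above as runnable logic, added here as an example and not taken from the page or from any IdP product: a length floor, breached-credential screening using the Have I Been Pwned k-anonymity range protocol, and no rotation rule other than a breach hit. The breached-password corpus and the range response are constructed inline so the block runs offline; in production `fetch_range` would call the real range endpoint and the password list below would not exist.

```python
"""Password-policy checks: length floor, breached-password screening via the
HIBP k-anonymity range pattern, and no periodic-rotation rule.
Added example; CONSTRUCTED_BREACHED and constructed_range_response stand in
for the real breach dataset and API so the block runs with no network."""
import hashlib

MIN_LENGTH = 8

# Constructed stand-in for the breach corpus: password -> times seen in breaches.
CONSTRUCTED_BREACHED = {"password": 3_861_493, "Summer2024!": 112, "Welcome1": 9_053}


def sha1_upper(password: str) -> str:
    """HIBP keys its dataset on upper-case hex SHA-1 of the password."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def constructed_range_response(prefix: str) -> str:
    """Stand-in for GET https://api.pwnedpasswords.com/range/{prefix}.
    Returns 'SUFFIX:COUNT' lines for every constructed breached hash sharing
    the 5-character prefix, the same shape the real endpoint returns."""
    lines = []
    for pw, count in CONSTRUCTED_BREACHED.items():
        digest = sha1_upper(pw)
        if digest[:5] == prefix:
            lines.append(f"{digest[5:]}:{count}")
    return "\r\n".join(lines)


def breach_count(password: str, fetch_range=constructed_range_response) -> int:
    """k-anonymity lookup: only the first 5 hex characters of the hash leave
    the client; the remaining 35 are matched locally against the range."""
    digest = sha1_upper(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in fetch_range(prefix).splitlines():
        if not line:
            continue
        candidate, _, count = line.partition(":")
        if candidate == suffix:
            return int(count)
    return 0


def evaluate_password(password: str, fetch_range=constructed_range_response) -> dict:
    """Apply the checklist controls. There is deliberately no age check:
    absent compromise there is no periodic rotation, so the only reset
    trigger here is a breach hit."""
    findings = []
    if len(password) < MIN_LENGTH:
        findings.append(f"shorter than {MIN_LENGTH} characters")
    hits = breach_count(password, fetch_range)
    if hits:
        findings.append(f"appears in breach corpus {hits} times; force reset")
    return {"accepted": not findings, "findings": findings, "breach_count": hits}


if __name__ == "__main__":
    for pw in ("password", "Welcome1", "short", "correct horse battery staple"):
        print(pw, evaluate_password(pw))
```

    The point of the prefix/suffix split is that an auditor can confirm from the proxy logs that only five hex characters ever left the network, which is what makes the screening acceptable against a third-party service for accounts that touch NPI.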

Network Monitoring and Intrusion Detection

    Confirm IDS/IPS sensors cover all ingress/egress points and the segments holding policy and claims data. Validate rules are current and that alerts route to the on-call SOC queue, not a shared mailbox.

    Review the past quarter of authentication, file-access, and admin-action logs in Splunk / Sentinel / Elastic. Flag bulk exports of claim files, after-hours producer logins, and any access from outside expected geographies.
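    The three review rules above as detection logic run over sample events, added as an example that is not from the page or from any SIEM vendor. The JSON-lines events, field names (`ts`, `user`, `role`, `action`, `src_country`, `app`, `object`), the home time zone, the expected-country set and the bulk-export threshold are all constructed assumptions; map them to whatever the real ClaimCenter or Applied Epic audit export actually emits.

```python
"""Quarterly log review as code: flags bulk claim-file exports, after-hours
producer logins (outside 06:00-20:59 local or on a weekend), and logins from
outside the expected geographies. Added example over constructed events."""
import json
from collections import Counter
from datetime import datetime, timedelta, timezone

HOME_TZ = timezone(timedelta(hours=-5))   # assumed entity home zone (US Eastern, standard time)
EXPECTED_COUNTRIES = {"US"}               # assumed expected source geographies
BUSINESS_HOURS = range(6, 21)             # 06:00-20:59 local counts as business hours
BULK_EXPORT_THRESHOLD = 25                # claim files exported by one user within one clock hour

# Constructed sample events: four hand-written logins plus a burst of exports.
CONSTRUCTED_EVENTS = [
    '{"ts":"2024-03-04T14:02:11Z","user":"jdoe","role":"adjuster","action":"login","src_country":"US","app":"ClaimCenter"}',
    '{"ts":"2024-03-05T03:47:03Z","user":"producer17","role":"producer","action":"login","src_country":"US","app":"AppliedEpic"}',
    '{"ts":"2024-03-05T09:15:30Z","user":"msmith","role":"underwriter","action":"login","src_country":"RO","app":"PolicyCenter"}',
    '{"ts":"2024-03-09T16:10:00Z","user":"producer22","role":"producer","action":"login","src_country":"US","app":"AppliedEpic"}',
] + [
    json.dumps({"ts": f"2024-03-05T15:{i:02d}:00Z", "user": "jdoe", "role": "adjuster",
                "action": "file_export", "object": f"CLM-2024-{1000 + i}", "app": "ClaimCenter"})
    for i in range(30)
]


def parse_events(lines):
    """Parse JSON lines and convert the UTC timestamp to local time, because
    the after-hours rule is about the user's clock, not the SIEM's."""
    events = []
    for line in lines:
        if not line.strip():
            continue
        event = json.loads(line)
        stamp = datetime.fromisoformat(event["ts"].replace("Z", "+00:00"))
        event["ts"] = stamp.astimezone(HOME_TZ)
        events.append(event)
    return events


def review(events):
    """Return a list of findings, each with rule, user and a human-readable detail."""
    findings = []
    export_buckets = Counter()          # (user, "YYYY-MM-DD HH") -> export count
    for e in events:
        local = e["ts"]
        if e["action"] == "login":
            if e.get("src_country") not in EXPECTED_COUNTRIES:
                findings.append({"rule": "geo", "user": e["user"],
                                 "detail": f"login from {e.get('src_country')} into {e['app']}"})
            after_hours = local.hour not in BUSINESS_HOURS or local.weekday() >= 5
            if e["role"] == "producer" and after_hours:
                findings.append({"rule": "after_hours_producer", "user": e["user"],
                                 "detail": f"login at {local.isoformat()} into {e['app']}"})
        elif e["action"] == "file_export":
            export_buckets[(e["user"], local.strftime("%Y-%m-%d %H"))] += 1
    for (user, hour), n in export_buckets.items():
        if n >= BULK_EXPORT_THRESHOLD:
            findings.append({"rule": "bulk_export", "user": user,
                             "detail": f"{n} claim files exported during hour {hour}"})
    return findings


if __name__ == "__main__":
    for f in review(parse_events(CONSTRUCTED_EVENTS)):
        print(f["rule"], f["user"], f["detail"])
```

    Bucketing exports by clock hour is deliberately crude; it is enough for a quarterly review sample, and a split burst across an hour boundary is the obvious case to tighten with a sliding window before turning this into a live alert.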

    NYDFS Part 500.5 requires annual penetration testing (under the 2023 amendment, by a qualified internal or external party and from both inside and outside the network boundary) plus vulnerability assessments at a frequency set by the risk assessment; the original rule's option to substitute continuous monitoring for periodic testing is gone. Scope must include the AMS, any portal exposing insured or claimant data, and the VPN. Capture the report and the remediation tracker for the exam file.

    Pull firmware versions on perimeter firewalls, core switches, and VPN concentrators. Apply vendor-current versions or document a compensating control. Outdated edge firmware is a common finding in market-conduct cyber reviews.

Data Protection and Encryption

    Part 500.15 requires encryption of NPI both in transit over external networks and at rest. The original rule accepted a CISO-approved compensating control for either; under the 2023 amendment a written, CISO-approved compensating control remains available only where encryption at rest is infeasible, and the in-transit allowance ended November 1, 2024. Check policy and claim databases, document repositories, backup volumes, and any SFTP exchange with carriers, reinsurers, or TPAs.

    Confirm DLP fingerprints match real fields: claim numbers, SSNs on ACORD 130 workers comp applications, and claimant medical records subject to HIPAA. A bare ###-##-#### pattern also fires on placeholders like 000-00-0000 and other dashed nine-digit strings, so validate candidates against the SSA format rules. Review the past quarter's DLP alerts; a false-positive rate above roughly 30% of closed alerts means the rules need retuning.
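    An added example, not from the page or from any DLP product, of what "fingerprints match real fields" means in practice: the naive SSN pattern beside a validated one, an assumed claim-number format, and the false-positive calculation over constructed alert dispositions. The ACORD 130 excerpt, the `CLM-YYYY-NNNNNN` claim-number format and the alert list are all constructed for the example.

```python
"""DLP fingerprint validation and alert false-positive rate.
Added example; the sample text, claim-number format and alert dispositions
are constructed, not taken from any real system."""
import re

# Naive pattern many DLP rules ship with: anything shaped like an SSN.
NAIVE_SSN = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
# Assumed claim-number format for this example: CLM-<4-digit year>-<6 digits>.
CLAIM_NUMBER = re.compile(r"\bCLM-(?:19|20)\d{2}-\d{6}\b")

# Constructed excerpt of a workers comp application with one real-shaped SSN,
# three SSN look-alikes that the SSA never issues, and two claim numbers.
CONSTRUCTED_ACORD130 = """ACORD 130 Workers Compensation Application (constructed sample)
Employer FEIN: 12-3456789
Employee: Jane Roe   SSN: 123-45-6789
Prior claim: CLM-2024-001234  (see also CLM-2024-001235)
Form revision 000-00-0000; vendor part no. 666-12-9999; invoice 912-34-5678
"""

# Constructed quarter of alert dispositions: 6 TP, 4 FP, 1 still open.
CONSTRUCTED_ALERTS = (
    [{"rule": "ssn", "disposition": "true_positive"}] * 6
    + [{"rule": "ssn", "disposition": "false_positive"}] * 3
    + [{"rule": "claim_number", "disposition": "false_positive"}]
    + [{"rule": "ssn", "disposition": "open"}]
)


def is_valid_ssn(candidate: str) -> bool:
    """SSA issuance rules: area is never 000, 666 or 900-999; group is never
    00; serial is never 0000."""
    area, group, serial = (int(part) for part in candidate.split("-"))
    if area == 0 or area == 666 or area >= 900:
        return False
    return group != 0 and serial != 0


def find_ssns(text: str) -> list:
    """Naive matches filtered down to SSA-valid numbers."""
    return [hit for hit in NAIVE_SSN.findall(text) if is_valid_ssn(hit)]


def find_claim_numbers(text: str) -> list:
    return CLAIM_NUMBER.findall(text)


def false_positive_rate(alerts, rule=None) -> float:
    """FP share of closed alerts (open alerts are excluded), optionally per rule."""
    closed = [a for a in alerts
              if a["disposition"] in ("true_positive", "false_positive")
              and (rule is None or a["rule"] == rule)]
    if not closed:
        return 0.0
    fp = sum(1 for a in closed if a["disposition"] == "false_positive")
    return fp / len(closed)


def needs_retuning(alerts, rule=None, threshold=0.30) -> bool:
    return false_positive_rate(alerts, rule) > threshold


if __name__ == "__main__":
    print("naive:", NAIVE_SSN.findall(CONSTRUCTED_ACORD130))
    print("validated:", find_ssns(CONSTRUCTED_ACORD130))
    print("claims:", find_claim_numbers(CONSTRUCTED_ACORD130))
    print("overall FP rate:", false_positive_rate(CONSTRUCTED_ALERTS))
    for r in ("ssn", "claim_number"):
        print(r, "retune:", needs_retuning(CONSTRUCTED_ALERTS, rule=r))
```

    Computing the rate per rule rather than only overall is what tells you which fingerprint to retune; in the constructed data the claim-number rule is the outlier even though it produced a single alert.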

    Restore a known recent backup of PolicyCenter / ClaimCenter / AMS to an isolated environment and validate data integrity. Backups that have never been test-restored are a common gap discovered during a real ransomware event.

    Most states require 5–7 years of policy and claim file retention; workers comp often requires 10+ years given lifetime medical exposure. Confirm the destruction calendar honors the longest applicable retention and that the disposal vendor (often a Part 500 §500.11 covered third party) returns certificates of destruction.

Incident Response and Recovery

    Confirm the IRP includes the 72-hour notification window to the state DOI (in New York, the superintendent) required under NYDFS Part 500.17(a) and the NAIC Insurance Data Security Model Law, measured from the determination that a cybersecurity event has occurred. Many IRPs default to GLBA's looser timing or HIPAA's 60-day breach-notification window and miss the much shorter state-DOI clock.

    Walk through a realistic scenario: ransomware on the AMS during renewal season, or a producer phishing compromise exposing a book of NPI. Include legal, compliance, claims leadership, and the carrier appointments contact. Document the after-action.

    For any material gap from the tabletop, document owner, due date, and compensating control. Track it in the CISO's risk register so it appears in the next Part 500.9 risk assessment (the amended rule requires that assessment at least annually).

    Confirm current contact info for each state DOI cyber-event reporting portal, the cyber liability carrier's breach hotline, outside breach counsel, and the forensics retainer. Numbers go stale fast — verify, don't assume.

Compliance and Vendor Risk

    Update the control mapping for each state where the entity is licensed: NYDFS Part 500, the NAIC Insurance Data Security Model Law as adopted in SC, OH, MS, CT, VA, and others, plus GLBA Safeguards. Identify any state-specific deltas and assign owners.

    Part 500.11 vendor scope includes TPAs, claims vendors, document destruction firms, and any printer handling claim packets — not just IT vendors. Confirm a current SOC 2 Type II for each, review CUECs, and document compensating controls for any gaps.

    Phishing-resistance training tailored to insurance operations: fake FNOL emails, fraudulent loss-run requests, claimant impersonation, and wire-fraud schemes targeting claim settlement and premium payments. Track completion against the producer and adjuster rosters; lapsed training is an audit finding.

    CISO sign-off plus any open findings feed into the annual compliance certification under Part 500.17(b). Capture the signature, the summary disposition, and any documented exceptions for the audit binder.