Business Continuity Checklist

Risk Assessment & Threat Identification

    List policy admin, claims, AMS, and any system holding NPI as defined under GLBA and NYDFS Part 500. Map east-west data flows including TPA, wholesaler, and reinsurance feeds — DR scope often misses the broker-portal integrations.

    Score threats relevant to your book — ransomware on ClaimCenter, vendor outage at the wholesale broker, hurricane-driven claim volume spike, producer credential compromise. Generic IT risk frameworks miss the cat-event-driven volume scenarios.

    Identify single-provider concentration on Guidewire, Duck Creek, Applied Epic, or shared TPAs. Part 500.11 requires vendor risk oversight covering anyone touching NPI — including print-mail vendors handling claim packets.

    Confirm the risk assessment satisfies NAIC Insurance Data Security Model Law §4 in adopted states (NY, SC, OH, MS, AL, CT, and others). State-specific deviations exist; NY's Part 500 expects continuous assessment, not annual.

    The CISO sign-off is required under Part 500.04 before the BCDR plan moves forward. Capture the approval status — conditional approvals frequently include named remediation owners and dates.

Business Impact Analysis

    Include FNOL intake, claim payments, policy issuance, premium collection, and producer commission processing. Skipping commission processing breaks producer relationships fast — agencies rely on weekly or monthly settlement.

    Tie RTO to binding regulatory windows: Texas Insurance Code Chapter 542 sets 15 business days to acknowledge a first-party claim, and missed FNOL intake during a multi-day outage triggers prompt-pay interest at 18% plus attorney's fees.

    Document state-specific prompt-pay statutes, NAIC unfair claim settlement standards, and OFAC screening windows on claim payment. These are the deadlines a BCDR event cannot toll.

    Talk with claims leads, underwriting managers, and accounting. Common gap: producer-of-record commission processing depends on AMS data the IT team scopes as 'reporting only,' but the agency considers it tier-1.

    Attach the final BIA with named function owners, RTO/RPO targets, and regulatory drivers. Auditors and DOI examiners both look for dated approval signatures on the BIA.

Emergency Response Plan

    Name the incident commander, CISO, claims VP, communications lead, and DOI liaison. Authority to declare a 'cybersecurity event' under Part 500.01(g) must rest with a named role, not a committee.

    State insurance data security laws and Part 500.17 require notification within 72 hours of determining a cybersecurity event has occurred. Include the DFS cyber-event reporting portal URL and the named filer for each state of authority.

    If the primary claims phone tree or customer portal goes down, route to a documented backup — adjuster cell directory, TPA overflow, or paper ACORD intake. The unfair claim settlement clock does not pause for outages.

    Use a realistic scenario — ransomware on PolicyCenter during cat season, or a wholesale broker outage at Q4 renewals. Capture whether the exercise revealed gaps in roles, authorities, or runbooks.

    For each gap surfaced, name an owner and a due date. Tabletop findings without an owner-and-date pair drift; auditors flag this at the next examination.

    State data security laws and NYDFS Part 500.03 expect at least annual policy review. Set the calendar invite now — reviews left without a fixed date drift past the deadline and become market-conduct findings.

IT and Data Recovery

    Confirm backup completion logs for the policy admin and claims systems for the prior 30 days. Restore at least one policy and one claim record to a sandbox; the existence of a backup is not the same as a recoverable backup.
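As an added example, not part of this checklist or any vendor's tooling, the Python check below walks a constructed 30-day backup job log, flags each day on which a system has no successful backup, and confirms that a sandbox restore test was actually logged for each system; the log line format, the system labels and the job names are assumptions.

```python
from datetime import date, timedelta

WINDOW_DAYS = 30
SYSTEMS = ("policy_admin", "claims")  # assumed labels used by the job scheduler


def build_sample_log(end: date) -> str:
    """Construct 30 days of synthetic 'DATE SYSTEM JOB STATUS' lines."""
    lines = []
    for back in range(WINDOW_DAYS):
        day = end - timedelta(days=back)
        for system in SYSTEMS:
            status = "OK"
            if system == "claims" and back in (3, 11):  # constructed failures
                status = "FAILED"
            lines.append(f"{day.isoformat()} {system} backup {status}")
    # only the claims system has a logged sandbox restore test in this sample
    lines.append(f"{(end - timedelta(days=7)).isoformat()} claims restore_test OK")
    return "\n".join(lines)


def parse_log(text: str):
    """Parse log lines into (date, system, job, status) tuples."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines instead of counting them as backups
        entries.append((date.fromisoformat(parts[0]), parts[1], parts[2], parts[3]))
    return entries


def missing_backup_days(entries, end: date, systems=SYSTEMS, window=WINDOW_DAYS):
    """Days inside the window with no successful backup, per system."""
    start = end - timedelta(days=window - 1)
    ok_days = {s: set() for s in systems}
    for day, system, job, status in entries:
        if job == "backup" and status == "OK" and system in ok_days and start <= day <= end:
            ok_days[system].add(day)
    expected = {start + timedelta(days=i) for i in range(window)}
    return {s: sorted(expected - ok_days[s]) for s in systems}


def restore_tested(entries, end: date, systems=SYSTEMS, window=WINDOW_DAYS):
    """True per system only if a successful restore_test was logged in the window."""
    start = end - timedelta(days=window - 1)
    return {s: any(name == s and job == "restore_test" and status == "OK"
                   and start <= day <= end
                   for day, name, job, status in entries) for s in systems}
```

A system that has backups every day but no restore-test entry still fails the check, which is the point of the item above.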

    Failover Applied Epic, AMS360, EZLynx, or the equivalent to its DR target. Capture actual time to recover; agencies often discover the AMS depends on a producer-licensing data feed that wasn't included in the DR runbook.

    Section 500.12(b) requires MFA for any access to internal networks from an external network — including DR portals and backup-vendor consoles. Treating MFA as employee-only misses the contractor scope that comes alive during recovery.

    Pull the current SOC 2 Type II for the cloud DR provider, the backup vendor, and any TPA hosting NPI. An expired or scope-mismatched SOC 2 is a Part 500.11 vendor-risk finding.

    Email the vendor's compliance contact for the latest report or a bridge letter. If they cannot produce one within 30 days, escalate to vendor risk management — concentration risk on a non-attested vendor is a board-reportable issue.

    Pick a different scenario each quarter — full datacenter loss, ransomware on the policy admin, vendor outage at the wholesale broker. Drills repeated against the same scenario miss the gaps that another scenario would surface.

Communication and Coordination

    Update the directory after every appointment change, MGA add, or reinsurance treaty renewal. Stale producer NPNs in the directory are a frequent cause of failed bind-authority verification during incident response.

    Pre-approve templates with legal and compliance for each notification scenario — cybersecurity event, prolonged outage, cat event. Drafting under time pressure during a 72-hour clock produces inconsistent statements across states.

    Test the call tree during business hours and after hours. CSR shifts in agencies vary; the after-hours adjuster on call is often a different person from the daytime claims lead.

    Cat-event response often pulls in the reinsurance team for follow-form notice and treaty triggers. The reinsurance manager should know the BCDR plan before the cat event, not during it.

    Part 500.03 requires the senior officer or the board to approve the cybersecurity policy. Capture the digital signature; minutes-only approvals frequently fail audit.
