Cyber Security Checklist

Network and Perimeter Security

    Pull the current ruleset from each perimeter firewall and diff it against the approved baseline. Flag any-any rules, expired temporary rules, and rules referencing decommissioned hosts. Part 500.7 (access privileges) and Part 500.3 (written policies) both expect documented evidence that the review took place.
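    The ruleset diff described above, as an added Python example that is not part of the original checklist or of any firewall vendor's tooling. It assumes both rulesets have been exported to a simple CSV (id, src, dst, service, action, expires); the sample rules, the decommissioned-host list and the audit date are all constructed here for illustration.

```python
"""Diff a firewall ruleset against the approved baseline and flag risky rules.

Added example; the CSV layout is an assumption, real exports differ per vendor.
"""
import csv
import io
from datetime import date

# Constructed sample baseline (approved ruleset). Empty 'expires' = permanent rule.
BASELINE_CSV = """id,src,dst,service,action,expires
FW-001,10.10.0.0/24,10.20.5.10,tcp/443,allow,
FW-002,10.10.0.0/24,10.20.5.11,tcp/1433,allow,
FW-003,any,10.30.1.5,tcp/443,allow,
"""

# Constructed sample of what the firewall actually runs today.
CURRENT_CSV = """id,src,dst,service,action,expires
FW-001,10.10.0.0/24,10.20.5.10,tcp/443,allow,
FW-002,10.10.0.0/24,10.20.5.11,tcp/1433,allow,
FW-003,any,10.30.1.5,tcp/443,allow,
FW-104,any,any,any,allow,2024-02-01
FW-105,10.10.0.0/24,10.20.9.40,tcp/22,allow,2025-12-31
FW-106,10.10.0.0/24,10.20.5.12,tcp/445,allow,
"""

# Constructed list of hosts the CMDB says were decommissioned.
DECOMMISSIONED_HOSTS = {"10.20.9.40"}

# Date the review is run (constructed).
AUDIT_DATE = "2025-01-15"


def parse_rules(text):
    """Return {rule_id: row_dict} from a CSV export."""
    return {row["id"]: row for row in csv.DictReader(io.StringIO(text))}


def review_ruleset(current_csv, baseline_csv, decommissioned, today_iso):
    """Compare current vs. baseline and flag the three risk classes from the checklist."""
    today = date.fromisoformat(today_iso)
    current = parse_rules(current_csv)
    baseline = parse_rules(baseline_csv)
    findings = {
        "not_in_baseline": [],      # rule exists on the box but was never approved
        "changed": [],              # approved rule whose fields drifted
        "missing_from_current": [], # approved rule that disappeared
        "any_any": [],
        "expired_temporary": [],
        "decommissioned_host": [],
    }
    for rid, rule in current.items():
        if rid not in baseline:
            findings["not_in_baseline"].append(rid)
        elif rule != baseline[rid]:
            findings["changed"].append(rid)
        if rule["src"] == "any" and rule["dst"] == "any" and rule["action"] == "allow":
            findings["any_any"].append(rid)
        # Temporary rules carry an expiry; anything past it should have been removed.
        if rule["expires"] and date.fromisoformat(rule["expires"]) < today:
            findings["expired_temporary"].append(rid)
        if rule["src"] in decommissioned or rule["dst"] in decommissioned:
            findings["decommissioned_host"].append(rid)
    findings["missing_from_current"] = [rid for rid in baseline if rid not in current]
    return findings


def run_review():
    """Run the review on the constructed data; the returned dict is the review evidence."""
    return review_ruleset(CURRENT_CSV, BASELINE_CSV, DECOMMISSIONED_HOSTS, AUDIT_DATE)


if __name__ == "__main__":
    for category, rule_ids in run_review().items():
        print(f"{category:22s} {', '.join(rule_ids) or '-'}")
```

    Keep the returned findings (with the audit date and who ran it) as the review record; a rule that appears in no category is the evidence that the baseline and the device agree.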

    NYDFS 23 NYCRR 500.12(b) requires MFA for any individual accessing internal networks from an external network — including third-party vendors with VPN access and TPAs touching claims systems. Treating MFA as employee-only is a common scope miss.

    Document each gap with the system, account type, and compensating control. Part 500.12 allows the CISO to approve reasonably equivalent compensating controls in writing — verbal approval is insufficient at exam time.

    Producer portals and quote/bind APIs are common attack surfaces. Confirm signatures are current and that anomalous-volume alerts route to the SOC, not just a shared inbox.

    Guest Wi-Fi must not route to networks carrying NPI or PHI. Verify SSID-to-VLAN mapping and confirm WPA3 or WPA2-Enterprise on staff networks.

Data Security and NPI Protection

    Per Part 500.15 and the NAIC Data Security Model Law, NPI must be encrypted in transit and at rest. Confirm TLS 1.2+ on agency portals and that policy admin databases (PolicyCenter, Epic, AMS360) use disk or column-level encryption. Where infeasible, the CISO must approve compensating controls in writing.

    Sample 30 days of access logs from ClaimCenter, PolicyCenter, and the AMS. Look for off-hours access, bulk exports, and access by accounts of terminated employees. Document findings even when nothing is anomalous — auditors expect to see the review happened.

    Pick a random claim file and a random policy file, restore to an isolated environment, and confirm integrity. Untested backups are a finding waiting to happen — recovery time matters under Part 500.16 incident response obligations.

    Most states require 5–7 years of policy and claim file retention; workers' comp can run 10+ years given lifetime medical exposure. Premature destruction creates spoliation risk and is often discovered during litigation, not during an exam.

Identity and Access Management

    Cross-check active producer logins in the AMS and rating systems against current NIPR appointment and license status. A producer with a lapsed license still able to bind in the system creates an unauthorized-transaction exposure.

    Pull HR's last-90-days termination report. For each, verify SSO disabled, AMS access revoked, carrier portal logins deprovisioned, and email forwarding removed. Lingering carrier-portal accounts are a frequent finding.

    For each orphaned account found, record the system, the date access was revoked, and whether the account was used between termination and revocation. The latter triggers Part 500.17 incident analysis.
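    The access-log review from the Data Security section (off-hours access, bulk exports, access by terminated accounts) and the termination reconciliation above both need the same log scan, so one added Python example covers both. It is not part of the original checklist and not a real product's log format: the key=value log lines, the HR termination report and the per-system revocation dates are all constructed here, and the business-hours window and bulk-export threshold are assumptions to tune per environment.

```python
"""Review application access logs and reconcile them against HR terminations.

Added example. Log format, thresholds and all sample data are constructed.
"""
import re
from datetime import datetime, timezone

# Constructed sample log lines (UTC timestamps, key=value fields).
ACCESS_LOG = """\
2025-01-06T09:12:44Z system=PolicyCenter user=asmith action=LOGIN
2025-01-06T23:41:10Z system=ClaimCenter user=bjones action=LOGIN
2025-01-07T10:05:02Z system=ClaimCenter user=asmith action=EXPORT rows=250
2025-01-08T11:30:15Z system=AMS user=cwhite action=EXPORT rows=18000
2025-01-09T14:02:51Z system=ClaimCenter user=dlee action=LOGIN
2025-01-12T15:20:00Z system=AMS user=dlee action=LOGIN
"""

# Constructed HR termination report: termination date plus the date each system's
# access was revoked (None = not revoked yet, i.e. an orphaned account).
TERMINATIONS = {
    "dlee": {"terminated": "2025-01-08",
             "revoked": {"ClaimCenter": "2025-01-10", "AMS": None}},
    "ewong": {"terminated": "2025-01-02",
              "revoked": {"ClaimCenter": "2025-01-02", "AMS": "2025-01-02"}},
}

LOG_RE = re.compile(r"^(\S+) (.*)$")


def parse_access_log(text):
    """Parse the constructed key=value format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip blank or malformed lines rather than abort the review
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        fields = dict(kv.split("=", 1) for kv in m.group(2).split())
        fields["ts"] = ts
        events.append(fields)
    return events


def is_off_hours(ts, start_hour=7, end_hour=19):
    """Weekend, or outside the assumed 07:00-19:00 UTC business window."""
    return ts.weekday() >= 5 or not (start_hour <= ts.hour < end_hour)


def review_access(events, terminations, bulk_threshold=5000):
    """Flag off-hours access, bulk exports, and any use of a terminated user's account."""
    findings = {"off_hours": [], "bulk_exports": [], "terminated_access": []}
    for ev in events:
        key = (ev["user"], ev["system"], ev["ts"].isoformat())
        if is_off_hours(ev["ts"]):
            findings["off_hours"].append(key)
        if ev.get("action") == "EXPORT" and int(ev.get("rows", 0)) >= bulk_threshold:
            findings["bulk_exports"].append(key)
        hr = terminations.get(ev["user"])
        if hr:
            day = ev["ts"].date().isoformat()  # ISO date strings compare correctly as text
            if day >= hr["terminated"]:
                revoked = hr["revoked"].get(ev["system"])
                findings["terminated_access"].append({
                    "user": ev["user"], "system": ev["system"], "when": key[2],
                    # True: used in the termination-to-revocation window (Part 500.17 analysis).
                    # False: used after the recorded revocation, so the revocation itself failed.
                    "before_revocation": revoked is None or day < revoked,
                })
    return findings


def orphaned_accounts(terminations, findings):
    """One row per terminated user and system: the record the checklist asks to keep."""
    used = {(f["user"], f["system"]) for f in findings["terminated_access"]}
    return [
        {"user": user, "system": system, "terminated": hr["terminated"],
         "revoked": revoked, "used_after_termination": (user, system) in used}
        for user, hr in terminations.items()
        for system, revoked in hr["revoked"].items()
    ]


if __name__ == "__main__":
    f = review_access(parse_access_log(ACCESS_LOG), TERMINATIONS)
    for row in orphaned_accounts(TERMINATIONS, f):
        print(row)
```

    An empty findings list is still worth keeping: the script's dated output is the evidence that the review happened, which is what the examiner looks for.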

    Part 500.7 requires periodic review of access privileges. Confirm domain admin, AMS admin, and carrier-portal admin counts against the approved list. Service accounts with interactive logon enabled are a common finding.

Application and Endpoint Security

    Pull patch compliance from Intune, Jamf, or your endpoint management console. Critical CVEs older than 30 days require a documented exception with CISO sign-off.

    Reconcile EDR (CrowdStrike, SentinelOne, Defender for Endpoint) device count against asset inventory. Devices in inventory but not reporting to EDR for 14+ days should be quarantined or recovered.
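    The EDR-to-inventory reconciliation above, as an added Python example that is not part of the original checklist and not the API of CrowdStrike, SentinelOne or Defender for Endpoint. It assumes both sides have been exported to simple lists of records (inventory: hostname, owner, status; EDR: hostname, last_seen); the sample records, the audit time and the 14-day staleness threshold are constructed here.

```python
"""Reconcile EDR device reporting against the asset inventory.

Added example; input shapes are assumptions, not a vendor export format.
"""
from datetime import datetime, timedelta, timezone

# Constructed asset inventory. 'retired' assets should no longer be online at all.
INVENTORY = [
    {"hostname": "uw-lap-0142", "owner": "underwriting", "status": "active"},
    {"hostname": "clm-lap-0077", "owner": "claims", "status": "active"},
    {"hostname": "svc-print-03", "owner": "it", "status": "active"},
    {"hostname": "old-lap-0009", "owner": "claims", "status": "retired"},
]

# Constructed EDR console export: last check-in per device, UTC.
EDR_DEVICES = [
    {"hostname": "UW-LAP-0142", "last_seen": "2025-01-14T08:10:00Z"},
    {"hostname": "clm-lap-0077", "last_seen": "2024-12-20T17:45:00Z"},
    {"hostname": "old-lap-0009", "last_seen": "2025-01-14T09:00:00Z"},
    {"hostname": "contractor-x1", "last_seen": "2025-01-13T12:00:00Z"},
]

AUDIT_TIME = "2025-01-15T00:00:00Z"  # constructed


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def reconcile(inventory, edr, now_iso, stale_days=14):
    """Classify every device by comparing the two sources (hostnames compared case-insensitively)."""
    now = parse_ts(now_iso)
    edr_by_host = {d["hostname"].lower(): d for d in edr}
    inventory_hosts = {a["hostname"].lower() for a in inventory}
    result = {
        "no_agent": [],               # active asset with no EDR record at all
        "stale": [],                  # active asset silent for > stale_days: quarantine or recover
        "healthy": [],
        "retired_but_reporting": [],  # inventory says retired, but the agent still checks in
        "unknown_to_inventory": [],   # EDR knows a host the inventory does not
    }
    for asset in inventory:
        host = asset["hostname"].lower()
        dev = edr_by_host.get(host)
        if asset["status"] != "active":
            if dev is not None:
                result["retired_but_reporting"].append(host)
            continue
        if dev is None:
            result["no_agent"].append(host)
            continue
        age = now - parse_ts(dev["last_seen"])
        if age > timedelta(days=stale_days):
            result["stale"].append((host, age.days))
        else:
            result["healthy"].append(host)
    result["unknown_to_inventory"] = sorted(h for h in edr_by_host if h not in inventory_hosts)
    return result


if __name__ == "__main__":
    for category, hosts in reconcile(INVENTORY, EDR_DEVICES, AUDIT_TIME).items():
        print(f"{category:24s} {hosts}")
```

    The two extra categories (retired assets still reporting, EDR hosts missing from inventory) are worth keeping in the same pass, since both point at an inventory that no longer matches reality.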

    Part 500.5 requires annual penetration testing of internet-facing systems. Scope must include the producer portal, claimant intake, and any quote/bind APIs. Confirm the engagement letter, test window, and remediation SLA before kickoff.

    Pull SAST/DAST findings from the last cycle. Prioritize anything touching NPI or auth flows. Document risk acceptance for any findings deferred beyond the SLA.

Cloud and Third-Party Risk

    Part 500.11 vendor risk scope includes TPAs, claims vendors, document destruction firms, and printers handling claim packets: anyone touching NPI, not only IT vendors. Treat expired SOC 2 reports as a finding requiring a bridge letter.

    Request a bridge letter from each vendor with an expired report and set a due date for the next SOC 2 delivery. Where the vendor cannot produce one, escalate to the business owner for a replacement decision.

    Review Netskope, Defender for Cloud Apps, or your CASB alerts for unsanctioned cloud usage — particularly NPI uploads to personal storage and unapproved AI tools handling underwriting submissions.

    The NAIC Insurance Data Security Model Law and NYDFS Part 500.17 require notification of a cybersecurity event to the Superintendent within 72 hours. Many incident response plans default to GLBA or HIPAA windows and miss this. Walk the runbook with on-call IR staff and verify state-by-state contact paths.
