Insurance Agency Office Closing Checklist

Walk each producer's desk and the CSR pods. Loose ACORD 125/130 applications, dec pages, loss runs, and printed COIs all contain NPI under GLBA and must be in a locked cabinet overnight — not stacked in inboxes. Pay attention to remarketing folders that tend to live on desks for weeks.

Clean-desk policy is a documented control under most agency WISPs and a Part 500 §500.11 expectation for vendors handling NPI. Anything left on a desk after close is treated as an unsecured exposure for the morning audit.

The shred vendor is a Part 500 §500.11 third-party service provider — premature disposal or an unlocked console is a reportable control gap. Verify the slot is closed and the bin is keyed shut.

Applied Epic, AMS360, EZLynx, and each carrier portal session must be fully signed out — not just minimized. Persistent sessions left on shared workstations are the most common finding in agency E&O cyber audits.

Pull the bind log and confirm each new policy and claim payee was screened against the OFAC SDN list today. A miss at the close step turns into an unauthorized transaction the next morning when premium posts.

Open the bind workflow in the AMS and identify any submissions where the insured expects effective dates before the next business morning. Anything time-sensitive needs an after-hours plan; do not let an indication roll into a quote without an underwriter touching it.

Email the on-call underwriter the submission, signed application, current loss runs, and any binding-authority notes. Confirm carrier appetite and producer state licensing before the handoff — a bind by an unappointed producer is rescindable.

Forward the claims intake line to the contracted TPA or carrier 24/7 number. Texas Chapter 542's 15-business-day acknowledgement clock starts at FNOL receipt regardless of what time the call comes in — gaps in coverage create prompt-pay exposure.

Check the backup console for the most recent Applied Epic / AMS360 / EZLynx job status. The GLBA Safeguards Rule and NYDFS Part 500 §500.08 require routine, tested backups of NPI; an undetected silent failure for several days is a documented exam finding.

Open a P1 ticket with the agency's MSP and copy the named CISO designee. A confirmed backup failure is a control deficiency that may trigger a 72-hour notification analysis under the NAIC Insurance Data Security Model Law if recovery is not assured.

Part 500 §500.12(b) requires MFA for any individual accessing the agency's internal network from an external network — including producers connecting from home and any contractor with VPN access. Confirm tonight's remote sessions all show an MFA factor in the access log.

Premium checks held overnight are commingled-funds and fiduciary risk under most state producer regulations. Drop them in the bank night deposit or lock in the agency safe — not in a desk drawer.

Engage the after-hours HVAC schedule. In coastal or high-humidity offices, do not set back so far that file rooms exceed humidity thresholds — paper claim files and humidor-sensitive records degrade.

Walk each marked exit. Boxes of file storage, printer overflow, or marketing materials cannot block egress paths — this is both an OSHA finding and a property-carrier loss-control inspection point.

Pull the access roster and confirm every issued key and badge is either with its assigned holder or in the lockbox. Terminated producers occasionally retain badges; reconcile here so it surfaces before payroll cutoff rather than at the next quarterly audit.