Insurance IT Security Review Checklist

Access Control and Identity Management

    NYDFS Part 500.12(b) requires MFA for any individual accessing internal networks from an external network — including third-party vendors with VPN access, not just employees. Confirm MFA coverage in the IdP for AMS, PolicyCenter, ClaimCenter, and any portal where producers or adjusters connect remotely.

    Pull the access roster from the AMS and policy/claims systems and reconcile against active producer appointments and adjuster assignments. Drift between HR status and system entitlements is the most common finding in market-conduct IT exams.

    Walk the HR offboarding ticket queue against IdP de-provisioning logs for the prior quarter. Pay special attention to terminated producers — their NPN may be deactivated at NIPR but their AMS login often lingers.
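The two reconciliations above (AMS roster against active appointments, and offboarding tickets against IdP de-provisioning events) can be scripted as one pass. The following is an added example written for this checklist, not Manifestly's, NYDFS's or any AMS vendor's tooling. The IdP log line format, the field names and the 24-hour de-provisioning target are assumptions; all sample data is constructed.

```python
"""Reconcile an AMS access roster against producer appointments, HR
offboarding tickets and IdP de-provisioning events (illustrative only)."""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

DEPROVISION_SLA = timedelta(hours=24)  # assumed WISP target for disabling access


@dataclass(frozen=True)
class RosterEntry:
    user: str            # AMS login
    npn: Optional[str]   # producer NPN, None for non-producer staff
    enabled: bool


# Constructed AMS access roster
AMS_ROSTER = [
    RosterEntry("jdoe", "12345678", True),
    RosterEntry("asmith", "23456789", True),   # terminated, AMS login lingers
    RosterEntry("bwong", None, False),
    RosterEntry("clee", "34567890", False),
    RosterEntry("dkim", None, False),
]

# Constructed: NPNs holding an active appointment with this carrier
ACTIVE_APPOINTMENTS = {"12345678", "34567890"}

# Constructed HR offboarding tickets: AMS login -> termination time
HR_TERMINATIONS = {
    "asmith": datetime(2024, 3, 1, 17, 0),
    "bwong": datetime(2024, 3, 4, 9, 0),
    "dkim": datetime(2024, 2, 20, 9, 0),
}

# Constructed IdP log export (assumed format: ISO timestamp, event, user=<login>)
IDP_LOG = """\
2024-02-23T11:00:00 DEPROVISION user=dkim
2024-03-01T10:00:00 LOGIN user=asmith
2024-03-04T09:15:00 DEPROVISION user=bwong
"""

LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<event>\S+)\s+user=(?P<user>\S+)$")


def parse_idp_log(text):
    """Return {login: earliest DEPROVISION timestamp} from the log export."""
    first = {}
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m or m["event"] != "DEPROVISION":
            continue
        ts = datetime.fromisoformat(m["ts"])
        if m["user"] not in first or ts < first[m["user"]]:
            first[m["user"]] = ts
    return first


def reconcile(roster, appointments, terminations, idp_log, sla=DEPROVISION_SLA):
    """Return sorted (login, finding) pairs describing entitlement drift."""
    findings = set()
    deprov = parse_idp_log(idp_log)
    by_user = {e.user: e for e in roster}

    # Offboarding tickets vs IdP events and the AMS roster
    for user, term_ts in terminations.items():
        entry = by_user.get(user)
        if entry is not None and entry.enabled:
            findings.add((user, "terminated_still_enabled"))
        if user not in deprov:
            findings.add((user, "deprovision_missing"))
        elif deprov[user] - term_ts > sla:
            findings.add((user, "deprovision_late"))

    # Enabled producer logins whose NPN no longer carries an appointment
    for entry in roster:
        if entry.enabled and entry.npn and entry.npn not in appointments:
            findings.add((entry.user, "appointment_drift"))
    return sorted(findings)


if __name__ == "__main__":
    for user, finding in reconcile(AMS_ROSTER, ACTIVE_APPOINTMENTS,
                                   HR_TERMINATIONS, IDP_LOG):
        print(f"{user}: {finding}")
```

In the constructed data, `asmith` shows the pattern the checklist warns about: the NPN has dropped off the appointment list and no de-provisioning event exists, yet the AMS login is still enabled. `dkim` was disabled, but three days after the ticket, outside the assumed 24-hour target.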

    Review admin and configuration roles in PolicyCenter, ClaimCenter, and the AMS. Privileged accounts should be named (no shared admin), tied to a justified role, and recertified at least annually under Part 500.07.

    Cross-reference active VPN accounts against current vendor contracts — TPAs, document destruction firms, claims vendors, and printers handling NPI all fall in scope under Part 500.11. Disable any account whose contract has lapsed.

NPI Protection and Encryption

    Confirm TLS 1.2+ on all carrier-facing portals and disk-level encryption on policy and claim file stores. Part 500.15 requires either encryption or a CISO-approved compensating control with documented rationale.

    Run a restore test — not just a backup-job success check. Workers' comp claims may need life-of-claim retention (10+ years), and a backup that has never been restored is not a backup.

    Review the prior quarter's DLP alerts. Tune patterns to catch claimant SSNs and policy numbers in outbound email and Slack-style channels. Adjusters emailing recorded statement transcripts to personal accounts is the recurring incident.
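The kind of pattern tuning this item calls for, as an added example written for this checklist rather than any DLP product's rule set: SSN matches are filtered with the SSA's never-issued ranges to cut false positives, only outbound traffic is alerted on, and mail to personal webmail is escalated. The internal domain, the policy-number format (WC/PL/CL prefix plus seven digits), the `#ext-` shared-channel naming and the webmail list are assumptions; every message is constructed.

```python
"""Outbound-content check for claimant SSNs and policy numbers (illustrative)."""
import re
from dataclasses import dataclass

INTERNAL_DOMAIN = "carrier.example"                            # assumed
PERSONAL_WEBMAIL = {"gmail.com", "outlook.com", "yahoo.com"}   # assumed list

# SSN with dashes, spaces or no separators; the digit/dash boundaries keep a
# 10-digit ticket or claim number from matching part-way through.
SSN_RE = re.compile(r"(?<![\d-])(\d{3})[- ]?(\d{2})[- ]?(\d{4})(?![\d-])")
# Assumed carrier policy-number format
POLICY_RE = re.compile(r"\b(?:WC|PL|CL)-\d{7}\b")


def is_plausible_ssn(area, group, serial):
    """SSA never issues area 000, 666 or 900-999, group 00 or serial 0000."""
    if area in ("000", "666") or area.startswith("9"):
        return False
    return group != "00" and serial != "0000"


@dataclass(frozen=True)
class Message:
    msg_id: str
    channel: str      # "email" or "slack"
    sender: str
    recipient: str    # address, or Slack channel name
    body: str


def recipient_domain(msg):
    return msg.recipient.rsplit("@", 1)[-1].lower()


def is_outbound(msg):
    if msg.channel == "email":
        return recipient_domain(msg) != INTERNAL_DOMAIN
    if msg.channel == "slack":
        return msg.recipient.startswith("#ext-")   # assumed shared-channel prefix
    return True


def severity(msg):
    if msg.channel == "email" and recipient_domain(msg) in PERSONAL_WEBMAIL:
        return "high"    # NPI leaving for a personal account
    return "medium"


def scan_messages(messages):
    """Return (msg_id, kind, masked_value, severity) for NPI in outbound traffic."""
    alerts = []
    for msg in messages:
        if not is_outbound(msg):
            continue
        sev = severity(msg)
        for m in SSN_RE.finditer(msg.body):
            if is_plausible_ssn(*m.groups()):
                alerts.append((msg.msg_id, "ssn", "***-**-" + m.group(3), sev))
        for m in POLICY_RE.finditer(msg.body):
            alerts.append((msg.msg_id, "policy_number", m.group(0), sev))
    return alerts


SAMPLE_MESSAGES = [  # constructed
    Message("m1", "email", "adj@carrier.example", "counsel@lawfirm.example",
            "Claimant SSN 123-45-6789, file WC-1234567 attached."),
    Message("m2", "email", "adj@carrier.example", "adj.personal@gmail.com",
            "Recorded statement transcript, claimant SSN 321 54 9876."),
    Message("m3", "email", "qa@carrier.example", "vendor@tpa.example",
            "Test fixtures only: 000-12-3456 and 666-01-1234."),
    Message("m4", "email", "adj@carrier.example", "lead@carrier.example",
            "Internal review of SSN 123-45-6789."),
    Message("m5", "slack", "csr@carrier.example", "#ext-broker-share",
            "Ticket 1234567890 closed; policy PL-7654321 renewed."),
]

if __name__ == "__main__":
    for alert in scan_messages(SAMPLE_MESSAGES):
        print(alert)
```

`m2` is the recurring incident from the checklist (a transcript headed to a personal account) and comes out as the only high-severity alert; `m3` and `m5` show the two false-positive guards, the SSA range filter and the digit boundary.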

    Vermont requires opt-in for non-affiliate sharing; California requires CCPA/CPRA-aligned disclosures for personal-lines insureds. Form letters templated nationally fail state-specific tests — confirm the AMS is sending the right state variant.

    Audit the file-transfer endpoints used for loss runs, bordereau, and premium remittance. Any FTP or unauthenticated HTTP endpoints found should be migrated to SFTP or a managed file-transfer service before the next bordereau cycle.

Network Security

    Confirm current patch level on PolicyCenter, ClaimCenter, Applied Epic or AMS360 hosts, and supporting middleware. Critical patches should be deployed within the SLA defined in the WISP — typically 30 days for high, 7 days for critical.

    Scan the external attack surface — producer portal, claims intake forms, marketing sites — and capture the report. Record the highest finding severity below; any Critical drives the emergency patching step.

    Verify that the claims environment housing recorded statements, EUO transcripts, and medical records is isolated from general corporate access. Run a sample-path test from a standard user workstation to confirm segmentation holds.

    Part 500.05 requires annual penetration testing and biennial risk assessment at minimum. Record the date of the last test below — if it is approaching the 12-month mark, book the next engagement now.

    Critical external findings on insurance systems are a 72-hour clock — both for patching and, if exploitation is suspected, for DOI notification under the Insurance Data Security Model Law. Open the change ticket today and notify the CISO.
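The three items above (patch SLA, highest scan finding, and the 72-hour clock on critical external findings) reduce to one triage pass over the scan report. The following is an added example for this checklist, not a scanner's or Manifestly's output format. The 90-day window for medium findings and the field layout are assumptions; the findings and the review time are constructed.

```python
"""Triage scan and patch findings against WISP windows and the 72-hour clock."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# 7 days critical and 30 days high as the checklist states; 90 days for
# medium is an assumed WISP value.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90}
EMERGENCY_WINDOW = timedelta(hours=72)          # critical external findings
SEVERITY_RANK = {"critical": 3, "high": 2, "medium": 1, "low": 0}


@dataclass(frozen=True)
class Finding:
    fid: str
    asset: str
    severity: str
    external: bool                 # reachable from the internet
    discovered: datetime
    patched: Optional[datetime] = None


def due_date(f):
    return f.discovered + timedelta(days=SLA_DAYS.get(f.severity, 90))


def triage(findings, now):
    """Bucket findings and report hours left (negative if passed) on any
    emergency clock for critical external findings."""
    report = {"highest_open": None, "overdue": [], "open": [],
              "closed_in_sla": [], "closed_late": [], "emergency": {}}
    best = -1
    for f in findings:
        due = due_date(f)
        if f.patched is None:
            rank = SEVERITY_RANK.get(f.severity, 0)
            if rank > best:
                best, report["highest_open"] = rank, f.severity
            report["overdue" if now > due else "open"].append(f.fid)
            if f.severity == "critical" and f.external:
                deadline = f.discovered + EMERGENCY_WINDOW
                report["emergency"][f.fid] = (deadline - now).total_seconds() / 3600
        else:
            report["closed_in_sla" if f.patched <= due else "closed_late"].append(f.fid)
    return report


SAMPLE_FINDINGS = [  # constructed
    Finding("f1", "policycenter-app01", "high", False, datetime(2024, 3, 1)),
    Finding("f2", "producer-portal", "critical", True, datetime(2024, 4, 9, 9, 0)),
    Finding("f3", "middleware-esb", "critical", False, datetime(2024, 4, 1),
            patched=datetime(2024, 4, 5)),
    Finding("f4", "marketing-www", "medium", True, datetime(2024, 2, 1)),
]
NOW = datetime(2024, 4, 10, 12, 0)   # constructed review time


def run_sample():
    return triage(SAMPLE_FINDINGS, NOW)


if __name__ == "__main__":
    for key, value in run_sample().items():
        print(f"{key}: {value}")
```

With the constructed data, `f1` is the overdue PolicyCenter patch, `f2` is the producer-portal critical that opens the emergency step with 45 hours left on its clock, and `f3` closed inside its 7-day window.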

Incident Response and Management

    Walk the IR plan against 500.16's required elements: internal response, recovery, external communications, evidence preservation, and post-incident review. Plans drafted before the 2023 amendments often miss the ransomware-payment notification requirement.

    Simulate ransomware encrypting the AMS during a renewal cycle. Test producer continuity, COI re-issuance for active certificate holders, and the 72-hour DOI notification chain. Capture any gaps below — findings drive the playbook update step.

    The NAIC Insurance Data Security Model Law requires notification within 72 hours of determining a cybersecurity event has occurred. Confirm the notification template, the named DOI contact for each licensed state, and who has authority to send.

    Confirm the SIEM is ingesting IdP authentication, AMS audit logs, and ClaimCenter administrative events. Logs that exist but are not retained for the WISP-defined window (often 1 year hot, 7 years cold) are findings waiting to happen.
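A coverage check for this item, as an added example for this checklist rather than any SIEM's API: it reads a status export, flags required sources that are missing or have gone silent, and compares configured retention with the window the checklist cites (1 year hot, 7 years cold). The CSV layout, the 60-minute staleness threshold and the source names are assumptions; the data is constructed.

```python
"""Check SIEM source coverage and retention against required sources (illustrative)."""
import csv
import io
from datetime import datetime, timedelta

REQUIRED_SOURCES = {"idp_auth", "ams_audit", "claimcenter_admin"}   # assumed names
HOT_DAYS_REQUIRED = 365
COLD_YEARS_REQUIRED = 7
STALE_AFTER = timedelta(minutes=60)    # assumed heartbeat expectation

# Constructed export: source, time of last event seen, retention configuration
SIEM_STATUS_CSV = """\
source,last_event,hot_days,cold_years
idp_auth,2024-04-10T11:58:00,365,7
ams_audit,2024-04-09T02:10:00,365,7
vpn,2024-04-10T11:50:00,90,1
"""
AS_OF = datetime(2024, 4, 10, 12, 0)   # constructed review time


def parse_status(text):
    """Return {source: {last_event, hot_days, cold_years}} from the export."""
    rows = {}
    for row in csv.DictReader(io.StringIO(text)):
        rows[row["source"]] = {
            "last_event": datetime.fromisoformat(row["last_event"]),
            "hot_days": int(row["hot_days"]),
            "cold_years": int(row["cold_years"]),
        }
    return rows


def check_coverage(status, required, as_of, stale_after=STALE_AFTER):
    """Return missing, stale and under-retained sources plus the healthy ones."""
    result = {"missing": sorted(required - set(status)),
              "stale": [], "retention_short": [], "ok": []}
    for name in sorted(status):
        s = status[name]
        healthy = True
        # A source that exists in the SIEM but stopped sending is a silent gap
        if as_of - s["last_event"] > stale_after:
            result["stale"].append(name)
            healthy = False
        # Retention below the WISP window is a finding even if ingestion works
        if s["hot_days"] < HOT_DAYS_REQUIRED or s["cold_years"] < COLD_YEARS_REQUIRED:
            result["retention_short"].append(name)
            healthy = False
        if healthy:
            result["ok"].append(name)
    return result


def run_sample():
    return check_coverage(parse_status(SIEM_STATUS_CSV), REQUIRED_SOURCES, AS_OF)


if __name__ == "__main__":
    for key, value in run_sample().items():
        print(f"{key}: {value}")
```

In the constructed export, ClaimCenter administrative events are not being ingested at all, the AMS audit feed stopped more than a day ago, and the VPN source is retained for only 90 days hot and one year cold.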

    Translate each gap from the tabletop into a concrete playbook revision — named roles, decision authority, and notification timing. Re-circulate to the IR team and re-run the simulation if the gaps were material.

Security Awareness and Training

    Cover the insurance-specific cases in the training content — claimant SSNs in email subject lines, recorded statements in personal cloud storage, COIs with bystander insureds. Track completion in the LMS; Part 500.14 requires training tied to risk assessment results.

    Some states are one-party consent; others are two-party. Failing to disclose recording at the start of the call makes the statement inadmissible and can support a bad-faith claim. Walk through state-by-state in the next adjuster huddle.

    Use lures producers actually see — fake carrier portal password resets, spoofed loss-run requests, fake NIPR license-renewal notices. Track click-through and reporting rates per role; assign remedial training to repeat clickers.

    The 72-hour clock starts when a cybersecurity event is determined to have occurred. A no-blame reporting path (email alias plus phone) gets adjusters and CSRs to escalate the misdirected loss-run faster than a ticketing system will.

    NYDFS Part 500.17 requires the CISO to file a written annual report and certification of compliance to the board. Capture the signature and attach the program report below; the certification is a personal attestation and should be reviewed before signing.
