Enterprise Risk Assessment Checklist
Scope and Risk Inventory
List every legal entity, line of business, and licensed state in scope. Holding-company entities filed under the Insurance Holding Company System Regulatory Act (Forms B/D) should each be named explicitly so the assessment maps to the same boundaries the DOI sees.
Catalog where nonpublic personal information lives: PolicyCenter / ClaimCenter (or Duck Creek, BriteCore), the AMS (Epic, AMS360, EZLynx), document repositories like ImageRight, and any TPA-hosted claim systems. Don't forget print/mail vendors and document-destruction firms — they're in scope for Part 500 §500.11.
Tag each identified risk to the relevant control family — NAIC Insurance Data Security Model Law §4 (information security program), NYDFS 23 NYCRR 500 sections, GLBA Safeguards Rule, and the NAIC Model Audit Rule for financial controls. Auditors expect the crosswalk; building it after the fact is a common finding.
Score likelihood and impact on the carrier's standard 5x5 scale. Attach the populated heat map. Inherent risk goes in this step; residual risk after controls is captured later.
Each top-quadrant risk gets a named owner at the VP or C-level. The CISO owns cyber risks under Part 500 §500.04; the Chief Actuary owns reserve adequacy; Compliance owns market-conduct exposure. Generic ownership ('IT owns it') is a recurring exam finding.
Technology and Cybersecurity Risk
Part 500.12(b) requires MFA for any individual accessing the Covered Entity's internal networks from an external network — including TPAs, claims vendors, and contractors with VPN access. Pull the IdP report and reconcile against the vendor inventory; treating MFA as employee-only is the most common scoping miss.
Pull current-year SOC 2 Type II reports for every Tier 1 vendor handling NPI — claims TPA, document destruction, print/mail, cloud hosting, AMS provider. Note any qualified opinions or carve-outs and route to the Vendor Risk Officer.
Part 500.15 requires encryption of NPI in transit over external networks and at rest unless infeasible with CISO-approved compensating controls. Sample backup volumes, claim-document shares, and email gateways. Document any compensating controls in writing — verbal acceptance won't survive an exam.
Part 500.05 requires annual penetration testing and biennial risk assessments at minimum. Attach the executive summary; track open findings to remediation tickets so the next assessment can verify closure.
Open a tracked remediation ticket for each gap surfaced in the MFA review. Part 500.17 requires the CISO to report material cybersecurity issues to the board, which includes scoping gaps that take more than 30 days to close.
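The MFA scoping check in the Part 500.12(b) item above, together with the remediation tracking in this item, is the kind of reconciliation that should be scripted rather than eyeballed once a year. The following is an added example, not part of the Manifestly checklist or any carrier's tooling: it runs over a constructed IdP export and a constructed vendor inventory, flags every account (employee, contractor or vendor alike) that reaches the internal network from outside without MFA, reconciles vendor accounts in both directions, and lists open remediation tickets past the 30-day threshold the checklist ties to board reporting. The group names in EXTERNAL_ACCESS_GROUPS and all account and vendor names are assumptions.

```python
from datetime import date

# Constructed sample IdP export (fictional accounts, not from any real tenant).
# One row per account: type, group memberships, and MFA enrolment status.
IDP_EXPORT = [
    {"user": "jdoe", "type": "employee", "groups": ["vpn-users"], "mfa": True},
    {"user": "asmith", "type": "employee", "groups": ["vpn-users"], "mfa": False},
    {"user": "svc-tpa-claims1", "type": "vendor", "groups": ["vpn-users", "claims-ro"], "mfa": False},
    {"user": "svc-printmail", "type": "vendor", "groups": ["sftp-external"], "mfa": False},
    {"user": "svc-legacy-ams", "type": "vendor", "groups": ["vpn-users"], "mfa": False},
    {"user": "contractor-lee", "type": "contractor", "groups": ["vpn-users"], "mfa": True},
    {"user": "bwong", "type": "employee", "groups": ["office-lan"], "mfa": False},
]

# Constructed vendor inventory keyed by the account each vendor is expected to use.
VENDOR_INVENTORY = {
    "svc-tpa-claims1": {"vendor": "Example Claims TPA", "tier": 1},
    "svc-printmail": {"vendor": "Example Print/Mail Vendor", "tier": 1},
    "svc-docdestroy": {"vendor": "Example Document Destruction", "tier": 1},
}

# Assumption: membership in these IdP groups grants access to internal
# networks from an external network (VPN, externally reachable SFTP).
EXTERNAL_ACCESS_GROUPS = {"vpn-users", "sftp-external"}

# Constructed remediation tickets and review date for the overdue check.
REVIEW_DATE = date(2024, 3, 15)
SAMPLE_TICKETS = [
    {"user": "asmith", "opened": date(2024, 3, 10), "closed": None},
    {"user": "svc-tpa-claims1", "opened": date(2024, 2, 1), "closed": None},
    {"user": "svc-printmail", "opened": date(2024, 1, 20), "closed": date(2024, 2, 5)},
    {"user": "svc-legacy-ams", "opened": date(2024, 1, 25), "closed": None},
]


def external_access_without_mfa(idp_rows):
    """Every account, of any type, that reaches the internal network from an
    external network without MFA. Account type is deliberately ignored: the
    scoping error the checklist warns about is filtering to employees only."""
    return sorted(
        row["user"]
        for row in idp_rows
        if set(row["groups"]) & EXTERNAL_ACCESS_GROUPS and not row["mfa"]
    )


def reconcile_vendor_accounts(idp_rows, inventory):
    """Two-way reconciliation: vendor accounts the IdP knows but the vendor
    inventory does not, and inventoried vendors with no IdP account at all."""
    idp_vendor_users = {r["user"] for r in idp_rows if r["type"] == "vendor"}
    return {
        "unlisted_vendor_accounts": sorted(idp_vendor_users - set(inventory)),
        "inventory_without_account": sorted(set(inventory) - idp_vendor_users),
    }


def overdue_gaps(tickets, today, threshold_days=30):
    """Open remediation tickets older than the threshold. The 30-day figure is
    the checklist's own trigger for board reporting under Part 500.17."""
    return sorted(
        t["user"]
        for t in tickets
        if t["closed"] is None and (today - t["opened"]).days > threshold_days
    )


if __name__ == "__main__":
    print("External access without MFA:", external_access_without_mfa(IDP_EXPORT))
    print("Vendor reconciliation:", reconcile_vendor_accounts(IDP_EXPORT, VENDOR_INVENTORY))
    print("Board-reportable (>30 days open):", overdue_gaps(SAMPLE_TICKETS, REVIEW_DATE))
```

The reconciliation is two-way on purpose: a vendor account that exists in the IdP but not in the inventory (here the constructed svc-legacy-ams) is an unknown third party with network access, while an inventoried vendor with no IdP account (svc-docdestroy) is either accessing some other way or not accessing at all, and both answers matter for the Part 500 scoping.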
Operational and Compliance Risk
Pull the NIPR roster and reconcile NPNs, resident vs. non-resident lines, and CE status against AMS-recorded producers of record. A bound transaction by a lapsed-CE producer is grounds for rescission and a market-conduct finding.
For MGAs and binding-authority producers, sample bound risks against the underlying carrier authority letter — line, hazard grade, limit, and geography. Out-of-authority bindings are a top E&O driver and a common reason carriers terminate appointments mid-year.
Pull a sample of TX, FL, and CA first-party claims and test against statutory acknowledgement and decision windows — Tex. Ins. Code Ch. 542 requires acknowledgement within 15 business days and decisioning within 15 business days of receiving all info, capped at 60 days. Each missed deadline triggers 18% statutory interest plus attorney's fees.
Most carriers screen against the OFAC SDN list at policy issuance but not at every claim payment. A claimant or assignee may be added to the SDN list mid-policy. Confirm the screening hits both events and that the daily SDN delta runs against the active claimant population, not just the insureds.
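To make the issuance-versus-payment gap concrete, here is an added example (not the checklist's own and not any vendor's screening engine) that screens a constructed insured list against a constructed, entirely fictional SDN-style list as it stood at issuance, applies a constructed daily delta, and then screens the active claimant population (claimants, assignees and payees) against the updated list. Name matching is exact after normalization (case, accents, punctuation and token order); real screening adds fuzzy matching and identifiers, which this example leaves out.

```python
import re
import unicodedata

# Constructed, fictional SDN-style list: no real designations are reproduced.
SDN_AT_POLICY_ISSUANCE = ["Fictional Sanctioned Trading Co", "Jane Q Fictional"]

# Constructed daily delta published after the policy was issued.
DAILY_DELTA = {
    "add": ["Zed Fictional-Payee"],
    "remove": ["Fictional Sanctioned Trading Co"],
}

# Constructed book: the insureds screened at issuance versus the parties that
# actually receive claim payments later in the policy term.
INSUREDS = [{"policy": "POL-1001", "name": "Harmless Widgets LLC"}]
ACTIVE_CLAIMANTS = [
    {"claim": "CLM-0001", "role": "claimant", "name": "Harmless Widgets LLC"},
    {"claim": "CLM-0002", "role": "assignee", "name": "Fictional-Payee, Zed"},
    {"claim": "CLM-0003", "role": "claimant", "name": "Fictional, Jane Q."},
    {"claim": "CLM-0004", "role": "payee", "name": "Fictional Sanctioned Trading Co"},
]


def normalize_name(name):
    """Fold case, accents and punctuation and sort the tokens so that
    'Fictional, Jane Q.' and 'Jane Q Fictional' compare equal."""
    folded = unicodedata.normalize("NFKD", name)
    folded = "".join(c for c in folded if not unicodedata.combining(c))
    return " ".join(sorted(re.findall(r"[a-z0-9]+", folded.lower())))


def apply_delta(sdn_names, delta):
    """Return the normalized list after applying one add/remove delta."""
    current = {normalize_name(n) for n in sdn_names}
    current |= {normalize_name(n) for n in delta.get("add", [])}
    current -= {normalize_name(n) for n in delta.get("remove", [])}
    return current


def screen(parties, sdn_normalized, id_key):
    """Screen a party list; return sorted (id, role, name) tuples that match."""
    return sorted(
        (p[id_key], p.get("role", "insured"), p["name"])
        for p in parties
        if normalize_name(p["name"]) in sdn_normalized
    )


def screen_both_events(insureds, claimants, sdn_at_issuance, delta):
    """Issuance screening uses the list as it stood at issuance and only the
    insureds; payment screening uses the list after the daily delta and the
    whole active claimant population. Hits present only in the second result
    are exactly what an issuance-only programme misses."""
    issuance_hits = screen(insureds, apply_delta(sdn_at_issuance, {}), "policy")
    payment_hits = screen(claimants, apply_delta(sdn_at_issuance, delta), "claim")
    return {"issuance": issuance_hits, "payment": payment_hits}


if __name__ == "__main__":
    result = screen_both_events(INSUREDS, ACTIVE_CLAIMANTS, SDN_AT_POLICY_ISSUANCE, DAILY_DELTA)
    print("Hits at issuance:", result["issuance"])
    print("Hits at payment:", result["payment"])
```

In the constructed data the insured is clean at issuance, so an issuance-only programme reports nothing; the payment-time run catches an assignee added by the delta and a claimant whose name was written surname-first in the claim system. The delta also removes a name, which is why the screening runs against the current list rather than against a snapshot taken at issuance.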
Confirm SERFF rate/form filings, Anti-Fraud Plan refreshes (NY, CA, FL, NJ, OH, NM, KY, LA, MN), Holding Company Forms B/D, and surplus-lines stamping office filings are current. Acquisitions in the prior year frequently leave inherited Anti-Fraud Plans unfiled.
Financial Risk and Attestation
Sample case reserves against the carrier's 30/60/90-day re-evaluation schedule. Placeholder reserves left untouched after FNOL contribute to IBNR drift and surface as market-conduct exam findings; the actuarial team should sign off on the sample.
Compute RBC at the legal-entity level and classify against NAIC action levels — Company Action, Regulatory Action, Authorized Control, Mandatory Control. Anything below the Company Action Level requires a written plan to the domiciliary commissioner.
A 'follow the fortunes' treaty drafted broadly may not align with the actual policy form's coverage triggers — particularly for claims-made forms, cyber, and named-peril property. Walk a sample of large-loss recoveries through the treaty wording with the reinsurance broker.
Workers' comp audits true up payroll-based premium at policy end; insureds who under-reported payroll on the application receive an additional premium bill, which becomes a dispute and bad-debt exposure. Confirm the audit backlog is within carrier SLA and that audit results are flowing back to the underwriter for renewal.
RBC at or below Company Action Level triggers mandatory board reporting and a corrective plan to the domiciliary commissioner under the Risk-Based Capital Model Act. The Chief Actuary and CFO co-present.
Capture the final disposition, attach the signed CISO attestation required under Part 500.17(b) (NY) or the equivalent state Insurance Data Security Model Law certification, and archive per the 5–7 year retention schedule (longer for WC).
