Vendor Management Checklist

Document what nonpublic personal information the vendor will receive, store, or transmit — claimant PII, medical records, policyholder financials. Part 500 §500.11 scope tracks NPI access; vendors handling no NPI carry a lighter review track.

Tier the vendor by criticality: Tier 1 (TPA, claims vendor, cloud policy admin, BPO with NPI); Tier 2 (document destruction, print/mail handling claim packets); Tier 3 (no NPI, low operational impact). Tier drives diligence depth and reassessment cadence.

Send the RFP alongside a security due-diligence packet — SIG Lite or CAIQ for cloud vendors, plus carrier-specific addenda for NPI handling, breach notification timing, and subcontractor disclosure.

Request the most recent SOC 2 Type II (within 12 months), bridge letter if the report is older than the audit period end, ACORD 25 evidencing cyber liability and E&O, and any state-required licensing. A SOC 2 Type I or expired Type II is a common gotcha for cloud TPAs.

Verify the carrier is named as additional insured where required and that the cyber limit matches the contract minimum.

Screen the vendor entity, beneficial owners, and key principals against OFAC SDN and adverse media. Re-run at contract renewal — the SDN list changes weekly.

Part 500.12(b) requires MFA for any individual accessing the Covered Entity's internal networks from an external network — including the vendor's contractors with VPN access. Confirm MFA covers admin consoles, not just end-user portals.

Verify TLS 1.2+ for transit and AES-256 (or vendor-defined effective alternative controls per §500.15) at rest. Get the encryption design in writing — "industry standard" in a marketing deck is not sufficient evidence for examiners.

Start from the carrier's master services agreement. Vendor paper typically caps liability below the cyber-incident exposure and lacks 72-hour notification language required under the NAIC Insurance Data Security Model.

The carrier has 72 hours to notify the DOI of a cybersecurity event under NYDFS Part 500.17(a) and most states adopting the NAIC Model. Vendor must notify the carrier within 24-48 hours so the carrier can meet its own clock — not within the vendor's preferred window.

Tie SLAs to outcomes that show up in market-conduct exams: FNOL acknowledgement within Texas Chapter 542's 15 business days, claim decisioning timing, and reserve-update cadence. Service credits should be material enough to drive behavior, not a token 5%.

Reserve the right to audit vendor controls annually, on reasonable notice, and on demand following a cybersecurity event. Include cooperation with regulatory exams — DOI examiners can subpoena vendor records through the carrier.

Most states require 5-7 years of policy and claim file retention; workers comp can require 10+ years given lifetime medical exposure. Specify return format, destruction certification, and the latest of statutory or contractual retention.

Pick KPIs an examiner would recognize: FNOL acknowledgement timing, reserve-setting cadence (30/60/90), subrogation referral timeliness, OFAC screen-rate at payment. Avoid vanity metrics like "calls handled."

Review early indicators with the vendor account manager: ramp issues, integration gaps with PolicyCenter or ClaimCenter, training shortfalls. Catch problems before they become a market-conduct finding.

Sample 25-50 transactions for adherence to procedures: prompt-pay timing, reserve discipline, recorded-statement consent disclosure, OFAC screen at payment. Document findings and remediation owners.

Pull the current SOC 2 Type II and a fresh ACORD 25. Confirm cyber and E&O limits still meet the contract minimum — limits often erode after carriers push renewal increases.

Pull a D&B or Bloomberg credit summary. Document any material changes — new ownership, declining DSO, rumored layoffs at the vendor's parent. Tier 1 vendors warrant a financial check at least annually.

Renew, renegotiate, or exit. If exiting, trigger the contract's transition-services and data-return clauses; allow 90-180 days for migration of active claims or policies.