Insurance Security Assessment
Twenty-four questions across the six risk domains regulators and carriers actually examine — Data Protection, PII Security, Regulatory Compliance, Incident Response, Third-Party Risk, and Business Continuity. About ten minutes. No email required to see your score.
- Mapped to NAIC Model Law, NYDFS 500, GLBA, NIST CSF 2.0
- Maturity scored Initial → Optimized per domain
- Scoring runs locally in your browser
- Optional written report + roadmap on request
What it covers
Six domains. Twenty-four honest questions.
Built around the threat picture insurance organizations actually face: ransomware on claims systems, BEC on premium and commission flow, third-party platform breaches that flow back as your notification obligation, and the regulator filings that expect documented evidence. The score gives leadership a place to start the conversation — not the conversation itself.
- Data Protection: encryption, key management, classification, and DLP for policyholder data, claims records, and underwriting files.
- PII Security: identity, access, and the controls that protect policyholder PII from phishing, BEC, and insider misuse.
- Regulatory Compliance: the information-security program, certifications of compliance, and the evidence regulators expect to see.
- Incident Response: what happens between the alarm and the regulator notification, including state-by-state breach timelines.
- Third-Party Risk: claims TPAs, policy admin platforms, rating engines, and the federation paths that move PII between you and them.
- Business Continuity: backups, recovery testing, and the discipline that keeps claims paying when systems are down.
What does the assessment cover?
Twenty-four questions across six domains: Data Protection, PII Security, Regulatory Compliance, Incident Response, Third-Party Risk, and Business Continuity. Each answer maps to a maturity level (Initial, Developing, Managed, Optimized) cross-walked to the NAIC Insurance Data Security Model Law, NYDFS 23 NYCRR 500, GLBA Safeguards, and NIST CSF 2.0.

How long does it take?
About ten minutes. You can stop at any point — your answers are scored locally in the browser and never leave your device until you choose to request a written report.

Do I need to give an email address?
No. The assessment runs entirely client-side. If you want a written report and a 30/60/90-day plan from our team, you can request one at the end — but the score itself is yours immediately.

Is this a substitute for a regulator filing or audit?
No. It is a fast, honest self-check — meant to surface the obvious gaps before a NAIC examination, NYDFS certification of compliance, carrier audit, or — worst case — a ransomware event. A formal audit, NYDFS 500 program assessment, or pen test is a separate engagement.
About this insurance cybersecurity assessment
What this assessment measures — and how insurers use it under NAIC Model Law and NYDFS Part 500.
This insurance industry cybersecurity readiness assessment is built around the NAIC Insurance Data Security Model Law (#668) as adopted by 25+ states, the NYDFS Part 500 Cybersecurity Regulation that applies to every entity licensed by the New York Department of Financial Services, and the GLBA Safeguards Rule overlay that applies to insurers handling consumer financial information. The questions cover the same control areas state insurance examiners scrutinize during market-conduct examinations: the written information security program (WISP), risk assessments, access controls, multi-factor authentication, vendor due diligence, encryption of nonpublic information, incident response, board reporting, and the 72-hour breach-notification requirements that NYDFS-licensed institutions face.
Scoring runs locally in your browser — nothing leaves your device unless you explicitly request a written report. The output maps to a four-tier maturity scale aligned to NAIC Model Law program-evaluation criteria, so the result is usable when responding to state insurance department information requests or preparing the annual certification of compliance NYDFS Part 500 requires from covered entities.
How insurance security teams typically use these results
Three patterns:
- Annual NYDFS Part 500 certification: the regulation requires a written certification each April; this assessment surfaces the gaps you'd otherwise certify around.
- Vendor due diligence response: carriers, brokers, and reinsurers increasingly require self-assessed cybersecurity maturity from third parties handling policyholder PII.
- Board reporting: the NAIC Model Law explicitly requires the WISP and security program to report annually to the board.
What to do next
Cyberuptive serves carriers, MGAs, brokers, third-party administrators, and the insurtech vendors serving them with managed cybersecurity programs built around state insurance regulator expectations. Our Managed Detection and Response and 24/7 SOC-as-a-Service stack produces the continuous monitoring and incident-response evidence both NAIC Model Law and NYDFS Part 500 require, and our penetration testing services meet the annual penetration testing requirement at NYDFS §500.05(a).
Related reading: MDR vs MSSP vs SIEM: a 2026 buyer's guide · Top MSSP providers in 2026.
Talk to a real engineer
Want a partner who knows what an examiner actually asks for?
Whether you're shoring up after a near-miss, prepping a NYDFS certification of compliance, or scoping a managed SOC for the carrier — we can help.