Insurers hold the data attackers want — and the regulators expect proof you can protect it.
Carriers, MGAs, and agencies sit on policyholder PII, medical underwriting data, claims history, and the third-party platforms that move all of it. We operate a managed security program built for that picture — aligned to the NAIC Insurance Data Security Model Law, NYDFS 23 NYCRR 500, GLBA, and the state breach-notification statutes that apply to your book.
The threat picture
Ransomware on claims systems, BEC on premium flow, and a long tail of third-party exposure.
Three threat patterns dominate insurance engagements: ransomware that takes claims systems offline at the worst possible time, business email compromise rerouting premium and commission payments, and breaches at a third-party platform — claims TPA, policy admin, rating engine — that flow back as a notification obligation to the carrier or agency.
Our managed services are built for that picture: 24/7 SOC and EDR, identity hardening across Microsoft 365 and Azure, vulnerability management, vendor risk monitoring, and a rehearsed incident response plan with state-by-state notification timelines pre-mapped.
- 24/7 SOC: Endpoint, identity, and SaaS telemetry monitored continuously by US-based analysts.
- EDR + active response: Endpoint isolation under your authorization rules — contain a host before it reaches the policy or claims environment.
- Identity hardening: Conditional Access, MFA, and PIM across M365 and Azure to shut down phishing, BEC, and premium-diversion fraud.
- Vulnerability management: Continuous credentialed scanning, prioritization by exploitability, patching cadence aligned to NAIC expectations.
- Third-party risk: Inventory of claims, policy admin, and rating vendors with attestation review and federation monitoring.
- Backup posture review: Immutable backups and recovery-time validation so claims operations are restored in hours, not weeks.
- Incident response: 24/7 IR retainer with state breach-notification timelines, regulator-ready evidence, and reinsurer / carrier escalation paths.
- Regulator-ready evidence: Documentation packages mapped to NAIC Model Law, NYDFS 500, GLBA Safeguards, and state-specific filings.
Who we serve
Carriers, MGAs, and independent agencies — same threat picture, different scope.
The data attackers want is the same up and down the distribution chain. The control scope, evidence burden, and regulator reach are not. We tune the engagement to fit.
Carriers
Full NAIC Insurance Data Security Model Law and (where applicable) NYDFS 500 obligations. Claims systems, policy admin, rating engines, and underwriting data all in scope.
MGAs & program admins
Sitting on carrier paper with inherited security expectations from the carrier's information-security program. Federated identity and data-flow boundaries matter more than anything.
Independent agencies
Same ransomware and BEC exposure as a small business — with thinner IT and a fiduciary duty over policyholder PII. We deliver the operational controls without the enterprise weight.
Frameworks we map to
Insurance regulators speak in models. Your evidence has to match.
We deliver against the frameworks your domiciliary regulator, your carriers, and your reinsurers actually ask about. Evidence is mapped, dated, and version-controlled.
NAIC Insurance Data Security Model Law
Adopted by 25+ states. Information-security program, risk assessment, third-party oversight, breach notification.
NYDFS 23 NYCRR 500
CISO designation, MFA, encryption, IR plan, third-party security policy, certification of compliance.
GLBA Safeguards Rule
For insurance affiliates of financial holding companies. Risk assessment, access controls, encryption, training.
State breach-notification
All 50 states + DC. Pre-mapped notification timelines, content requirements, and regulator addresses.
NIST CSF 2.0
Govern, Identify, Protect, Detect, Respond, Recover. The cross-walk every insurance examiner recognizes.
SOC 2 / HITRUST (vendor-side)
Attestation review for claims, policy admin, and rating-engine vendors. Trust but verify.
Operational resilience
Designed around the cost of a stopped claims line.
Insurance security is a business-continuity discipline. Every control we recommend is justified against one question: does this reduce the chance — or the duration — of an outage that stops claims payments and triggers a regulator call?
Prevent
Identity hardening, MFA on every remote path, patching, segmentation, and email controls that close the doors attackers actually use.
Detect
EDR + SIEM with 24/7 analyst review and SaaS-aware detections for M365, Azure, and federated insurance platforms.
Recover
Immutable backups, IR retainer, and tabletop exercises so the first time you run the playbook isn't during a regulator call.
Free self-assessment
Where does your insurance program actually stand on policyholder data, regulators, third-party risk, and IR?
Twenty-four questions across six domains — Data Protection, PII Security, Regulatory Compliance, Incident Response, Third-Party Risk, and Business Continuity. Mapped to NAIC Model Law, NYDFS 500, GLBA, and NIST CSF 2.0. Scored locally in your browser. Roughly ten minutes.
- What insurance regulations does Cyberuptive align with?
  Our managed program aligns to the NAIC Insurance Data Security Model Law (adopted by 25+ states), the New York DFS 23 NYCRR 500 cybersecurity regulation, the GLBA Safeguards Rule for insurance affiliates, and state-level breach-notification statutes. Where carriers are publicly traded, we also map to SOX IT general controls. Evidence packages are framework-mapped, dated, and version-controlled.
- Do you work with carriers, MGAs, and independent agencies?
  Yes. The threat picture is similar — policyholder PII, claims data, and third-party platform access — but the control scope changes by org type. Carriers carry full Insurance Data Security Model Law obligations, MGAs sit on carrier paper and inherit a slice, and agencies face the same ransomware and BEC exposure with thinner IT staff. We scope to fit.
- How do you handle third-party risk on claims and policy admin systems?
  Claims, policy admin, and rating systems are almost always SaaS or hosted by a vendor. We inventory the critical third parties, review their attestations (SOC 2 Type II, ISO 27001, HITRUST where applicable), monitor identity and federation between your tenant and theirs, and put response runbooks in place for vendor-side incidents — including notification obligations that flow back to your policyholders.
- What happens to our business if claims systems are taken offline by ransomware?
  Claims downtime is the headline business-continuity risk for insurance — payments stop, regulators notice, and policyholder trust erodes fast. We harden identity and endpoint to reduce the chance of a successful intrusion, segment the claims environment, validate immutable backups, and run tabletop exercises against ransomware scenarios so the playbook is rehearsed before it is needed.
- Can you help us pass cyber-insurance underwriting questions?
  Yes — and ironically, insurance carriers are increasingly subject to the same questionnaires they once issued. We produce evidence for MFA on all remote access, EDR coverage, immutable backups, IR plan, vulnerability management cadence, and security awareness training. The same evidence supports state regulator filings and reinsurance treaty conditions.
Talk to a real engineer
Need a security partner who knows what an examiner actually asks for?
Whether you're shoring up after a near-miss, prepping a NYDFS certification of compliance, or scoping a managed SOC for the carrier — we can help.