Insurance · Policyholder data · NAIC & NYDFS
Insurers hold the data attackers want — and the regulators expect proof you can protect it.
Carriers, MGAs, and agencies sit on policyholder PII, medical underwriting data, claims history, and the third-party platforms that move all of it. We operate a managed security program built for that picture — aligned to the NAIC Insurance Data Security Model Law, NYDFS 23 NYCRR 500, GLBA, and the state breach-notification statutes that apply to your book.
The threat picture
Ransomware on claims systems, BEC on premium flow, and a long tail of third-party exposure.
Three threat patterns dominate insurance engagements: ransomware that takes claims systems offline at the worst possible time, business email compromise rerouting premium and commission payments, and breaches at a third-party platform — claims TPA, policy admin, rating engine — that flow back as a notification obligation to the carrier or agency.
Our managed services are built for that picture: 24/7 SOC and EDR, identity hardening across Microsoft 365 and Azure, vulnerability management, vendor risk monitoring, and a rehearsed incident response plan with state-by-state notification timelines pre-mapped.
- 24/7 SOC: Endpoint, identity, and SaaS telemetry monitored continuously by US-based analysts.
- EDR + active response: Endpoint isolation under your authorization rules, so a compromised host is contained before it reaches the policy or claims environment.
- Identity hardening: Conditional Access, MFA, and PIM across M365 and Azure to shut down phishing, BEC, and premium-diversion fraud.
- Vulnerability management: Continuous credentialed scanning, prioritization by exploitability, and a patching cadence aligned to NAIC expectations.
- Third-party risk: Inventory of claims, policy admin, and rating vendors with attestation review and federation monitoring.
- Backup posture review: Immutable backups and recovery-time validation so claims operations are restored in hours, not weeks.
- Incident response: 24/7 IR retainer with state breach-notification timelines, regulator-ready evidence, and reinsurer / carrier escalation paths.
- Regulator-ready evidence: Documentation packages mapped to NAIC Model Law, NYDFS 500, GLBA Safeguards, and state-specific filings.
Who we serve
Carriers, MGAs, and independent agencies — same threat picture, different scope.
The data attackers want is the same up and down the distribution chain. The control scope, evidence burden, and regulator reach are not. We tune the engagement to fit.
Carriers
Full NAIC Insurance Data Security Model Law and (where applicable) NYDFS 500 obligations. Claims systems, policy admin, rating engines, and underwriting data all in scope.
MGAs & program admins
Sitting on carrier paper with inherited security expectations from the carrier's information-security program. Federated identity and data-flow boundaries matter more than anything.
Independent agencies
Same ransomware and BEC exposure as a small business — with thinner IT and a fiduciary duty over policyholder PII. We deliver the operational controls without the enterprise weight.
Frameworks we map to
Insurance regulators speak in models. Your evidence has to match.
We deliver against the frameworks your domiciliary regulator, your carriers, and your reinsurers actually ask about. Evidence is mapped, dated, and version-controlled.
NAIC Insurance Data Security Model Law
Adopted by 25+ states. Information-security program, risk assessment, third-party oversight, breach notification.
NYDFS 23 NYCRR 500
CISO designation, MFA, encryption, IR plan, third-party security policy, certification of compliance.
GLBA Safeguards Rule
For insurance affiliates of financial holding companies. Risk assessment, access controls, encryption, training.
State breach-notification
All 50 states + DC. Pre-mapped notification timelines, content requirements, and regulator addresses.
NIST CSF 2.0
Govern, Identify, Protect, Detect, Respond, Recover. The cross-walk every insurance examiner recognizes.
SOC 2 / HITRUST (vendor-side)
Attestation review for claims, policy admin, and rating-engine vendors. Trust but verify.
Operational resilience
Designed around the cost of a stopped claims line.
Insurance security is a business-continuity discipline. Every control we recommend is justified against one question: does this reduce the chance — or the duration — of an outage that stops claims payments and triggers a regulator call?
Prevent
Identity hardening, MFA on every remote path, patching, segmentation, and email controls that close the doors attackers actually use.
Detect
EDR + SIEM with 24/7 analyst review and SaaS-aware detections for M365, Azure, and federated insurance platforms.
Recover
Immutable backups, IR retainer, and tabletop exercises so the first time you run the playbook isn't during a regulator call.
Free self-assessment
Where does your insurance program actually stand on policyholder data, regulators, third-party risk, and IR?
Twenty-four questions across six domains — Data Protection, PII Security, Regulatory Compliance, Incident Response, Third-Party Risk, and Business Continuity. Mapped to NAIC Model Law, NYDFS 500, GLBA, and NIST CSF 2.0. Scored locally in your browser. Roughly ten minutes.
2026 insurance cybersecurity outlook
What's changed for insurance carriers, MGAs, and agencies this year — and what mid-market insurers should do about it
The 2026 threat picture for the U.S. insurance industry is shaped by four reinforcing pressures: ransomware operators are explicitly targeting claims and policy administration systems because the downtime cost is asymmetric; business email compromise crews have moved beyond invoice fraud into premium and commission diversion against agencies; AI-augmented social engineering is reaching the underwriting and claims adjuster workflows that were previously below the threshold of organized attacker attention; and regulators — led by NYDFS Part 500, the NAIC Insurance Data Security Model Law (now adopted in 25+ states with more on the way), and the GLBA Safeguards Rule — are demanding documented evidence of controls, not policy summaries. The mid-market insurance organizations that ranked well on cyber-insurance questionnaires three years ago are increasingly the ones being told by their own carriers that those answers are no longer sufficient.
For carriers, the practical 2026 baseline is: MFA on every remote and administrative path with phishing-resistant methods preferred (FIDO2, certificate-based, or platform passkeys), EDR with 24/7 SOC review rather than alert routing to a generalist help desk, immutable backups with quarterly restore validation tied to claims-system recovery time objectives, third-party security oversight including review of SOC 2 Type II and HITRUST attestations for claims TPAs and policy admin vendors, and a tabletop-rehearsed incident response plan with state-by-state breach notification timelines pre-mapped. For MGAs and program administrators, the same baseline applies with additional emphasis on federated identity hygiene — most MGA breaches originate at the seam between the MGA tenant and the carrier's downstream systems. For independent agencies, the operative question is rarely "do we have the controls?" but "can we prove it to the carrier's information-security questionnaire?" The mid-market answer to that question is typically a managed program rather than internal hires.
How NYDFS Part 500, NAIC Model Law, and cyber-insurance underwriting overlap
One of the more frustrating realities for insurance executives is that NYDFS 23 NYCRR 500, the NAIC Insurance Data Security Model Law, and the cyber-insurance underwriting questionnaire your own carrier sends you are asking for the same controls in three different formats. The CISO designation, written information security program (WISP), MFA, encryption, IR plan, third-party security policy, annual penetration testing, and certification of compliance that NYDFS 500 requires are largely the same controls the NAIC Model Law expects (with state-specific wording) and the same ones a Beazley, AXA XL, AIG, Coalition, At-Bay, or Resilience underwriter will score on the questionnaire. We structure the managed program once, then deliver the evidence in all three formats so a single set of controls satisfies the regulator, the trading carrier, and the cyber-insurance market.
Ransomware against insurance: why downtime is the metric that matters
For most industries, ransomware loss models center on the ransom demand, recovery cost, and breach-notification expense. For insurance, the dominant cost is almost always claims-payment downtime — the operational gap between intrusion and full claims-system restoration. Every day claims aren't paid, regulators in the affected states begin asking questions, agents and brokers begin steering renewals to competing carriers, and the reinsurance market begins repricing the next treaty cycle. Our managed program is engineered around minimizing that downtime window: prevention controls that close the doors attackers most commonly use (identity, email, exposed RDP, unpatched edge appliances), detection coverage that catches lateral movement before it reaches the claims environment, and recovery validation that proves your immutable backups will actually restore the claims database within the hours you've committed to your business continuity plan.
For deeper detail on the service mix behind this program, see our Managed Detection and Response (MDR), SOC-as-a-Service, Vulnerability Management, Penetration Testing, and Managed Firewall pages. For related context, see our Credit Unions in the Crosshairs analysis (the same threat patterns apply to insurance), the MDR vs. MSSP vs. SIEM 2026 buyer's guide for help scoping the right service tier, and the Top MSSP Providers 2026 roundup.
- What insurance regulations does Cyberuptive align with?
  Our managed program aligns to the NAIC Insurance Data Security Model Law (adopted by 25+ states), the New York DFS 23 NYCRR 500 cybersecurity regulation, the GLBA Safeguards Rule for insurance affiliates, and state-level breach-notification statutes. Where carriers are publicly traded, we also map to SOX IT general controls. Evidence packages are framework-mapped, dated, and version-controlled.
- Do you work with carriers, MGAs, and independent agencies?
  Yes. The threat picture is similar — policyholder PII, claims data, and third-party platform access — but the control scope changes by org type. Carriers carry full Insurance Data Security Model Law obligations, MGAs sit on carrier paper and inherit a slice, and agencies face the same ransomware and BEC exposure with thinner IT staff. We scope to fit.
- How do you handle third-party risk on claims and policy admin systems?
  Claims, policy admin, and rating systems are almost always SaaS or hosted by a vendor. We inventory the critical third parties, review their attestations (SOC 2 Type II, ISO 27001, HITRUST where applicable), monitor identity and federation between your tenant and theirs, and put response runbooks in place for vendor-side incidents — including notification obligations that flow back to your policyholders.
- What happens to our business if claims systems are taken offline by ransomware?
  Claims downtime is the headline business-continuity risk for insurance — payments stop, regulators notice, and policyholder trust erodes fast. We harden identity and endpoint to reduce the chance of a successful intrusion, segment the claims environment, validate immutable backups, and run tabletop exercises against ransomware scenarios so the playbook is rehearsed before it is needed.
- Can you help us pass cyber-insurance underwriting questions?
  Yes — and ironically, insurance carriers are increasingly subject to the same questionnaires they once issued. We produce evidence for MFA on all remote access, EDR coverage, immutable backups, the IR plan, vulnerability management cadence, and security awareness training. The same evidence supports state regulator filings and reinsurance treaty conditions.
Talk to a real engineer
Need a security partner who knows what an examiner actually asks for?
Whether you're shoring up after a near-miss, prepping a NYDFS certification of compliance, or scoping a managed SOC for the carrier — we can help.