INDEPENDENT INSURANCE AGENCIES
Cyber governance for independent insurance agencies
Reviewers can’t grade effort—only documented proof. Borealis builds and runs a cyber governance program for independent agencies (10–49 employees).
We keep evidence current in Aurora Command (the compliance portal). So renewals stay on track, exams stay calm, and diligence doesn’t surface surprises late.
Respond faster with a maintained evidence set you can export.
Confidential • Based on carrier + Department of Insurance questionnaires • No obligation
Built for insurance reality - not generic compliance
- Built around carrier questionnaires and insurance data security expectations
- Works alongside your MSP (managed service provider) - we don’t replace your helpdesk, tools, or ticketing
- Evidence-first: every requirement is mapped to proof, assigned an owner, and exportable on demand
- Built for the moments that matter: renewals, DOI exams, M&A diligence
Remote-friendly kickoff. Low disruption for staff.
Good fit if:
- You regularly receive carrier cyber questionnaires and need answers you can defend
- You have an MSP, but governance ownership is unclear
- You want renewals/exams to feel calm and controlled
Not a fit if:
- You want a provider to replace your MSP/helpdesk or run day-to-day IT operations
- You want “templates only” without operating a living program
What reviewers ask for
Carrier renewals, Department of Insurance exams, and diligence tend to ask for the same core proof.
- A current written program (WISP) with ownership and annual review
- Risk assessment + risk register (findings, owners, decisions)
- Vendor oversight (MSP, AMS, cloud providers) with review notes
- Incident readiness with breach notification checklist
- Training records and policy approvals (where applicable)
- An export-ready evidence packet you can send when asked
Your MSP runs IT. Governance and evidence are a different job.
Security tools reduce risk. Governance is what turns that work into defensible proof. Most agencies don’t struggle because controls are missing. They struggle because ownership, decisions, and evidence aren’t documented consistently enough to stand up to scrutiny.
The Analogy
Operational IT and governance serve different purposes. Your MSP executes controls. Borealis operates the governance layer that makes those controls defensible - ownership, decisions, and evidence you can produce on demand.
The Shift
Carriers and regulators increasingly treat agencies more like regulated service providers. That requires named responsibility, cadence, documented decisions, and an evidence trail.
What you get (deliverables)
- Written Information Security Program (WISP) tailored to your operations
- Risk register with owners, dates, and documented decisions
- Vendor oversight list + review cadence notes (including MSP and key platforms)
- Incident readiness plan + notification checklist (roles and timeline capture)
- Evidence map (what proof exists, who owns it, where it lives)
- Export-ready reviewer packet structure (including an Exam Binder export)
Why agencies are getting squeezed (and what reviewers now expect)
Regulators set the baseline. Carriers bake it into agreements. Cyber insurance checks the same boxes. The pressure converges on one place: your agency.
Here’s where it hits first:
Carrier renewals
If proof can’t be produced quickly, renewals slow down, conditions increase, and timelines tighten - right when you can’t afford delays.
DOI exams
When someone asks for documentation, you don’t want to build a defensible story under pressure. You want a system that’s been quietly maintained all year.
M&A Diligence
Reduce the diligence surprises buyers use to slow or re-price deals. Clean governance reduces uncertainty.
How we got here
What used to be “guidance” is now enforced through contracts, audits, and eligibility rules.
Timeline of Regulatory Escalation: From Guidelines to Mandates
Key Milestones (2017–2024)
Legend: Regulation • Breach / Enforcement • Industry Standard
- 2017 - NAIC Insurance Data Security Model Law (#668)
  NAIC (National Association of Insurance Commissioners) adopts the Insurance Data Security Model Law. It establishes a governance and evidence baseline that many states apply to insurance licensees, including agents.
- March 1, 2017 - NYDFS 23 NYCRR 500 Enacted
  The New York Department of Financial Services established cybersecurity requirements for financial services companies. Covered entities include insurance agencies and partnerships operating under licensure.
- April 2020 - NYDFS Amendment Tightens Governance Expectations
  Part 500 was amended to tighten expectations for governance, documentation, and reporting.
- 2021 - Travelers Agent Portal Exposure
  The Travelers agent-portal exposure becomes a case study for examiners. They look for credential misuse, missing multi-factor authentication, and delayed detection.
- November 1, 2023 - NYDFS Stricter Amendments Take Effect
  Amended regulations went into effect. They reflect a landscape where cyberattacks are “easier to perpetrate” and “more expensive to remediate.”
- 2024 - NYDFS Enforcement Actions Reinforce Documentation Expectations
  NYDFS enforcement actions against GEICO and Travelers reinforce the expectation of strong documentation. Regulators penalize weak programs, not only “the breach itself.”
The Agency Governance Program
We build a repeatable operating system for governance, and keep it alive month to month. Your program stays current through a defined cadence of reviews, updates, and evidence collection.
Program Spine
- Written Information Security Program (WISP) - tailored to how your agency actually operates
- Governance structure: roles, approvals, documented responsibility
- Policy set written to survive real scrutiny - not templates
Risk System
- Risk assessment (annual, and updated after material changes)
- Risk register with owners, due dates, and status
- Remediation roadmap prioritized for your MSP (no busywork)
Incident & Resilience
- Incident Response Plan with playbooks
- Business continuity and disaster recovery (BCP/DR) expectations, including recovery objectives (RTO/RPO)
- Notification readiness for fast windows (no panic math)
People & Vendors
- Access governance (MFA, joiner/mover/leaver, access reviews)
- Vendor inventory, minimum requirements, and review cadence
- Security awareness completion evidence
Can you produce evidence on demand?
Every control is mapped to proof. Every proof has an owner. Evidence is collected continuously - not assembled in a panic.
Keep evidence current in Aurora Command
Aurora Command keeps tasks, decisions, and evidence in one place so renewals and exams don’t become a scramble. Track what’s due, assign owners, and export an Exam Binder packet when asked.
- See what’s due before renewal season
- Assign owners so it doesn’t live in your head
- Export an Exam Binder package built for auditors
COMPLIANCE PORTAL
No more spreadsheet chaos.
Borealis is the managed governance service. Aurora Command is the compliance portal that keeps your policies and evidence current. If you prefer to run the program in-house, Aurora Command can also be used self‑serve.
Nationwide Baseline and State Overlays
Aurora Command is built around NAIC-style insurance governance requirements (National Association of Insurance Commissioners). Your core program aligns to the NAIC model-law baseline (often referenced as “668”): WISP (your written program), risk assessment (your documented evaluation), vendor oversight, incident readiness, and evidence. State overlays are added as states adopt them, so you build once, operate once, and export to match the request. Examples include Alaska and South Carolina.
What defensible looks like
Short, clear, operated monthly. Evidence collected before it's requested.
Written Program (WISP)
Tailored to your agency size, not a 100-page template that doesn't match reality.
Risk Assessment
Annual assessment with risk register, owners, dates, and treatment decisions.
Vendor Oversight
Inventory your MSP, agency management system (AMS), and cloud providers with minimum requirements and reviews.
Incident Readiness
Response plan, playbooks, notification timelines, and tabletop exercises.
Evidence Library
Mapped to controls, organized for auditors, exportable on demand.
Exam Binder Export
Print-ready workbook and clean export packets when carriers, examiners, or buyers say "show me."
Licensed in multiple states?
Most state laws share the same fundamentals - your written program, risk assessment, vendor oversight, incident readiness, and evidence. We map it once and show you what changes by state.
Choose how governance responsibility is handled
Qualified Individual (QI) = the named person responsible for the security program. vCISO (virtual CISO) = ongoing security leadership without a full-time hire.
You retain the Qualified Individual (QI) internally
Best for agencies with an internal Qualified Individual (QI)—the named person responsible for the security program—who can execute tasks but needs structure, cadence, and defensible evidence. Your program owner stays internal; we provide the system, evidence map, and accountability.
- We help you select the right framework
- We provide the governance model
- We help you design your policies
- Aurora Command helps you stay on track
- You remain the program owner (we provide structure + evidence mapping)
For teams who want to run the program in‑house
We serve as your QI and operate the program
For agencies that want governance operated, not just assigned. We serve as your Qualified Individual, run the cadence, document decisions, and keep a clean evidence trail for renewals, exams, and diligence.
- We help you establish or refresh your governance program
- We manage your daily governance model
- We serve as your Qualified Individual and provide CISO-level advisory services
- We take the stress off your hands
For teams who want full support
Advisory Track gives you the system. Managed Track gives you the system and the operator.
What happens after you book
30‑minute Program Review
We discuss your agency size, licensing states, carrier relationships, and current governance posture.
Scope & Proposal
You receive a tailored proposal with clear deliverables and timeline.
Build Phase Kickoff
Remote-friendly onboarding. We build your program foundation while keeping staff disruption minimal.
The Build
One-time setup. We build the governance engine.
- Program Scope & Review: program scoping (states, carriers, MSP boundaries).
- WISP Implementation: WISP implementation (draft → finalize).
- Risk Assessment: risk assessment and initial risk register.
- Evidence Map: evidence map and Exam Binder structure.
- Aurora Command Setup: Aurora setup (tasks, library, owners).
The Run
Monthly cadence. We keep you exam-ready.
- Monthly accountability check-ins
- Evidence collection reminders
- Updates for material changes
- Guided questionnaire support
- QI/vCISO-led governance actions & oversight
- Higher-touch carrier/exam support
- Leadership-ready reporting & decision tracking
- Diligence packaging (clean evidence trail)
Aurora turns governance work into proof.
The Agency Governance Program is operated by Borealis, but the work lives in Aurora. That’s where questionnaires, evidence, owners, and exports stay organized so you can answer “show me” without panic.
Compliance Governance
Turn requirements into an operating system: owners, cadence, decisions, and a single source of truth.
- Track requirements (including custom)
- Assign owners and due dates
- Turn gaps into remediation
Evidence Collection
Map controls to what proves them, keep evidence organized, and export clean proof packets on demand.
- Evidence library and indexing
- Requests, reminders, and follow-up
- Print-ready packets and diligence exports
Questionnaire Prep (service-first)
We help you respond faster without sending “trust me” answers.
- Reusable response library
- Evidence-backed answers
- Clean exports for reviews and renewals
Built for real security questionnaires
Upload what you have today, see what’s covered, then turn the rest into tracked requirements and remediation.
Ingest reliably
Bring questionnaires, evidence, and policies into one workspace.
See coverage
See how many questions can be drafted from your approved policies and evidence.
Review and edit
Walk through the assessment, attach evidence, and preserve human edits.
Export cleanly
Export answers and evidence as structured files and audit-ready bundles.
The Complete Platform
Everything connected. Nothing siloed. One platform that replaces your spreadsheets and manual processes.
Risk Register 2.0
Track risks from identification through remediation with clear ownership.
- Automatic 5x5 scoring
- Evidence-linked tracking
Compliance Tracking
Track what you need to meet (and prove) in one place.
- NAIC & state requirements
- Tie gaps to remediation
Evidence Library
Centralize screenshots, reports, policies, and vendor documents.
- Organized by category
- Audit trails for changes
Vendor Risk
Track vendor details and review status so you know who has access.
- Automated assessments
- Risk-based tiering
Guided Assessments
Turn complex requirements into step-by-step assessments.
- Pre-built templates
- Automatic task generation
Living Policy Library
Policies that actually get used. Version control and workflows.
- 50 policy and standard templates (NAIC‑first)
- Employee acknowledgment
SEE IT WORK
Get a guided Aurora Command walkthrough
We’ll show you how questionnaires flow into requirements, how evidence stays organized, and what a print-ready workbook looks like.
FAQ
Do you replace our MSP?
No. Your MSP runs IT operations and security tooling. Borealis runs the governance layer: ownership, cadence, documentation, and evidence that stands up to renewals, exams, and diligence.
Can’t I just download templates?
Templates that aren’t operated become liabilities. Policies that don’t match reality fail under scrutiny in exams, claims, and diligence. We build policies that match your actual operations and create the evidence trail that proves they’re operated year-round.
We’re under 10 employees. Are we exempt?
Some statutes include size-based exemptions, but carrier requirements and contractual obligations often go further than the law. We build the smallest defensible program that matches what carriers and examiners actually ask for.
Our MSP handles security.
Good. Keep them. We’re not competing with ticket queues or endpoint tools.
We build the governance layer carriers and examiners expect. We turn your MSP’s work into defensible documentation and evidence you can produce on demand.
We have HIPAA. Doesn’t that cover us?
HIPAA is not a substitute for insurance data security expectations. We map what you already do into an insurance-ready governance structure and fill the gaps carriers/DOIs typically test.
We already have policies. Do we still need this?
Policies help only when they match reality and can be proven with evidence. We validate what you have, align it to your operations, and build the evidence trail that makes it defensible.
We’re licensed in multiple states. Does that mean multiple programs?
No. We run one core program aligned to NAIC-style expectations.
We apply state overlays where needed, so you build once, operate once, and export to match the request.
Can we do this without disrupting staff?
Yes. We keep staff asks small and scheduled. Most work is leadership alignment, documentation, and evidence organization - done remotely with minimal interruptions.
I plan to sell my agency in 3–5 years. Is this worth it?
Yes. Clean governance reduces diligence risk, prevents last-minute scrambles, and removes uncertainty buyers use to push price, terms, or timelines.
Do you work nationwide even though you’re Alaska-based?
Yes. The program is designed for remote execution and multi-state licensing realities.
Do you provide legal advice?
No. We operationalize governance and evidence. You retain counsel for legal interpretation where needed.
Ready to turn governance into proof?
Start with a 30‑minute conversation about your agency, your licensing states, and what “exam-ready” looks like for you.
Free • confidential • no obligation