Comply with 23 NYCRR 500

Part of complying will require performing due diligence on producers, agencies and brokers doing business in New York, to make sure that they are taking precautions to protect your data. Due diligence essentially means investigating, asking them questions, and finding out what they’re doing to keep your data safe.

Managing the distribution and collection of the information required for this risk assessment will be time-consuming and will place a burden both on carriers and on agents and their firms, who will be required to provide this information to potentially multiple Covered Entities.

LIMRA can help.

How will this help us comply?

  • The LIMRA NY Cybersecurity Due Diligence Questionnaire (DDQ) will collect the cybersecurity information needed by Covered Entities from producers, agencies, and brokers (considered Third Party Service Providers – TPSPs).
  • With the program’s unique identifier process, you can decide whether you need to get information from firms, brokers, or individual producers.
  • The questionnaire is designed to collect the specific information companies need to comply.
  • Over 30 carriers participated in the design of the DDQ to get it just right.


How does this work?

  • Carriers will determine who needs to complete the DDQ, and will upload the responder’s information (name, email address, and NPN or Tax ID) to the program via a secure website.
  • The LIMRA NY Cybersecurity Due Diligence Questionnaire Program takes it from there.
    • Those assigned the DDQ will be notified via email and given instructions for login.
    • Assigned agencies, producers, or brokers will log in using either their NPN (individual producers) or Tax ID number (agencies) to complete the questionnaire.
    • They will need to complete the DDQ only one time to meet the needs of multiple carriers.
    • Follow-up reminders will be sent to those who haven’t completed the questionnaire.
  • Carriers will be able to access complete information collected through their secure admin login.


What makes the LIMRA Cybersecurity Due Diligence Questionnaire program unique?

  • The questionnaire was developed by an industry working group of over 30 companies, who came to a consensus on the information needed to meet regulatory requirements.
  • It’s designed with the “LIMRA model” – as a shared solution.
    • Economies of scale keep costs down.
    • The once-and-done assignment to firms or producers makes it more convenient for them to comply.
  • You’ll collect rich data that you can track over time to help you get better at identifying risk factors.
  • You set the cadence of your regulatory scheduled reviews – some carriers will require a yearly DDQ, others every other year. You decide what works best for you.
  • You can download the responses to the DDQ as they come in, and will have access to the data on our secure site as long as you participate in the program.