
Comply with 23 NYCRR 500

Part of complying is performing due diligence on the producers, agencies, and brokers doing business in New York, to confirm that they are taking precautions to protect your data. Due diligence here means investigating: asking them questions and finding out what they are doing to keep your data safe.

Managing the distribution and collection of the information required for this risk assessment will be time consuming and will burden both carriers and agents and their firms, who may be required to provide the same information to multiple Covered Entities.

LIMRA can help.

How will this help us comply?

  • The LIMRA NY Cybersecurity Due Diligence Questionnaire will collect the cybersecurity information needed by Covered Entities from producers, agencies, and brokers (considered Third Party Service Providers – TPSPs).
  • With the program’s unique identifier process, you can decide whether you need to get information from firms, brokers, or individual producers.
  • The questionnaire is designed to collect the specific information companies need to comply.
  • Over 30 carriers participated in the design of the Due Diligence Questionnaire to get it just right.


How does this work?

  • Carriers will determine who needs to complete the Due Diligence Questionnaire and will upload the responder’s information (name, email address, and NPN or Tax ID) to the program via a secure website.
  • The LIMRA NY Cybersecurity Due Diligence Questionnaire Program takes it from there.
    • Carriers are provided with a template to notify responders that the invitation to the program is on the way.
    • Those assigned the Due Diligence Questionnaire will be notified via email and provided instructions for login.
    • Assigned agencies, producers, or brokers will log in using either their NPN (individual producers) or Tax ID number (agencies) to complete the questionnaire.
    • They will need to complete the Due Diligence Questionnaire only once to meet the needs of all carriers participating in the program.
    • Follow-up reminders will be sent to those who haven’t completed the questionnaire.
  • Carriers can download responses to the Due Diligence Questionnaire as they come in, and will have access to the data on our secure site as long as they participate in the program.


What makes the LIMRA Cybersecurity Due Diligence Questionnaire program unique?

  • The questionnaire was developed by an industry working group of over 30 companies, who came to a consensus on the information needed to meet regulatory requirements.
  • It’s designed with the “LIMRA model” – as a shared solution.
    • Economies of scale keep costs down.
    • The once-and-done assignment to firms or producers makes it more convenient for them to comply.
  • You’ll collect rich data that you can track over time to improve how you identify risk factors.
  • You set the cadence of your scheduled regulatory reviews: some carriers will require a yearly Due Diligence Questionnaire, others one every other year. You decide what works best for you.
  • You can download the responses to the Due Diligence Questionnaire as they come in, and will have access to the data on our secure site as long as you participate in the program.