Serving insurance agencies

INDEPENDENT INSURANCE AGENCIES

Be ready when a carrier, auditor, or examiner says: “Show me.”

Effort doesn’t count. Proof does. Borealis builds and runs a cyber governance program for independent agencies (10–49 employees) and keeps evidence current in Aurora—so carrier renewals stay on track, Department of Insurance (DOI) exams stay calm, and M&A diligence can’t turn gaps into leverage.

Answer “show me” in minutes, not weeks.

PROGRAM SNAPSHOT

Built for insurance reality—not generic compliance

  • Built around carrier questionnaires + insurance data security expectations
  • Works alongside your MSP (managed service provider)—we don’t replace your helpdesk, tools, or ticketing
  • Evidence-first: every requirement is mapped to proof, assigned an owner, and exportable on demand
  • Built for the moments that matter: renewals, DOI exams, M&A diligence

Remote-friendly kickoff. Low disruption for staff.

Good fit if:

  • You regularly receive carrier cyber questionnaires and need answers you can defend
  • You have an MSP, but governance ownership is unclear
  • You want renewals/exams to feel calm and controlled

Not a fit if:

  • You want a provider to replace your MSP/helpdesk or run day-to-day IT operations
  • You want “templates only” without operating a living program

Your MSP runs IT. Governance and evidence are a different job.

Security tools reduce risk. Governance is what turns that work into defensible proof. Most agencies don’t struggle because controls are missing—they struggle because ownership, decisions, and evidence aren’t documented consistently enough to stand up to scrutiny.

Welcome to the compliance squeeze.

Regulators set the baseline. Carriers bake it into agreements. Cyber insurance checks the same boxes. The pressure converges on one place: your agency.

Here’s where it hits first:

Carrier renewals

If proof can’t be produced quickly, renewals slow down, conditions increase, and timelines tighten—right when you can’t afford delays.

DOI exams

When someone asks for documentation, you don’t want to build a defensible story under pressure. You want a system that’s been quietly maintained all year.

M&A Diligence

Weak governance becomes leverage against price, terms, or timeline. Clean governance reduces uncertainty.

How we got here

What used to be “guidance” is now enforced through contracts, audits, and eligibility rules.

Timeline of Regulatory Escalation: From Guidelines to Mandates

Key Milestones (2017–2024)

  1. 2017
    NAIC Insurance Data Security Model Law (#668)

    NAIC (National Association of Insurance Commissioners) adopts the Insurance Data Security Model Law, establishing a governance-and-evidence baseline many states implement for insurance licensees (including agents).

  2. March 1, 2017
    NYDFS 23 NYCRR 500 Enacted

    The New York Department of Financial Services established cybersecurity requirements for financial services companies. Covered entities include insurance agencies and partnerships operating under licensure.

  3. April 2020
    NYDFS Amendment Tightens Governance Expectations

    Part 500 was amended to tighten expectations for governance, documentation, and reporting.

  4. 2021
    Travelers Agent Portal Exposure

    Travelers agent-portal exposure becomes a case study in what examiners look for: credential misuse, missing MFA, and delayed detection.

  5. November 1, 2023
    NYDFS Stricter Amendments Take Effect

    Amended regulations went into effect, reflecting a landscape where cyberattacks are “easier to perpetrate” and “more expensive to remediate.”

  6. 2024
    NYDFS Enforcement Actions Reinforce Documentation Expectations

    NYDFS enforcement actions against GEICO and Travelers reinforce that regulators will penalize weak cybersecurity programs and documentation—not just “the breach itself.”

The questions you’ll get asked

  • Who is your designated security owner—and where is that responsibility documented? Expected proof: named accountability with documented authority.
  • Show your Written Information Security Program (WISP) and when it was last reviewed. Expected proof: current policy that matches operational reality.
  • Show your risk assessment, risk register, and risk treatment decisions. Expected proof: owners, dates, and documented remediation.
  • Show incident response readiness: roles, steps, notification timing, and tabletop evidence. Expected proof: tested and documented response capability.
  • Show vendor oversight: inventory, minimum requirements, and review cadence. Expected proof: third-party risk management with evidence.
  • Prove this is operated year-round—not assembled the week of the request. Expected proof: continuous governance with dated evidence.

The Agency Governance Program

We build a repeatable operating system for governance, and keep it alive month to month. Your program stays current through a defined cadence of reviews, updates, and evidence collection.

Program Spine

  • Written Information Security Program (WISP)—tailored to how your agency actually operates
  • Governance structure: roles, approvals, documented responsibility
  • Policy set written to survive real scrutiny—not templates

Risk System

  • Risk assessment (annual + updated on material changes)
  • Risk register with owners, due dates, and status
  • Remediation roadmap prioritized for your MSP (no busywork)

Incident & Resilience

  • Incident Response Plan with playbooks
  • Business continuity and disaster recovery (BCP/DR) expectations, including recovery objectives (RTO/RPO)
  • Notification readiness for fast windows (no panic math)

People & Vendors

  • Access governance (MFA, joiner/mover/leaver, access reviews)
  • Vendor inventory + minimum requirements + review cadence
  • Security awareness completion evidence

Can you produce evidence on demand?

Every control is mapped to proof. Every proof has an owner. Evidence is collected continuously—not assembled in a panic.

  • Evidence mapping index
  • Evidence requests & reminders
  • Evidence library
  • Exam Binder package

Everything is tracked in Aurora.

Aurora is your system of record for governance—tasks, decisions, and evidence in one place. You don’t hope you can answer the request. You open the dashboard, see what’s due, and export what’s needed—cleanly.

  • See what’s due before renewal season
  • Assign owners so it doesn’t live in your head
  • Export an Exam Binder package built for auditors

Nationwide Baseline + State Overlays

Aurora is NAIC‑first (National Association of Insurance Commissioners): one core program (WISP, risk assessment, vendor oversight, incident readiness, and evidence) with state overlays where needed—so you build once, operate once, and export to match the request.


What defensible looks like

Short, clear, operated monthly. Evidence collected before it's requested.

Written Program (WISP)

Tailored to your agency size, not a 100-page template that doesn't match reality.

Risk Assessment

Annual assessment with risk register, owners, dates, and treatment decisions.

Vendor Oversight

Inventory your MSP, agency management system (AMS), and cloud providers with minimum requirements and reviews.

Incident Readiness

Response plan, playbooks, notification timelines, and tabletop exercises.

Evidence Library

Mapped to controls, organized for auditors, exportable on demand.

Exam Binder Export

Print-ready workbook + clean export packets when carriers, examiners, or buyers say "show me."

Licensed in multiple states?

Most state laws share the same fundamentals—your written program, risk assessment, vendor oversight, incident readiness, and evidence. We map it once and show you what changes by state.

Choose how governance responsibility is handled

ADVISORY TRACK

You retain the Qualified Individual (QI) internally

Best for agencies with an internal leader who can execute tasks but needs structure, cadence, and defensible evidence. Your named security/governance owner keeps the designated role; we provide the system, evidence map, and accountability.

  • We help you select the right framework
  • We provide the governance model
  • We help you design your policies
  • The Aurora portal helps you stay on track
  • You keep the regulatory burden

Advisory Track gives you the system. Managed Track gives you the system and the operator.

What happens after you book

  1. 30‑minute Program Review

    We discuss your agency size, licensing states, carrier relationships, and current governance posture.

  2. Scope & Proposal

    You receive a tailored proposal with clear deliverables and timeline.

  3. Build Phase Kickoff

    Remote-friendly onboarding. We build your program foundation while keeping staff disruption minimal.

Phase 1

The Build

One-time setup. We build the governance engine.

  • Program scope & review: program scoping (states, carriers, MSP boundaries).
  • WISP implementation: draft → finalize.
  • Risk assessment: risk assessment + initial risk register.
  • Evidence map: evidence map + Exam Binder structure.
  • Aurora portal setup: tasks, library, owners.

Phase 2

The Run

Monthly cadence. We keep you exam-ready.

Advisory Track

  • Monthly accountability check-ins
  • Evidence collection reminders
  • Updates for material changes
  • Guided questionnaire support

QI-as-a-Service Adds

  • QI/vCISO-led governance actions & oversight
  • Higher-touch carrier/exam support
  • Leadership-ready reporting & decision tracking
  • Diligence packaging (clean evidence trail)

Aurora turns governance work into proof.

The Agency Governance Program is operated by Borealis, but the work lives in Aurora. That’s where questionnaires, evidence, owners, and exports stay organized so you can answer “show me” without panic.

Compliance Governance

Turn requirements into an operating system: owners, cadence, decisions, and a single source of truth.

  • Track requirements (including custom)
  • Assign owners and due dates
  • Turn gaps into remediation

Evidence Collection

Map controls to what proves them, keep evidence organized, and export clean proof packets on demand.

  • Evidence library and indexing
  • Requests, reminders, and follow-up
  • Print-ready packets and diligence exports

Questionnaire Prep (service-first)

We help you respond faster without sending “trust me” answers.

  • Reusable response library
  • Evidence-backed answers
  • Clean exports for reviews and renewals

Built for real security questionnaires

Upload what you have today, get immediate coverage signals, then turn the rest into tracked requirements and remediation.

  1. Ingest reliably

    Bring questionnaires, evidence, and policies into one workspace.

  2. See coverage

    Know how many questions we can draft answers for right away.

  3. Review + edit

    Walk through the assessment, attach evidence, and preserve human edits.

  4. Export cleanly

    Export answers and evidence as structured files and audit-ready bundles.

The Complete Platform

Everything connected. Nothing siloed. One platform that replaces your spreadsheets and manual processes.

Risk Register 2.0

Track risks from identification through remediation with clear ownership.

  • Automatic 5x5 scoring
  • Evidence-linked tracking

Compliance Tracking

Track what you need to meet (and prove) in one place.

  • NAIC & state requirements
  • Tie gaps to remediation

Evidence Library

Centralize screenshots, reports, policies, and vendor documents.

  • Organized by category
  • Audit trails for changes

Vendor Risk

Track vendor details and review status so you know who has access.

  • Automated assessments
  • Risk-based tiering

Guided Assessments

Turn complex requirements into step-by-step assessments.

  • Pre-built templates
  • Automatic task generation

Living Policy Library

Policies that actually get used. Version control and workflows.

  • 50+ policy and standard templates (NAIC‑first)
  • Employee acknowledgment

SEE IT WORK

Get a guided Aurora walkthrough

We’ll show you how questionnaires flow into requirements, how evidence stays organized, and what a print-ready workbook looks like.


FAQ

Do you replace our MSP?

No. Your MSP runs IT operations and security tooling. Borealis runs the governance layer: ownership, cadence, documentation, and evidence that stands up to renewals, exams, and diligence.

Can’t I just download templates?

Templates that aren’t operated become liabilities. Policies that don’t match reality fail under scrutiny in exams, claims, and diligence. We build policies that match your actual operations and create the evidence trail that proves they’re operated year-round.

We’re under 10 employees. Are we exempt?

Some statutes include size-based exemptions, but carrier requirements and contractual obligations often go further than the law. We build the smallest defensible program that matches what carriers and examiners actually ask for.

Our MSP handles security.

Good. Keep them. We’re not competing with ticket queues or endpoint tools. We build the governance layer carriers and examiners expect, and we turn your MSP’s work into defensible documentation and evidence you can produce on demand.

We have HIPAA. Doesn’t that cover us?

HIPAA is not a substitute for insurance data security expectations. We map what you already do into an insurance-ready governance structure and fill the gaps carriers/DOIs typically test.

We already have policies. Do we still need this?

Policies help only when they match reality and can be proven with evidence. We validate what you have, align it to your operations, and build the evidence trail that makes it defensible.

We’re licensed in multiple states. Does that mean multiple programs?

No. We run one core program aligned to NAIC-style expectations and apply state overlays where needed—so you build once, operate once, and export to match the request.

Can we do this without disrupting staff?

Yes. We keep staff asks small and scheduled. Most work is leadership alignment, documentation, and evidence organization—done remotely with minimal interruptions.

I plan to sell my agency in 3–5 years. Is this worth it?

Yes. Clean governance reduces diligence risk, prevents last-minute scrambles, and removes uncertainty buyers use to push price, terms, or timelines.

Do you work nationwide even though you’re Alaska-based?

Yes. The program is designed for remote execution and multi-state licensing realities.

Do you provide legal advice?

No. We operationalize governance and evidence. You retain counsel for legal interpretation where needed.

Ready to turn governance into proof?

Start with a 30‑minute conversation about your agency, your licensing states, and what “exam-ready” looks like for you.

Book a 30‑minute Program Review

Get the Executive Brief (PDF)

A 2-page plain-English summary explaining why carriers, regulators, and cyber insurance are all asking for the same proof, and what to do about it.
