IT Strategy

Playbook: How a Small Insurance Agency Should Build a NIST CSF-Mapped WISP for Carrier Questionnaires

When a small independent insurance agency receives a carrier's annual security questionnaire that requires a full NIST CSF mapping of controls, what does the right engagement look like? Here is the playbook — what we would assess, what we would change, and what the agency should see when this is handled properly.

What This Scenario Looks Like

This is a playbook for a scenario we structure engagements around regularly across the Inland Empire. The agency described is a composite — no specific client. The mechanics, controls, and remediation steps are the real engagement structure we use.

Picture a seven-person independent insurance agency in Ontario — one principal, three producers, two account managers, and one office administrator. Mixed book: commercial lines (50%), personal lines (30%), life and health (20%). They place business across roughly a dozen carriers, with one carrier accounting for about 35% of their annual premium volume.

The stack: a cloud agency management system for clients, policies, and downloads, M365 for email and file storage, and a comparative rater for personal lines quoting. Light on-prem footprint — no on-site server, no domain controller, just laptops and a network printer.

The triggering scenario: the principal opens her email to find the annual security questionnaire from the agency's largest carrier. The questionnaire has grown from 12 questions the previous year to 84 questions this year. Most of the new questions reference NIST CSF subcategories by ID — identifiers like ID.AM-1, PR.AC-1, DE.CM-1, RS.RP-1, RC.RP-1.

The cover memo gives the agency 60 days to respond. The implicit consequence of a poor response is a tightening of the carrier's underwriting appetite for the agency's submissions — not formally a breach of contract, but practically the kind of thing that erodes an agency's most important carrier relationship over a quarter.

The agency's old IT vendor offers to "fill out a questionnaire" for $400. The principal asks us what filling it out honestly would actually require. The honest answer is "a five-week project."

Where Most Agencies Like This Start

A one-week discovery to document the agency's actual current state is non-negotiable. At an agency this size the picture is almost always the same.

[Image: a laptop and notes on a desk] The typical seven-person agency stack runs almost entirely on cloud platforms, each with its own MFA posture. The carrier questionnaire's 84 questions map to specific NIST CSF subcategories, each one needing a specific control to point to, not a generic safeguards claim.

M365 is typically on Business Standard. MFA is on for the principal, off for the producers and account managers, off for the office administrator. The previous IT vendor set up MFA for the principal as part of carrier login security but never extended it because "it would be a hassle for the team." Conditional Access off. Defender for Office 365 off because the license does not include it.

The agency management system has individual logins for every staff member, MFA available but not enabled, password policy at the platform default.

Laptops are usually a mix of personal-purchase and agency-purchase machines. None are enrolled in a central management platform, there is no consistent encryption posture (some laptops have BitLocker on, the rest do not), and antivirus is the consumer-grade product that came with the laptop.

The agency has a one-page "information security policy" the principal downloaded from an industry forum years earlier. It mentions passwords and "appropriate technical safeguards" and is signed by a managing partner who is no longer with the agency.

There is no vendor list. There is no documented offboarding process. There is no incident response plan. There is no training record. The agency has been carrying cyber insurance for a couple of years; the carrier has begun asking similar questions on the renewal application.

Walking through the carrier questionnaire question by question, the principal can typically answer maybe 18 of the 84 questions with a confident "yes." Roughly 50 are honest "no"s. The remaining 16 are "we are not sure what this is asking."

What an Audit Would Typically Uncover

Mapping an agency like this against NIST CSF (Identify, Protect, Detect, Respond, Recover) will typically surface eight gaps that matter for the questionnaire:

  • ID.AM (Asset Management) — no documented inventory of devices, software, or data. The carrier questionnaire's first block asks for a maintained inventory of hardware (ID.AM-1), software (ID.AM-2), and data flows (ID.AM-3). The agency cannot produce any of these.
  • ID.GV (Governance) — no written information security program (WISP). The WISP is a state-required document for many insurance entities under the NAIC Insurance Data Security Model Law (adopted in California in modified form and in many other states), and a baseline requirement of every modern carrier questionnaire.
  • PR.AC (Identity Management and Access Control) — MFA off on most staff accounts. PR.AC-1, PR.AC-3, PR.AC-7 all map to MFA, least-privilege access, and authentication strength. The agency sits at default on all of them.
  • PR.DS (Data Security) — inconsistent encryption posture on laptops. PR.DS-1 (data-at-rest protection) is a clear gap when only some of the laptops are on BitLocker.
  • PR.IP (Information Protection Processes) — no documented baseline configuration, no backup posture for M365 data, no documented incident response plan. Three separate PR.IP subcategories with nothing behind them.
  • PR.AT (Awareness and Training) — no security training record. The carrier asks for evidence of annual training. The agency has none.
  • DE.CM (Continuous Monitoring) — no EDR, no SIEM, no centralized logging. The agency has consumer antivirus on each laptop and no central visibility.
  • RS.RP (Response Planning) and RC.RP (Recovery Planning) — no documented incident response or recovery plans. A "call the IT vendor when something breaks" posture is not what NIST CSF asks for.

A generic one-page security policy downloaded from an industry forum is worse than no policy — it states a posture the agency does not actually have, which becomes a documentation contradiction in the carrier post-mortem.

The Engagement Plan

The engagement runs as a five-week sprint. The carrier deadline forces the sequence — documentation work and technical work happen in parallel so the WISP describes controls that actually exist by the time the questionnaire goes back.

1. Write the WISP against NIST CSF as the controlling framework. A 20+ page document organized around the five NIST CSF functions (Identify, Protect, Detect, Respond, Recover) and the relevant subcategories. Each subcategory names the specific control in place at the agency, the responsible person, and the review cadence. The WISP is signed by the agency principal and reviewed annually.

2. Build the asset inventory. Hardware inventory (every laptop, every printer, every router) with model, serial number, OS version, and assigned user. Software inventory across the laptops via the M365 admin center after Intune enrollment. Data-flow inventory describing where client PII lives (agency management system, M365 mailboxes, OneDrive, the comparative rater) and what each platform's role is. The inventory is maintained in a shared OneDrive workbook with a quarterly review owner.

[Image: a meeting around a table] The WISP is reviewed and signed by the principal, with each NIST CSF subcategory mapped to a named control owner. It names the specific responsible person and review cadence for every NIST CSF subcategory the agency is claiming, not a generic safeguards bullet.

3. Upgrade M365 to Business Premium and turn on the controls. Conditional Access requiring MFA on every sign-in for every user, blocking sign-ins from countries the agency does not work in, requiring a compliant device for OneDrive and SharePoint. Defender for Office 365 with Safe Links, Safe Attachments, and anti-phishing impersonation rules tuned for insurance-vertical lookalikes (carrier domains, comparative-rater vendor, agency management system vendor). Intune enrollment for every laptop with BitLocker enforced, EDR running, and a baseline policy.
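As an added example that is not part of the original playbook, here is how the Conditional Access portion of step 3 could be scripted with the Microsoft Graph PowerShell SDK. It assumes a US-only agency, a Business Premium tenant (Conditional Access needs the Entra ID P1 license that Business Premium includes and Business Standard lacks), and an emergency-access account whose object id replaces the placeholder; every policy is created in report-only mode first.

```powershell
# Added example, not the agency's or the playbook's own script. Requires the
# Microsoft.Graph PowerShell SDK and a Conditional Access (Entra ID P1) license.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

$breakGlassId = "<BREAK-GLASS-ACCOUNT-OBJECT-ID>"   # placeholder: emergency-access account, always excluded
$state        = "enabledForReportingButNotEnforced"  # review the sign-in log, then switch to "enabled"

# Named location: the only country the agency does business in (assumption: US).
$homeCountry = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    "@odata.type"                     = "#microsoft.graph.countryNamedLocation"
    displayName                       = "Agency operating countries"
    countriesAndRegions               = @("US")
    includeUnknownCountriesAndRegions = $false
}

# Shared scope: every user except break-glass, the given cloud apps, every client type.
function New-AgencyScope {
    param([string[]]$Apps = @("All"))
    @{
        users          = @{ includeUsers = @("All"); excludeUsers = @($breakGlassId) }
        applications   = @{ includeApplications = $Apps }
        clientAppTypes = @("all")
    }
}

# CA01: MFA on every sign-in for every user (evidence for PR.AC-1 / PR.AC-7).
New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName   = "CA01 - Require MFA for all users"
    state         = $state
    conditions    = New-AgencyScope
    grantControls = @{ operator = "OR"; builtInControls = @("mfa") }
}

# CA02: block sign-ins from anywhere outside the operating country.
$geoScope = New-AgencyScope
$geoScope.locations = @{ includeLocations = @("All"); excludeLocations = @($homeCountry.Id) }
New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName   = "CA02 - Block sign-in outside operating countries"
    state         = $state
    conditions    = $geoScope
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}

# CA03: SharePoint Online / OneDrive only from an Intune-compliant device (PR.DS-1 evidence);
# 00000003-0000-0ff1-ce00-000000000000 is the first-party SharePoint Online application id.
New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName   = "CA03 - Require compliant device for SharePoint and OneDrive"
    state         = $state
    conditions    = New-AgencyScope -Apps @("00000003-0000-0ff1-ce00-000000000000")
    grantControls = @{ operator = "OR"; builtInControls = @("compliantDevice") }
}
```

Leave the policies in report-only mode long enough to read the sign-in log for a full business week, so a producer working from a hotel is not locked out the morning the block policy is enforced. The exported policy JSON and a dated screenshot of each policy in the enabled state are the evidence the questionnaire response points to.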

4. Enable MFA on the agency management system, the comparative rater, and every carrier portal. The producers and account managers each get a guided login walk-through. Document the MFA posture on every system with a date and a screenshot for the questionnaire response.

5. Build the vendor oversight register. Every vendor that touches client PII or carrier data — agency management system, M365, comparative rater, e-signature, document storage, payroll, the agency's E&O carrier, and the IT vendor — is documented with scope of access, SOC 2 report status, contract expiration, security-questionnaire cadence (annual), and BAA or equivalent on file where applicable.

6. Write the incident response and recovery plans. A multi-page IR/RC plan covering three scenarios (ransomware, account compromise, vendor breach) with named responsible parties (incident-response lead, communications lead, legal counsel, E&O carrier contact), notification timelines, and a tabletop test schedule (every 12 months). The recovery plan documents the backup posture for the agency management system data, M365 mailboxes and files, and the RTO/RPO targets the carrier asks about.

7. Build the training and awareness program. A one-hour live session on phishing, password hygiene, and incident reporting, plus a one-page written reference. Documented attendance with signed acknowledgments. Annual renewal on the principal's calendar.

What 'Done Right' Looks Like

When this playbook runs cleanly, here is what the agency exits with.

The carrier questionnaire goes back 48 hours before the deadline with the large majority of the 84 questions answered "yes" with documented evidence. The remaining handful are "in progress" with a documented target date inside 90 days. The carrier's underwriting team typically responds with a one-line email confirming receipt and no follow-up questions.

The WISP is a living document. It maps to NIST CSF subcategories, names the specific controls in place, and is signed by the principal. The next carrier questionnaire — from the agency's second-largest carrier, due months later — gets answered from the same document.

The asset inventory is maintained. MFA is on across every system that touches client or carrier data. Every laptop is encrypted, patched, and running EDR. Conditional Access blocks sign-in attempts from countries outside the U.S.

The incident response plan exists, has been tabletop-tested, and has a 12-month review cadence. Agencies that complete this work give their carrier something concrete to verify during underwriting review — which is the part that meaningfully moves the renewal conversation.

The principal's relationship with the largest carrier is unchanged — which is the whole point. The next questionnaire is a Tuesday's worth of work, not a five-week scramble.

The Lesson For Other Insurance Agencies

Three things worth taking from this.

First — the carrier security questionnaire is the new compliance gate. NAIC Insurance Data Security Model Law (adopted in modified form across many states) and state-specific insurance regulator requirements have given carriers explicit authority to ask agencies these questions. They are not asking out of curiosity. The next questionnaire will be longer than the current one. Agencies that get ahead of NIST CSF mapping now will spend a Tuesday on each subsequent questionnaire; agencies that wait will spend the 60 days before the deadline scrambling.

Second — a generic one-page "information security policy" downloaded from an industry forum is worse than no policy. It states a posture the agency does not actually have, which means a real incident becomes a documentation contradiction in the carrier and regulator post-mortem. A real WISP names the specific controls in place, the specific responsible people, and the specific review cadence. It is a living document, not a relic.

Third — the controls and the documentation have to be built in parallel. A WISP that describes controls the agency does not actually have is an exam finding. The five-week sequence above works because the documentation work and the technical work happen at the same time; by week five, the WISP describes what is actually in place.

If you are running an independent insurance agency in the Inland Empire and the carrier questionnaire has landed in your inbox, our financial services overview covers the framework mapping at a high level, our security baseline assessment is the structured way through the audit, and our free 12-question self-check gives a rough grade in three minutes.

Want help applying this?

A free 15-minute scope call is the fastest way to figure out what changes for your business.