RiskWatch

For US Insurance Carriers, Brokers + Reinsurers

Risk management software for insurance that gives every state examiner a package built for their state, from one evidence vault.

A multi-state carrier answers to more than 50 insurance departments, each on its own exam cycle with its own expectations, on top of an annual solvency filing and an ICFR audit. Run that state by state and you are rebuilding the same evidence in a new spreadsheet every time a new department adopts the model law. RiskWatch keeps one library underneath all of it and hangs state-specific overlays on top, so the California examiner sees a California package and the Texas examiner sees a Texas one, both current, neither rebuilt from scratch. (Covers the NAIC Insurance Data Security Model Law adopted in 25+ states, NYDFS Part 500, MAR ICFR, ORSA, plus HIPAA for health insurers and RESPA for title carriers.)

Trusted by US insurance carriers + brokers managing NAIC, NYDFS, MAR, ORSA programs across P&C, L&H, title, reinsurance, and broker-distribution institutions.

Aon, Bose, Iberdrola USA, Johnson & Johnson, Pfizer, Puma North America

  • G2 Crowd: 4.7 (120+)
  • Capterra: 4.7 (80+)
  • Gartner Peer Insights: 4.6 (60+)

Why Insurance Compliance Teams Pick RiskWatch

One library underneath. A package for every state on top.

RiskWatch runs every state department exam, the annual solvency filing, and the ICFR audit off one control library, with state-specific overlays on top and a single DOI examiner-ready evidence trail underneath. The multi-state spreadsheet program goes away, and when the next department adopts the model law, it shows up as a coverage gap to close rather than a fresh program to build. (Covers the NAIC Insurance Data Security Model Law, NYDFS Part 500, MAR ICFR, ORSA capital adequacy, and state-by-state insurance department examination.)

A new state adoption is a gap to close, not a program to build

One control library, state-specific overlays for each jurisdiction, so the next department to adopt the model law surfaces as a coverage gap rather than a separate program build. (Tracks NAIC Model Law adoption across 25+ states.)

Your solvency filing reuses what audit already captured

Capital adequacy, ICFR, and cyber controls share one evidence vault, so internal audit captures once and the annual solvency refresh pulls from the same source instead of starting over. (ORSA and MAR ICFR on the same library as cyber.)

Your segment's extra rules sit on the same library

Health carriers layer on the HIPAA Privacy and Security Rules and title carriers layer on RESPA and state title-insurance regs, as segment-specific overlays on the same foundation, not a second system.

The Insurance Regulatory Landscape

Insurance compliance is state-by-state. The numbers prove it.

The NAIC Insurance Data Security Model Law has been adopted in 25+ US states and counting. Insurance carriers answer to 50+ state insurance departments simultaneously. ORSA capital adequacy filings happen annually. MAR Section 404 ICFR overlaps with state-by-state financial reporting requirements. Multi-state insurers run parallel programs unless evidence is unified.

  • 25+: US states that have adopted the NAIC Insurance Data Security Model Law
  • 50+: state insurance departments multi-state carriers answer to simultaneously
  • Annual: ORSA filing cadence, Own Risk and Solvency Assessment
  • 72hr: NYDFS Part 500 cybersecurity event notification clock

Three Domains, One Platform

Insurance risk lives in three concrete domains

RiskWatch covers all three. Each domain has a dedicated workflow, scoring model, and remediation queue. They share data so a single ORSA evidence package satisfies state insurance department exams in 50+ jurisdictions, plus NAIC Model Law where adopted, plus MAR for ICFR.

Risk

ORSA + Enterprise Risk

Survey-based risk assessment across underwriting, claims, investment, operational, and reinsurance risk, scored against ORSA + ERM frameworks.

  • ORSA capital adequacy modeling
  • ERM 3-lines-of-defense + risk appetite
  • Reinsurance + ceded risk register

Compliance

NAIC + NYDFS + MAR + State DOIs

NAIC Insurance Data Security Model Law, NYDFS Part 500, MAR Section 404 ICFR, and state-by-state insurance department exam in one cross-mapped library.

  • State-overlay coverage tracking
  • MAR ICFR + ORSA filing workflow
  • DOI examiner-ready evidence vault

Security

Cyber + Privacy + HIPAA

Cybersecurity controls + privacy compliance aligned to NAIC Model Law, GLBA, HIPAA (health insurers), and state-specific privacy laws.

  • HIPAA for health insurance carriers
  • GLBA Safeguards 2024 amendments
  • 13+ state consumer privacy laws

The Coverage Gap

Most insurance software covers one mandate

Insurance GRC platforms cover ERM. ORSA specialists cover capital adequacy. NAIC Model Law assessors cover that one. State DOI vendors cover one jurisdiction. Each does one job. Multi-state insurance compliance teams still operate a parallel program per state.

| Platform Category | NAIC Model Law | NYDFS 500 | MAR ICFR | ORSA | Multi-state DOIs | HIPAA (Health) |
|---|---|---|---|---|---|---|
| Insurance GRC Platforms (RSA Archer, MetricStream) | Partial | Partial | Yes | Partial | Partial | · |
| ORSA Specialty Tools (Capital adequacy + actuarial) | · | · | · | Yes | · | · |
| NAIC Model Law Assessors (State adoption tracking) | Yes | · | · | · | Partial | · |
| Internal Audit Tools (Workiva, AuditBoard) | · | · | Yes | · | · | · |
| Health Insurer Platforms (HIPAA + claims compliance) | Partial | · | · | · | · | Yes |
| Spreadsheets & Email | · | · | · | · | · | · |
| RiskWatch (The unified state-aware platform) | Yes | Yes | Yes | Yes | Yes | Yes |

RiskWatch is the only platform covering all six insurance compliance domains: NAIC Model Law, NYDFS Part 500, MAR ICFR, ORSA, multi-state DOIs, and HIPAA for health insurers. Insurance GRC platforms cover ERM. ORSA specialty tools cover capital adequacy. NAIC assessors cover Model Law adoption. Each does one job. RiskWatch unifies all six in one survey-based assessment workflow.

How It Works

One platform. Multi-state insurance compliance + ORSA + MAR.

RiskWatch is a survey-based assessment platform. The work is structured around questionnaires that capture cybersecurity, privacy, ICFR, and capital-adequacy evidence in a consistent format, then scored against every framework you certify against.

For insurance carriers, that workflow runs continuously across NAIC Insurance Data Security Model Law (state-by-state), NYDFS Part 500, MAR Section 404 ICFR, and ORSA. A single access-review record scores against §500.7, NAIC Section 4.D, MAR ITGC, and GLBA §314.4 simultaneously. ORSA refreshes annually, pulling from the same evidence vault.

The same platform runs all of it, surfaces gaps before each state DOI exam, assigns remediation owners, and tracks completion. Replace the parallel programs with one library and state-specific overlay metadata.

The Workflow

  1. Assess: Survey-based questionnaires capture cyber, privacy, ICFR, ORSA capital, and reinsurance posture across the carrier.
  2. Score: Responses score against your chosen framework: NAIC Model Law (per state), NYDFS Part 500, MAR ICFR, ORSA, HIPAA, NIST CSF 2.0, or custom.
  3. Remediate: Gaps become assigned tasks. Owners get deadlines. State-specific findings cascade to the appropriate DOI examiner package automatically.
  4. Audit: Evidence trails export to PDF, DOI examiner-ready format, ORSA filing template, or MAR ICFR documentation. Audit-ready in minutes.

NAIC · ORSA · MAR · HIPAA · State DOIs

Built For Your Role

Who uses RiskWatch in an insurance organization

Insurance CISO / VP Information Security

Owns NAIC Model Law cybersecurity, NYDFS §500.17 dual cert, ransomware defense, and state-by-state insurance dept exam response.

One controls library covering NAIC + NYDFS + GLBA. State-specific overlay surfaces gaps per jurisdiction. §500.17 cert evidence year-round.

Chief Compliance Officer

Owns multi-state regulatory exam calendar, NAIC Model Law adoption tracking, and DOI examiner relationships.

DOI examiner-ready packages per state on demand. Score one control once, satisfy 25+ state regulators. Audit prep cycles compressed.

Chief Risk Officer (ORSA Owner)

Owns ORSA filing, enterprise risk register, capital adequacy modeling, and risk appetite framework.

ORSA refreshed annually from the same evidence vault. Capital modeling tied to operational + cyber + reinsurance risk.

Chief Privacy Officer / DPO

Owns HIPAA (for health insurers), GLBA Safeguards, NAIC Privacy Model Act, state consumer privacy laws.

HIPAA + GLBA + 13-state privacy laws on the same library. Privacy program survives multi-state expansion.

Internal Audit Director (MAR)

Owns MAR Section 404 ICFR testing, NAIC Annual Financial Reporting Model Regulation, and audit committee reporting.

MAR ICFR + ORSA + cyber on one library. Internal audit captures once, feeds three regulatory cycles.

State Insurance Dept Liaison

Owns state DOI examiner coordination, market-conduct exam response, and rate-and-form filing risk.

State-specific overlay surfaces examiner expectations per jurisdiction. Examiner walks into a current package.

Built For Your Segment

Insurance segments RiskWatch supports

Property & Casualty Carriers

Multi-state P&C exams, NAIC Model Law cybersecurity, MAR ICFR, ORSA capital adequacy, and reinsurance risk register.

Life & Health Carriers

HIPAA Privacy + Security Rules, NAIC Model Law, state DOI exams, claims-data privacy, and ORSA for L&H-specific capital risk.

Title Insurance

RESPA compliance, state title-insurance regulations, ALTA Best Practices, and GLBA Safeguards for closing-data privacy.

Insurance Brokers + Agencies

Surplus lines compliance, broker E&O, state agent licensing, and consumer privacy across the placement workflow.

Reinsurance Carriers

Reinsurance accounting, NAIC reinsurance disclosures, ceded risk register, and global solvency frameworks (Solvency II overlap).

InsurTech + Digital MGAs

Tech-stack security (SOC 2 + ISO 27001), state surplus-lines + admitted-market overlap, fronting carrier oversight, and BaaS-style partner risk.

Standards & Frameworks

Built for the regulations US insurance carriers actually face

Generic GRC tools were built for office IT. RiskWatch was built for state-by-state insurance department exam reality and the NAIC Model Law adoption wave.

Regulatory

NAIC Insurance Data Security
NAIC Model Law adopted in 25+ US states. State-specific overlays.
NYDFS Part 500
23 NYCRR 500 cybersecurity regulation. §500.17 dual-signature CISO + CEO certification.
ORSA
Own Risk and Solvency Assessment annual filing, capital adequacy + ERM.
MAR Section 404
NAIC Model Audit Rule for Annual Financial Reporting (parallels SOX 404 ICFR).
HIPAA
Federal health information rules for health insurance carriers + plans.
GLBA Safeguards
Federal Trade Commission Standards for Safeguarding Customer Information.

Industry

NAIC Privacy Model Act
Insurance Information and Privacy Protection Model Act, state-by-state adoption.
NIST CSF 2.0
Cybersecurity Framework with the GOVERN function added in 2024.
ISO 27001
Information security management for insurance technology + reinsurance partners.
Solvency II
EU insurance solvency framework, reinsurance + multinational carrier overlap.
ALTA Best Practices
American Land Title Association best-practices framework for title insurers.
RESPA
Real Estate Settlement Procedures Act compliance for title + closing.

Trusted by 500+ risk and compliance teams

Aon
Bose
The Coca-Cola Company
Iberdrola USA
Johnson & Johnson
Pfizer
Puma North America
SeaWorld Entertainment
TE Connectivity
Our compliance posture for NAIC ORSA, GLBA, and Solvency II used to require three separate binders of evidence. The platform pulled them into one library the actuarial team, the privacy office, and our reinsurance counterparties all reference. Time-savings hit 76% in the first year. Compliance scoring reached 96% across the program. The MAR audit committee got the cleanest ICFR package we've ever produced.
U.S. mutual insurer
Chief Risk Officer, America's oldest insurance provider
  • 76%: time savings, first-year operationalization
  • 96%: overall compliance score across the program
  • 70%: efficiency gain on regulatory filings

See It In Action

See how carriers run NAIC, NYDFS, MAR, ORSA on one platform

Most demos run 15 minutes. Bring a recent state DOI exam response, a recent ORSA filing, or a recent MAR audit committee finding. We will show you how RiskWatch would have surfaced the gap, scored the exposure, and tracked the remediation across every state regulator and capital-adequacy framework at once.
