How to Prepare for Insurance Data Migration 2026: The 12-Item Pre-Migration Readiness Checklist

Why pre-migration readiness matters in 2026

The COO I worked with two months ago - a US P&C carrier, $1.8B GWP, multi-state, three lines of business - told me something I hear in some version every time: “We are six weeks from go-live and we still do not know who owns the rollback decision. If it goes sideways at 3 a.m. Sunday, three different VPs will be on the call with three different opinions.” That carrier did not have a readiness problem at the technical layer. They had a readiness problem at the governance layer. The migration tool was fine. The data was passable. The people were good. What was missing was the document - the one that says, in writing, who decides what, by when, and on what evidence.

How to prepare for insurance data migration is, in my experience, the most underestimated phase of every program I have led or advised on in the last 15 years. Carriers spend the budget on tooling and execution, and they spend the time on cutover. The 90 days before the migration begins - the readiness window - is where the program is actually won or lost.

According to McKinsey’s 2025 State of Insurance research, roughly 38% of mid-tier P&C carriers in the US are now in the middle of a core platform replacement. The Earnix 2024 Industry Trends Report found that 49% of insurers admit they are behind schedule on modernization. Both numbers tell the same story: the carriers in the middle of these programs are not falling behind because the technology is hard. They are falling behind because they entered execution without finishing readiness.

Three forces have made pre-migration readiness a higher-stakes decision in 2026 than it was in 2022:

• Regulatory tightening. The NAIC Insurance Data Security Model Law has been adopted in 26 US states as of early 2026. State DOIs increasingly ask, during examinations, for documented evidence of how migration preserved PII handling and audit trail. A migration that goes into execution without a documented data lineage register is a migration that will have findings.
• Operational continuity scrutiny. COOs and CFOs now want a written rollback plan, a written reconciliation pack design, and a written cutover calendar that excludes CAT season - before the architecture decision record is even signed. I have sat in three board meetings in the last 18 months where the modernization sponsor was asked to produce these documents in real time. Two of them could not.
• Insurtech competitive pressure. Carriers that delay readiness end up either skipping it or rushing it. Both lead to longer execution, not shorter. The carriers I have worked with that invested 90 days in proper readiness finished their full migration in 14 to 18 months. The carriers that compressed readiness to 30 days finished in 24 to 30 months, with significant overrun.

This guide is the playbook I would walk through with you on a Migration Architecture Review. It is written for CIOs, enterprise architects, and COOs at US P&C carriers between $500M and $5B GWP. For the broader picture of what makes insurance data migration uniquely hard, the insurance data migration pillar guide is the strategic read; this article focuses on what to do in the 90 days before the program starts.

How to prepare for insurance data migration - direct answer

To prepare for insurance data migration, complete a structured readiness phase 60 to 120 days before execution begins. The readiness phase covers six dimensions - data, people, process, technology, regulatory, and financial - and produces six deliverables: a data source inventory, a data dictionary, a stakeholder alignment plan, a RACI matrix, a cutover and rollback plan, and a reconciliation pack design. A migration entering execution without all six is, in my experience, the single strongest predictor of overrun.

Knowing how to prepare for insurance data migration in 2026 is no longer optional for any mid-tier P&C carrier serious about modernization. The short version of the readiness gate:

• Profile the legacy data before scoping the program budget.
• Build a data dictionary that maps every source field to a target field with explicit business rules.
• Align Sarah (CIO), Daniel (architect), and David (COO) in a written stakeholder workshop output.
• Block CAT season (June-November for US P&C carriers) from the cutover calendar.
• Write the rollback plan before the architecture decision record (ADR) is signed.
• Design the CFO reconciliation pack before the first test cycle, not the last.

The next sections expand each into a working playbook.

The 12-item pre-migration readiness checklist

This is the checklist I would put in front of any CIO or COO before they sign the migration program charter. It is the working answer to how to prepare for insurance data migration at mid-tier P&C scale. Score yourself. Anything that scores below “complete and signed off” needs work before the program enters execution.

Readiness item 1: Written program charter signed by CEO

Not by the CIO. By the CEO. A migration sponsored only by IT will lose momentum at month 6 when the business pushes back. CEO-sponsored programs survive the pushback because the cost of pulling the plug is higher than the cost of finishing.

Readiness item 2: Data source inventory complete

Every source system catalogued, every table sized, every interface documented. For a mid-tier P&C carrier with around 50 million records, expect 4 to 6 weeks to complete this inventory properly. I have advised carriers that wanted to skip this step “because we know our systems.” They did not.

Readiness item 3: Data dictionary with target mapping in place

Every source field mapped to a target field, with the business rule for the transformation written down. This is the artefact that gets rewritten under fire at 2 a.m. during cutover if it is not built early.

Readiness item 4: Data quality baseline measured

Profile the source data. Report null rate, foreign key integrity, distinct value distribution, and date sentinel values. Data quality on legacy P&C systems sits between 60% and 80% in my experience. You cannot scope the remediation budget without knowing the baseline.

Readiness item 5: Stakeholder workshop output documented

Sarah, Daniel, and David sit in one room for a structured 2-day workshop. The output is a single document that names: success criteria, RTO/RPO targets per domain, rollback decision-maker, escalation path, and communication plan. Section 6 goes deeper.

Readiness item 6: RACI matrix complete and shared

Every workstream, every named role, every decision point. Section 7 has the template. RACI gaps surface at execution as “I thought you owned that.”

Readiness item 7: Cutover calendar excludes CAT season

For US P&C carriers, June through November is off-limits. Cutover should be scheduled for February-April or a narrow window in late November after CAT season closes.

Readiness item 8: Rollback plan written and tested

The rollback plan specifies trigger conditions, the rollback procedure step by step, the data restore approach, the maximum acceptable rollback duration (typically 4 hours), and the named decision-maker. If any of these are missing, the rollback plan is incomplete.

Readiness item 9: Reconciliation pack design signed by CFO

The CFO needs to know, at the start, what reconciliation reports they will sign at the end. Designing the pack backwards from the CFO’s required signature is the fastest path I know. Section 7 of the insurance data migration best practices article has the full template.

Readiness item 10: Test environment provisioned with anonymized production data

For mid-tier P&C carriers, you need a test environment that holds at least 25% of production data volume. For the third dress rehearsal, you need full-volume. Provisioning this takes 6 to 10 weeks - start early.

Readiness item 11: Training plan and communication runway scheduled

Agents, underwriters, claim adjusters all need 4 to 8 hours of training per user before cutover. The training plan and the 90-day communication runway should be locked before execution begins.

Readiness item 12: Vendor and tool decisions made and contracted

If you are still evaluating tools at the readiness gate, you are not at the readiness gate. Tool selection - in-house, generic ETL, or insurance-native migration platform - needs to be closed. For the longer read on this decision, data migration tools - how to choose the right solution covers the framework.

A migration that ticks 10 of 12 boxes is much better than one that ticks 4. A migration that enters execution with all 12 complete is the one I would bet on finishing on time.

The 6-dimension readiness assessment

When carriers ask me how to prepare for insurance data migration, the first practical move is to score themselves across six dimensions. The 12 checklist items roll up into these six. Score each dimension on a 1-5 scale (1 = not started, 5 = complete and signed off). Anything below a 3 is a red dimension that should block program kickoff. The 6-dimension model maps directly onto the underlying insurance data migration challenges covered in the pillar guide.

Dimension 1: Data readiness

Is the source data profiled, cleansed, and documented? Is the data quality baseline known? Is the data dictionary built? In my experience, this is the dimension carriers most often overestimate. The team says it is at a 4; the audit shows it is at a 2.

Dimension 2: People readiness

Are the migration team roles filled? Is the executive sponsor a CEO-level sponsor? Is the COO co-owning operational continuity? Are the right vendors and contractors on contract? People readiness is where carriers underestimate the depth of insurance-domain skill required. Generic ETL skills are not insurance migration skills.

Dimension 3: Process readiness

Is the RACI complete? Is the change management process documented? Is the testing methodology agreed? Is the cutover playbook drafted? Process gaps surface as governance gridlock during execution.

Dimension 4: Technology readiness

Is the target system provisioned? Are the integrations specified? Is the test environment built? Is the tool selection final? Technology readiness is the dimension most teams focus on - and the one that is usually in the strongest shape, because it is the most familiar.

Dimension 5: Regulatory readiness

Are NAIC and state DOI requirements documented? Is the ACORD compliance plan in place? Are NIST Cybersecurity Framework controls mapped? Is the 7-10 year retention strategy agreed? Regulatory readiness is the dimension most often skipped by teams that come from non-insurance migration backgrounds. I recommend bringing compliance into the program at week 1, not week 30.

Dimension 6: Financial readiness

Is the budget approved at the right level? Is the contingency reserve sized at 20-30%? Is the CFO sign-off process documented? Is the reconciliation pack design done? Financial readiness gaps show up at month 9 when the program asks for more contingency and the board says no.

For a carrier scoring across all six dimensions, the minimum gate to enter execution is average 3.5 across the six, with no single dimension below 3. Anything lower means more readiness work before kickoff. I have advised programs to delay execution by 60 days based on this score, and in each case the delay paid for itself.

Section 5: Data source inventory and data dictionary

These two artefacts are the spine of the readiness phase. Without them, the migration team will make 200 small decisions under fire at cutover. With them, the team makes those decisions in advance, with stakeholders in the room.

The data source inventory

For each source system, the inventory captures:

• System name and owner.
• Database technology (e.g., DB2, Oracle, SQL Server, mainframe COBOL files).
• Approximate record count per main domain (policy, claims, party, financial, regulatory).
• Integration points (inbound and outbound interfaces, batch and real-time).
• Retention status (live, archive, candidate for retirement).
• Sensitivity classification (PII, PHI, financial, regulatory).

For a mid-tier P&C carrier I worked with, the inventory uncovered 47 distinct data stores across 14 systems - 9 more systems than the IT leadership had on their initial list. That gap was not a documentation problem; it was an operational reality. Shadow systems built by underwriting and claims over 20 years had become load-bearing.

The data dictionary

The data dictionary is the field-by-field map of every source field to every target field. Minimum contents per row:

• Source system, table, field name, data type.
• Target system, table, field name, data type.
• Transformation rule (one-to-one copy, enum mapping, format change, calculated field, derived field, retained for history only).
• Business owner (the person who owns the rule, not the technical team).
• Regulatory tag (ACORD AL3 field, NAIC reporting field, state DOI filing field, PII, none).

For a typical mid-tier P&C carrier across all lines, expect a dictionary of 4,000 to 12,000 rows. This is not optional documentation. It is the artefact that gets reviewed by every test cycle, signed off by the CFO at reconciliation, and produced under examination by state DOI auditors.

I recommend that the data dictionary be drafted in weeks 1-4 of readiness, reviewed by business owners in weeks 5-8, and signed off by week 10. Anything later than week 10 compresses the test cycle window, which is where bugs surface.

Data lineage as a regulatory artefact

For carriers writing in regulated lines (which is most P&C carriers), the data lineage register is no longer just an internal artefact - it is increasingly something state DOIs ask for. The NAIC’s emphasis on data integrity in the Insurance Data Security Model Law (#668) sets expectations around audit trail and PII handling that the lineage register supports. Build it during readiness; do not build it under examination.

Stakeholder alignment workshop format

In my experience, the single most underestimated piece of pre-migration readiness is the stakeholder alignment workshop. Carriers schedule a half-day “kickoff” and call it alignment. That is not alignment. Alignment is a structured 2-day workshop that produces a written output signed by all participants.

Who is in the room

The 6 mandatory participants:

• Sarah (CIO or equivalent). Final technical decision-maker.
• Daniel (lead enterprise architect). Technical pattern owner; veto rights on architecture.
• David (COO or VP Operations). Operational continuity owner; veto rights on cutover window.
• Lead claims officer or VP claims. Operational stakeholder, signs off on claims data scope.
• Lead underwriting officer or VP underwriting. Operational stakeholder, signs off on policy data scope.
• Compliance director. Regulatory continuity sign-off (NAIC, state DOI, ACORD).

Optional but recommended: CFO representative (for reconciliation pack design), HR/change management lead (for training and communication plan).

Day 1 agenda - what we are migrating and why

• Morning: review of the program charter, scope by line of business, in-scope systems.
• Morning: data source inventory walk-through (output of Section 5).
• Afternoon: success criteria definition. Specifically: what does “done” look like, by domain?
• Afternoon: RTO/RPO targets per domain (e.g., claims under 2 hours, policy admin under 4 hours, billing under 8 hours).

Day 2 agenda - how we will execute and recover

• Morning: migration approach selection (big bang, phased, strangler fig, hybrid).
• Morning: cutover window selection (which weekend, with CAT season exclusion).
• Afternoon: rollback decision criteria. Who decides? On what evidence? Inside what window?
• Afternoon: communication plan and training plan high-level design.

The output document

The workshop produces a single document I will call the Migration Alignment Charter. Minimum contents:

• Program charter summary (1 page).
• Scope by line of business with named owners.
• Success criteria by domain.
• RTO/RPO targets by domain.
• Migration approach selected with rationale.
• Cutover window selected.
• Rollback decision-maker named, with criteria.
• Communication and training plan owners named.
• Risk register with top 10 risks and named owners.

All 6 mandatory participants sign. This document is the reference for every dispute during execution. Without it, every dispute escalates to the CEO. With it, most disputes are resolved by re-reading the relevant section.

Team composition and the migration RACI matrix

The team composition question is, in my experience, where carriers most often underestimate cost. A typical mid-tier P&C carrier migration needs the roles below for 12 to 18 months. Some are full-time, some part-time, some external.

Core team roles

• Migration program director. Full-time, internal preferred. Owns timeline, budget, and risk.
• Lead enterprise architect (Daniel). 50-80% time, internal.
• Data architect. Full-time. Owns data dictionary, data lineage, target data model.
• Data engineer(s). 2 to 6 full-time depending on scale. Build the migration jobs.
• QA lead and test engineers. 1 lead plus 2 to 4 engineers; ramps up for cycles 2 and 3.
• Business analysts by domain. 1 per major domain (policy, claims, billing, party, financial). Internal preferred.
• Compliance liaison. 25-50% time. Sign-off on regulatory artefacts.
• Change management and communication lead. Full-time from month 6 onward.
• Operations war-room lead (David’s representative). Full-time from month 9 onward.

Plus an external migration partner (Decerto or equivalent) bringing tooling, methodology, and senior architects with insurance migration experience. For mid-tier P&C carriers, the external partner is typically 30-50% of program cost.

Sample RACI for the migration program

The pattern to notice: cutover window and rollback plan have dual accountability (CIO and COO). This is intentional. Both veto rights must be exercised in writing.

Migration window selection and rollback success criteria

These two decisions, made together, are the single highest-impact pair of decisions in the readiness phase. Get them right and you have bought yourself runway for the rest of the program. Get them wrong and you are managing a recovery from week 1 of execution.

Migration window selection

Three factors drive the window:

CAT season exclusion (P&C). June through November is off-limits for US P&C carriers writing property lines. Hurricane and wildfire season creates 5-10x claim volume spikes that no migration window should overlap with. David, the COO, has veto rights on this.

Quarter-end and year-end exclusion. Financial close periods (last 5 business days of each quarter, last 10 business days of the year) are off-limits. CFO has veto rights.

Regulatory filing windows. NAIC quarterly Schedule P filings, state DOI rate filings, Schedule F reinsurance reporting - each has its own window. Compliance has veto rights.

What is left, for most US P&C carriers, is roughly:

• Mid-February through mid-April.
• A narrow 2-3 week window in late November after CAT season closes.

Cutover scheduled into either window is workable. Cutover scheduled outside these windows needs an exceptionally strong reason.

Rollback success criteria

The rollback plan is not “we will roll back if we have to.” That is not a plan; it is a sentence. A rollback plan specifies:

• Trigger conditions. Named, observable conditions that initiate the rollback decision (e.g., reconciliation variance over 0.5% on premium written, more than 50 user-facing errors in the first hour, claim payment processing fail rate over 2%).
• Rollback procedure step by step. Pre-written and rehearsed. Not improvised at 3 a.m.
• Data restore approach. How the legacy data is restored. Snapshot, delta replay, parallel-run handover.
• Maximum acceptable rollback duration. Typically 4 hours. If the rollback takes longer than the rollback budget, the situation is worse than a clean rollback - you are now in a degraded mixed state.
• Named decision-maker. Single named person with rollback authority. Typically the CIO or a named delegate. The decision is not made by committee at 3 a.m.
• Communication template. Pre-written messages to agents, adjusters, customers, and regulators.

A rollback plan that does not include all six of these is not a rollback plan I would let into production. I have seen the consequences of incomplete rollback plans personally. They are not subtle.

For the broader downtime planning context, minimizing downtime during insurance data migration goes into RTO/RPO targets by domain.

Common readiness gaps that kill insurance migration projects

I will state this directly: the readiness gaps below are the ones I have personally seen kill carrier migration programs. They are not theoretical. They are recurring patterns. If you are asking how to prepare for insurance data migration without producing any of these gaps, this section is the negative checklist - the things to make sure are not happening.

Readiness gap 1: No CEO-level executive sponsor

A migration sponsored only by the CIO has no authority to hold the line when the business pushes back at month 9. The first thing I check when I assess a program is whether the CEO has signed the charter. If not, that is the first gap to close.

Readiness gap 2: Data dictionary started “after the contract is signed”

The data dictionary should be drafted before the migration contract is signed, because the scope of the dictionary is the strongest predictor of program effort. Carriers that start the dictionary at week 1 of execution find that effort estimates are wrong by month 3.

Readiness gap 3: No RACI, or a RACI with too many “A”s

If two roles share Accountable on the same workstream, neither is accountable. RACI conflicts surface at week 6 of execution as “I thought you were going to do that.”

Readiness gap 4: Tool selection deferred past readiness gate

Tool selection (in-house, generic ETL, insurance-native platform) needs to be closed before the readiness gate. Carriers that keep the tool decision open into execution lose 8 to 12 weeks.

Readiness gap 5: No baseline data quality measurement

If the data quality baseline is “we think the data is mostly clean,” the remediation budget is unbounded. I have advised carriers that thought their data was 95% clean. The audit returned 67%. The remediation budget had to triple.

Readiness gap 6: Cutover scheduled in CAT season “because the date worked for IT”

For US P&C carriers. This is not negotiable. The COO must veto.

Readiness gap 7: Rollback plan as “we will roll back if needed”

Covered in Section 8. If the six specific elements are not in the plan, the plan does not exist.

Readiness gap 8: Compliance brought in at month 9

Compliance must be in the readiness phase from week 1. Bringing compliance in late produces an artefact retrofit that takes longer and costs more than building it in from the start. For the deeper read, insurance data migration challenges covers the regulatory dimension in more detail.

Readiness gap 9: Communication plan compressed to 30 days pre-cutover

Agents and adjusters need 90 days of communication runway and 4-8 hours of training per user. Compression below this produces a Monday morning post-cutover where the helpdesk is overwhelmed.

Readiness gap 10: Test environment provisioned in month 6

The test environment should be provisioned by week 8 of readiness, so that cycle 1 testing can start by week 12. Carriers that defer provisioning lose the ability to run three full test cycles.

Decerto reference - Generali Group Poland acquisition migration

Decerto has worked on 100+ insurance projects since 2003. The reference deployment that most directly illustrates the readiness practices in this article is the Generali Group Poland data migration that Decerto delivered as Generali’s chosen technology partner.

The setup

When Generali Group Poland acquired another insurance company, the project required migrating all insurance products, business processes, and customer data from the acquired company’s IT architecture into Generali’s infrastructure. The data from the acquired company was, in Generali’s own words documented in the published case study, of poor quality and required significant validation and correction before migration.

What readiness looked like in practice

Three readiness practices from this article are visible in how Decerto and Generali ran the program:

Detailed analysis and planning phase. Decerto conducted a field-by-field analysis of all relevant objects and processes across both the legacy systems and Generali’s target architecture. This is the data dictionary practice from Section 5, executed at acquisition scale.

Custom migration tooling, built for the data. Rather than apply a generic ETL platform to insurance-specific data, Decerto built a dedicated migration tool that handled import, validation, correction and standardization, transformation to Generali’s target data model, export, and reporting. This is the tool-selection practice from Section 3, item 12.

Multiple rounds of trial migrations. Decerto and Generali conducted dozens of trial migrations and detailed technical and business testing before go-live. This is the three-cycle test strategy practice from the insurance data migration best practices article, executed end-to-end.

What the readiness work bought

The actual cutover took place over a single weekend. The published outcomes: balance of financial transactions remained intact, no data loss occurred, and data quality improved through validation and correction. For a mid-tier carrier asking whether a 90-day readiness investment is worth it, the Generali reference is the most direct public answer Decerto can point to.

The same methodology applies to mid-tier US P&C carriers between $500M and $5B GWP. The Migration Architecture Review (described in Section 12) is the format we use to translate the methodology into your specific program.

Frequently asked questions

How do you prepare for an insurance data migration project in 2026?

Run a structured 60 to 120-day readiness phase before execution begins, covering six dimensions (data, people, process, technology, regulatory, financial) and producing six artefacts: data source inventory, data dictionary, stakeholder alignment charter, RACI matrix, cutover and rollback plan, and reconciliation pack design. The 12-item checklist in Section 3 is the working list.

What is pre-migration readiness in the insurance industry specifically?

Pre-migration readiness in insurance is the structured assessment and documentation phase that prepares an insurer’s people, processes, data, technology, regulatory posture, and finances for a data migration program. It differs from generic IT readiness in that it explicitly covers ACORD compliance, NAIC retention rules, CAT season exclusion, and reconciliation against regulatory reporting.

What is a migration governance framework for insurance carriers?

A migration governance framework defines the decision rights, escalation paths, sign-off gates, and risk management process for a migration program. For insurance carriers, it explicitly names the CEO, CIO, COO, CFO, and Compliance roles and specifies veto rights for cutover window (COO), rollback (CIO), reconciliation (CFO), and regulatory continuity (Compliance).

How do you assess insurance data quality before migration?

Run a data profiling pass against every source system, reporting at minimum: row count, null rate per column, distinct value distribution per categorical column, date sentinel values, foreign key integrity rate, and enum value distribution. For a mid-tier P&C carrier with around 50 million records, the audit takes 4 to 6 weeks. Data quality baseline typically falls between 60% and 80% clean.

What should be done before insurance data migration execution begins?

Twelve things, covered in Section 3: written program charter, data source inventory, data dictionary, data quality baseline, stakeholder workshop output, RACI matrix, cutover calendar excluding CAT season, rollback plan, reconciliation pack design, test environment provisioned, training and communication plan, and final vendor and tool decisions.

How long does the pre-migration readiness phase take?

For mid-tier P&C carriers learning how to prepare for insurance data migration at the right depth, expect 60 to 120 days for a proper readiness phase. Programs that compress readiness below 30 days typically pay the difference back during execution at a 3 to 5 times multiplier. The carriers I have worked with that invested 90 days in readiness finished full migration in 14 to 18 months.

Who should own the pre-migration readiness phase in an insurance carrier?

A dedicated migration program director, reporting to the CIO with co-sponsorship from the COO and CEO oversight. The program director runs the readiness workstreams, owns the artefact production, and chairs the stakeholder workshop. Without a named owner, readiness becomes everyone’s part-time problem.

What is the most common reason insurance data migration projects fail?

In my experience, the most common single reason is entering execution before readiness is complete. The specific symptom varies (data quality surprise, rollback ambiguity, regulatory gap, RACI confusion), but the root cause is the same: the program crossed the readiness gate with critical items still open.

Talk to Decerto about migration readiness

If you read one section of this article on how to prepare for insurance data migration, I would point you here.

Every quarter a mid-tier P&C carrier delays the readiness work, two costs compound. Legacy maintenance keeps eating IT budget. And the carriers that started readiness 12 months earlier are now in execution, while delayed carriers are still in scoping. The competitive gap is widening month over month, and the carriers I have worked with that recovered from a poor readiness phase recovered slowly. Doing it right the first time is materially cheaper than fixing it later.

A free 30-minute Migration Architecture Review with me (Janusz Januszkiewicz). Vendor-neutral. I bring 15+ years of insurance migration experience plus a senior Decerto architect. You bring your current architecture diagram and your top three readiness questions. We leave with a preliminary score across the six readiness dimensions, a list of the largest gaps, and an honest assessment of whether you are ready to enter execution.

Decerto’s Data Migrator platform and migration services are built for mid-tier P&C carriers between $500M and $5B GWP. We are not the right partner for $5B+ enterprise carriers running on Guidewire ClassicSuite who want a drop-in Guidewire migration accelerator - Guidewire’s own services partners are the right call there. For sub-$250M GWP carriers, the readiness phase is leaner and can often be handled in-house with a 4 to 6-week external consultation. We will tell you which case you are in, in the first 30 minutes.

The methodology in this article is the same one used on the Generali Group Poland acquisition migration, on the Warta agent platform consolidation, on the BNP Paribas Cardif claims handling centralization, and on a number of US-side mid-tier engagements that remain under NDA. The 12-item checklist is not theory. It is the working artefact carriers actually use.

Sources and citations

1. NAIC. (2024). Insurance Data Security Model Law (#668). National Association of Insurance Commissioners.
2. NAIC. (2024). Standards for Safeguarding Customer Information (Model Law #672). National Association of Insurance Commissioners.
3. NIST. (2024). Cybersecurity Framework 2.0. National Institute of Standards and Technology.
4. ACORD. (2025). ACORD Standards - AL3 and XML reference documentation.
5. NY DFS. (2024). 23 NYCRR 500 - Cybersecurity Requirements for Financial Services Companies. New York Department of Financial Services.
6. McKinsey & Company. (2025). State of Insurance 2025.
7. Deloitte. (2025). 2026 Insurance Industry Outlook.
8. Aite-Novarica Group. (2024). P&C Insurance Core Modernization Report.
9. Gartner. (2025). Magic Quadrant for Data Integration Tools.
10. AM Best. (2025). Operational Technology and Insurance Carrier Risk.