Compyl

GRC for insurance, one program, every state.

Insurers protect policyholder PII and claims data under a patchwork of state data-security laws built on the NAIC model, plus GLBA, the Model Audit Rule, and PCI. Compyl maps one control library to all of them, so you stay exam-ready across every state from a single program.

What does compliance for insurance require?

Insurers must protect policyholder PII and claims data under state data-security laws modeled on the NAIC Insurance Data Security Model Law (MDL-668), alongside the GLBA Safeguards Rule, the Model Audit Rule (financial-reporting controls), and PCI DSS for payments. Insurers operating in New York also fall under NYDFS 23 NYCRR 500. Compyl maps one control library across every state adoption and framework, with continuous evidence.

The challenge

Why GRC is harder in insurance

50 states, one model, many variations

State adoptions of the NAIC model security law differ in timing and detail, so multi-state insurers track overlapping but non-identical requirements.

Policyholder PII & claims data

You hold deeply sensitive personal, financial, and health-adjacent data that regulators and customers expect you to protect and prove.

Model Audit Rule controls

The Model Audit Rule brings SOX-style financial-reporting control requirements that must be evidenced and tested each year.

How Compyl helps

One platform for every insurance regulator

Map one control library to every state and framework

Define controls once and cross-map them to the NAIC model law, GLBA, NYDFS, the Model Audit Rule, and PCI; evidence collected once then satisfies every adoption.

  • No duplicate work across states or regulators.
  • New state adoptions reuse controls you already have.

Example: one evidence item, encryption of policyholder data, pulled automatically from your stack, satisfies five requirements at once: NAIC §4(D), GLBA 314.4, NYDFS 500.15, MAR ITGC, and PCI DSS 3.5.

Stay continuously exam-ready

Integrations pull evidence from your policy admin, cloud, and identity systems around the clock, and Evidence Health flags stale proof before a market-conduct or financial exam.

  • Produce state certifications with current proof.
  • Surface gaps weeks before an examiner asks.

Exam readiness (continuous control monitoring):
  • Access reviews: Current
  • Encryption: Current
  • MAR control test: Due in 30 days

Report risk in dollars and watch every vendor

Quantify cyber and vendor risk in financial terms with FAIR for the board, and continuously monitor TPAs, brokers, and SaaS vendors that touch policyholder data.

  • FAIR-based risk quantification, board-ready.
  • Continuous third-party monitoring & vendor risk.

Third-party risk (TPAs, brokers & vendors):
  • Claims TPA: Critical
  • Broker portal: Medium
  • Analytics SaaS: Low

Coverage

Frameworks that govern insurance

All are cross-mapped to one control library; explore each, or see the full library of 70+.

Why Compyl

Built for the way insurance GRC actually works

One source of truth

Controls, evidence, risk, and vendors in one connected system, across every regulator you answer to.

Continuous, not point-in-time

Evidence refreshes automatically and is scored for health, so you're audit-ready every day of the year.

Agentic AI, human approved

AI drafts evidence, maps controls, and triages risk; your experts approve every decision.

Insurance FAQ

Common questions

Insurers must protect policyholder data under state data-security laws based on the NAIC Insurance Data Security Model Law, plus the GLBA Safeguards Rule, the Model Audit Rule for financial-reporting controls, and PCI DSS for payments. Insurers in New York also fall under NYDFS 23 NYCRR 500. Compyl maps one control library to all of them.

Compyl maintains one control library and cross-maps it to each state's adoption of the NAIC Insurance Data Security Model Law. Because the underlying controls overlap, evidence collected once satisfies every state where you operate, and new adoptions reuse controls you already have.

Yes. Compyl manages the IT general controls behind the Model Audit Rule, schedules and tracks control testing, and continuously collects evidence, so the annual MAR requirements are met with current proof instead of a year-end scramble.

Yes. With cross-mapping, evidence that MFA is enforced can satisfy the NAIC model law, GLBA Safeguards, NYDFS 500.12, the Model Audit Rule, SOC 2, and PCI DSS at once, collected a single time and counted everywhere it applies.

GRC Your Way

See Compyl mapped to your policyholder data

One control library, every regulator, continuous evidence, and agentic AI that removes the busywork, with your experts in control.
