Illustration of an IT quarterly review meeting covering security risks, backups, compliance, and staff awareness.

6 Questions Your Insurance Agency Should Ask Its IT Provider Every Quarter

July 13, 2026

6 Questions Your Insurance Agency Should Ask Its IT Provider Every Quarter

If your IT provider tells you, "Everything looks fine," that is not an answer.

It is a feeling.

And feelings do not satisfy a cyber insurance questionnaire. They do not help during a carrier security review. They do not prove your backups work. They do not show that MFA is enforced, access is reviewed, vendors are documented, or client data is protected.

In an insurance agency, IT is not just support. It touches client files, renewals, claims, producer access, email, phones, Applied Epic, AMS360, Microsoft 365, e-signatures, backups, cyber insurance controls, GLBA safeguards, HIPAA workflows, FTC Safeguards Rule expectations, NAIC-related security obligations, and carrier requirements.

That is why quarterly IT reviews matter.

Not because you need another meeting on the calendar.

Because you need proof you can use.

A strong quarterly review should give you clear answers, current risk visibility, documented next steps, and evidence you can hand to leadership, a carrier, a cyber insurer, or an auditor without scrambling.

Here's how we make that easier.

The Goal Of A Quarterly IT Review

A quarterly IT review should answer one simple question:

Can your agency prove that its technology, security, backups, and compliance controls are being actively managed?

Not assumed.

Not hoped for.

Managed.

For an insurance agency, that means your IT provider should be able to show:

What risks exist right now

What has been fixed since the last review

What still needs attention

Which controls support cyber insurance and compliance expectations

Whether backups have actually been tested

Whether access is appropriate

Whether staff behavior is creating risk

What leadership should budget for next

Who owns each action item

When each item will be completed

That last part matters.

A quarterly review without owners and due dates is just a conversation. A quarterly review with evidence becomes a control.

The Quarterly IT Proof Checklist

Bring this checklist to your next IT provider meeting.

For each area, ask your provider to answer in one of three ways:

Complete and documented

In progress, with owner and due date

Not addressed yet, with risk explained

If they cannot answer clearly, that is not a small gap. That is the first finding.

1. What Security Risks Need Attention Right Now?

Every agency has security risk.

The question is whether your provider can see it, explain it, prioritize it, and fix it before it becomes a breach, downtime event, or cyber insurance problem.

Ask your provider:

Which devices are missing critical patches?

Are any users operating without MFA?

Are shared mailboxes, service accounts, or admin accounts properly protected?

Have there been unusual login attempts or suspicious access patterns?

Are Conditional Access policies protecting remote access?

Are endpoints covered by current security monitoring?

Are staff using unauthorized file-sharing, email forwarding, or personal storage tools?

You are not asking for perfection.

You are asking for visibility.

If your provider gives you a vague answer, you are still the one carrying the risk. A good provider should be able to show you what is happening in plain language, without hiding behind dashboards or acronyms.

What A Good Answer Sounds Like

Weak Answer:

"Everything looks good. We haven't seen any major problems."

Strong Answer:

"Three Windows workstations are more than 90 days behind patching. MFA coverage is currently 97%. Two shared mailboxes are not protected by Conditional Access. One former employee account was still present in a disabled state and has now been removed from all groups. Remediation for the shared mailboxes is assigned to Alex and scheduled for completion by July 31."

That is the difference between reassurance and control.

2. Have Our Backups Actually Been Tested?

A backup that has not been tested is not a recovery plan.

It is a hope with a subscription attached.

You need to know whether your agency can restore what matters if ransomware hits, a cloud account is compromised, a server fails, or someone deletes a folder full of client documents.

Ask your provider:

When was the last full recovery test?

What systems were restored?

Were Microsoft 365, SharePoint, OneDrive, email, servers, endpoints, and agency-critical files included?

Were Applied Epic or AMS360-related files, integrations, exports, or supporting systems considered?

How long did the restore take?

Were any gaps found?

Is the backup protected from deletion or encryption by an attacker?

Where is the restore evidence?

This matters because backup success and restore success are not the same thing.

A dashboard may show that backups are "green," but that does not prove your staff can get back to work when a producer needs policy documents, a benefits team is handling time-sensitive enrollment files, or accounting needs access to commission records.

What A Good Answer Sounds Like

Weak Answer:

"Yes, backups are running."

Strong Answer:

"Backups are completing successfully for servers, Microsoft 365, SharePoint, OneDrive, and endpoint folders included in policy. The last restore test was completed on June 18. We restored one SharePoint library, one mailbox, and one server folder. The SharePoint restore took 42 minutes. One excluded document library was identified and added to the backup policy the same day. Evidence is attached to the quarterly report."

That is the kind of answer you can keep in your compliance file.

A Real Agency Example

An independent agency went into its quarterly review believing Microsoft 365 was fully protected.

The provider's dashboard showed backup activity. Everyone assumed that meant the agency could recover if something went wrong.

During the review, the operations manager asked one simple question:

"When was the last time we tested a SharePoint restore?"

The room got quiet.

The backups existed, but no one had tested recovery in over a year. When the provider ran a restore exercise, they discovered that several SharePoint libraries used for client documentation were not included in the correct retention and backup configuration.

That could have been discovered during a ransomware event.

Instead, it was found during a quarterly review.

The provider corrected the configuration, documented the restore test, updated the backup scope, and added quarterly recovery testing to the agency's review process.

That is what a good quarterly review does. It finds the quiet failure before it becomes the loud one.

3. Where Is Technology Slowing Down Our Staff?

Not every IT problem looks like an emergency.

Some problems look like a producer waiting too long for AMS360 to load.

A CSR avoiding a document workflow because it freezes.

A manager not trusting call logs because the phone system does not sync consistently.

A benefits team using email attachments because the secure portal feels too clunky.

A staff member saying, "I'll just save it here for now."

That sentence should make your stomach tighten a little.

When approved systems are slow or frustrating, people create workarounds. Workarounds create compliance drift. Compliance drift creates risk.

Ask your provider:

Which systems generate the most repeat tickets?

Are workstations meeting current standards for Applied Epic, AMS360, Microsoft 365, and daily workflows?

Are there recurring issues with scanning, printing, phones, email, internet, or secure document handling?

Are staff bypassing approved tools because they are too slow or unreliable?

Are cloud phone, call recording, and CRM or AMS integrations working as expected?

What should be optimized before it creates operational or compliance risk?

This question is not about convenience.

It is about control.

Your staff cannot follow security procedures that make their daily work feel impossible. A good IT provider helps you protect the agency without turning every task into a wrestling match.

What A Good Answer Sounds Like

Weak Answer:

"We only know about problems when users submit tickets."

Strong Answer:

"AMS360-related tickets increased 22% this quarter, mostly from the commercial lines team. Four workstations are below the recommended performance standard. We also found inconsistent call logging from the phone system into the agency workflow. Recommended actions: replace four workstations, update the AMS workstation standard, and review the phone integration settings with the vendor. Owner: IT provider for workstation standards; agency operations for workflow validation."

That answer gives you a path forward.

4. Are We Still Aligned With Compliance, Carrier, And Cyber Insurance Expectations?

Compliance does not usually collapse all at once.

It drifts.

A new employee gets access.

A vendor is added without review.

A sharing exception becomes permanent.

A mailbox rule forwards client data.

A benefits workflow starts handling PHI.

A cyber insurance renewal asks for controls you thought were already in place.

A carrier questionnaire asks for evidence your provider has never prepared.

Quarterly reviews help catch drift while it is still manageable.

Ask your provider:

Do our controls support GLBA safeguards expectations?

If we handle PHI, are HIPAA-related safeguards and BAAs addressed?

Are we prepared for FTC Safeguards Rule questions around access, encryption, risk assessment, monitoring, and vendor oversight?

Are we aligned with NAIC-related expectations for security programs and third-party service provider management?

Can we answer cyber insurance questions about MFA, backups, EDR, patching, phishing training, privileged access, and incident response?

Are carrier security questionnaires asking for evidence we do not currently have?

Are access reviews documented?

Is our vendor register current?

Is our incident response plan current and tested?

Compliance is not just about having policies. It is about whether your real environment matches those policies.

If your access control policy says quarterly reviews happen, your provider should be able to show the completed review.

If your incident response plan says backups are tested, your provider should be able to show the restore evidence.

If your cyber insurance application says MFA is enforced, your provider should be able to show coverage.

What A Good Answer Sounds Like

Weak Answer:

"We follow best practices."

Strong Answer:

"This quarter, we completed the access review for all active users and removed two stale accounts. MFA coverage is 100% for standard users and administrators. We confirmed endpoint protection on 96% of managed devices; four laptops are pending agent repair. The vendor register is missing updated documentation for one e-signature provider. The incident response plan exists but has not been tabletop tested this year. Recommended next steps: complete endpoint repair, update vendor documentation, and schedule one tabletop exercise."

That is the kind of answer that gives you something to stand on.

The External Evaluator Lens

Here is the question to ask yourself after every quarterly review:

Would this answer hold up if someone outside the agency asked for proof?

That outside person might be:

A cyber insurance underwriter

A claims adjuster after a ransomware incident

A carrier security team

A regulator

A board member

A managing partner

A client asking about data protection

An auditor reviewing access, backups, or vendor controls

That person will not be impressed by "our provider handles it."

They will ask for evidence.

They will want dates, screenshots, reports, policies, test results, ownership, and remediation notes.

That does not mean you need to live in fear of audits. It means your quarterly review should produce the documentation that lets you breathe when questions come in.

5. What Should We Budget For Next Quarter?

Surprise IT spending is usually a planning problem.

Your provider should help you see what is coming before it becomes urgent, expensive, or embarrassing.

Ask your provider:

Which devices are aging out?

Which warranties, licenses, and subscriptions are coming up?

Are any servers, firewalls, phones, endpoints, or network devices nearing end of support?

Are we underlicensed or overlicensed?

Do we need to plan for Microsoft 365 security improvements, backup expansion, endpoint upgrades, or phone system changes?

Are there carrier, cyber insurance, or compliance expectations that may require budget?

What can wait?

What creates risk if we delay?

This is where a provider becomes more than a help desk.

A good provider helps you defend decisions before leadership asks, "Why do we need this?"

They connect the budget to business risk:

"This firewall is unsupported."

"These laptops cannot reliably run the agency workflow."

"This backup gap affects recovery."

"This security control appears on cyber insurance questionnaires."

"This documentation gap could hurt us during a carrier review."

That is how you move from begging for budget to presenting a clear business case.

What A Good Answer Sounds Like

Weak Answer:

"You may want to upgrade some equipment soon."

Strong Answer:

"Seven workstations are older than the agency standard and are generating a higher support volume. Two firewall licenses renew next quarter. Microsoft 365 backup storage will need expansion if current growth continues. We recommend budgeting for workstation replacement, firewall renewal, and advanced email security improvements. Highest priority: replace unsupported devices first because they affect patching, performance, and cyber insurance control expectations."

That is budget guidance leadership can understand.

6. Where Are We Falling Behind?

This is the question many providers avoid.

Ask it anyway.

A reactive provider waits for tickets.

A strategic provider tells you where your agency is exposed before a carrier, cyber insurer, auditor, or attacker tells you first.

Ask your provider:

Are our current controls still appropriate for our agency size and risk?

Are we behind on MFA, Conditional Access, EDR, email security, patching, logging, backups, or secure file sharing?

Are staff behaviors creating risk?

Are manual processes creating inconsistent handling of client data?

Are AMS, CRM, email, phone, and file workflows properly integrated and protected?

Are we documenting enough to satisfy cyber insurance, carrier, or compliance review expectations?

What would you fix first if this were your agency?

That final question is important.

It forces the provider to move from technical reporting into judgment.

You deserve judgment.

You deserve someone willing to say, "This is the issue I would not ignore."

What A Good Answer Sounds Like

Weak Answer:

"You're in pretty good shape compared to other agencies."

Strong Answer:

"You are strongest in MFA adoption and endpoint coverage. You are weakest in documented vendor oversight, restore testing, and incident response practice. If this were our agency, we would prioritize restore testing first, then vendor documentation, then a tabletop exercise. Those three items support cyber insurance readiness, carrier questions, and internal confidence."

That is the kind of candor that makes a quarterly review worth having.

The Numbers Your Provider Should Track Every Quarter

If your provider is not measuring the basics, they cannot manage the basics.

Ask for these metrics every quarter:

Average ticket response time

Average ticket resolution time

Open critical tickets

Repeat tickets by system or department

Patch compliance percentage

MFA coverage percentage

Endpoint protection coverage

Backup success percentage

Last restore test date and result

Critical vulnerability count

Phishing test results

Security awareness training completion

User access review completion

Number of stale or disabled accounts removed

Vendor documentation status

Incident response plan status

Cyber insurance control gaps

Budget items coming due

Do not let this become a 40-page report nobody reads.

You want a clear summary that helps you make decisions.

If a metric is red, you need the owner, the fix, and the due date.

Quarterly IT Health Score

Use this simple framework to score where your agency stands.

Backups

Green: Restore tested within the last 90 days, evidence documented, critical systems included.

Yellow: Backups are running, but restore testing is older than 90 days or only partially documented.

Red: Backups have never been tested, or no one can show restore evidence.

MFA And Access Control

Green: MFA is enforced for 100% of users, administrators, remote access, and key cloud systems.

Yellow: MFA coverage is 90% to 99%, with exceptions documented and scheduled for remediation.

Red: MFA is below 90%, exceptions are undocumented, or shared accounts are not properly controlled.

Patch And Endpoint Protection

Green: Patch compliance is above 95%, endpoint protection is active, and unsupported devices are tracked.

Yellow: Patch compliance is 80% to 95%, with aging devices identified.

Red: Patch compliance is below 80%, unsupported devices are active, or endpoint coverage is unclear.

Cyber Insurance Readiness

Green: Required controls are documented, reviewed, and supported with evidence.

Yellow: Most controls exist, but documentation is incomplete or scattered.

Red: Application answers rely on assumptions instead of evidence.

Compliance Documentation

Green: Information security policies, access reviews, vendor documentation, incident response plans, and training records are current.

Yellow: Documentation exists but does not fully match the current environment.

Red: Documentation is missing, outdated, or not connected to actual operations.

Incident Response

Green: Incident response plan is current, roles are assigned, and tabletop testing has been completed.

Yellow: Plan exists but has not been tested recently.

Red: No documented plan, unclear roles, or no tabletop history.

Vendor Oversight

Green: Vendor register is current, critical vendors are reviewed, and BAAs or data protection terms are documented where needed.

Yellow: Vendor list exists but is incomplete or not recently reviewed.

Red: No vendor register, no clear documentation, or no consistent review process.

Staff Training

Green: Security and privacy training is current, phishing testing occurs, and staff know where to report suspicious activity.

Yellow: Training happens occasionally but is not tied to measurable results.

Red: No formal training, no phishing testing, or no clear reporting process.

Technology Performance

Green: AMS, phones, email, scanning, file sharing, and endpoint performance are reviewed and improved proactively.

Yellow: Problems are handled by ticket, but trends are not reviewed.

Red: Staff rely on workarounds because core systems are slow or unreliable.

Budget Planning

Green: Upcoming renewals, replacements, and security investments are documented before they become urgent.

Yellow: Some items are tracked, but budget timing is unclear.

Red: IT expenses are mostly reactive.

Sample Quarterly IT Risk Summary

Your quarterly review should produce a one-page summary like this.

Agency Name

Quarterly IT Risk Summary

Reporting Period: Q3

Prepared For: Operations, Compliance, and Leadership

Overall Status

Current Rating: Yellow

Summary: Core security controls are in place, but backup testing, vendor documentation, and incident response evidence need attention before the next cyber insurance renewal.

Top Risks

Risk 1: Backup Restore Testing Is Incomplete

Rating: Red

Impact: Recovery confidence is not fully documented for Microsoft 365 and SharePoint.

Owner: IT Provider

Due Date: July 31

Required Evidence: Restore test report, screenshots, systems tested, time to recover, gaps found.

Risk 2: Vendor Documentation Is Not Current

Rating: Yellow

Impact: Carrier or regulator questions may be harder to answer quickly.

Owner: Agency Operations

Due Date: August 15

Required Evidence: Updated vendor register, BAA status where applicable, security review notes.

Risk 3: Endpoint Patch Compliance Needs Improvement

Rating: Yellow

Impact: Unpatched devices may increase breach risk and cyber insurance exposure.

Owner: IT Provider

Due Date: July 24

Required Evidence: Patch compliance report showing 95% or higher completion.

Backup Status

Backup Success: 98%

Last Restore Test: Not fully documented

Systems Included: Servers, Microsoft 365, SharePoint, OneDrive

Gap: SharePoint restore evidence incomplete

Next Step: Complete restore test and attach evidence to quarterly file

Compliance And Insurance Readiness

GLBA Safeguards Support: Partially documented

HIPAA Considerations: Review needed if PHI is handled by benefits workflows

FTC Safeguards Rule Evidence: Needs clearer access control and vendor oversight packet

NAIC-Related Items: Vendor oversight and incident response documentation need review

Cyber Insurance Controls: MFA documented; backup testing and EDR reporting need stronger evidence

Carrier Security Requirements: No recent questionnaire packet prepared

Training Status

Security Awareness Training: Current for most staff

Phishing Testing: Completed this quarter

Open Gap: New hire training documentation missing for two employees

Owner: Agency Operations

Due Date: August 1

Budget Recommendations

Replace five aging laptops used by service team

Renew firewall licensing next quarter

Expand Microsoft 365 backup storage

Add tabletop incident response exercise to quarterly planning

Completed Since Last Review

Removed four stale user accounts

Enabled MFA for all new employees

Updated email security rules

Resolved recurring printer issue in commercial lines

Closed eight recurring AMS performance tickets

Next-Quarter Priorities

Complete documented restore test

Update vendor register

Repair endpoint protection agents on remaining devices

Conduct access review

Prepare cyber insurance evidence packet

That is what "managed" looks like.

Not perfect.

Managed.

The One Question That Changes The Conversation

At the end of your next quarterly review, ask this:

"If a cyber insurer, carrier, regulator, or board member asked for proof tomorrow, what could we hand them?"

Then be quiet.

Let your provider answer.

If they can show you a clean quarterly summary, backup evidence, MFA coverage, patch reports, training status, access reviews, vendor documentation, and incident response readiness, you are in a much better position.

If they cannot, you now know exactly where to start.

Your Next-Week Action

Next week, ask your IT provider for three things in writing:

Your most recent backup restore test evidence

Your current MFA coverage percentage

Your top three security or compliance risks with owners and due dates

Do not ask for a general update.

Ask for proof.

If they send clear evidence, you have something to build on.

If they send vague reassurance, you have found your first quarterly review gap.

If You Are Not Having These Conversations, That Is The Red Flag

You should not have to chase your IT provider for clarity.

You should not have to translate vague technical updates into business risk.

You should not have to wonder whether your cyber insurance answers are supported by evidence.

And you should not be the only person carrying the weight of security, compliance, uptime, staff frustration, vendor controls, and audit readiness.

This is not about making IT more complicated.

It is about making your agency easier to protect.

A quarterly review gives you structure. A risk summary gives you proof. A health score gives you language leadership can understand. Clear metrics give you a way to hold your provider accountable without sounding alarmist.

You are not asking too much.

You are asking for the evidence a regulated agency should already have.

Schedule Your Review

Schedule your 10 minute discovery call with 911 IT. We'll help you confirm whether your quarterly IT review is producing real evidence around backups, access, compliance, and cyber insurance controls. Leave with a clearer view of what needs attention first.