n8n for InsurTech SaaS Vendors: 5 Automations for NAIC Model 668, State Market Conduct Exams, ERISA Welfare Plans, and HIPAA Stop-Loss Compliance
The state insurance examiner opened a market conduct exam. They sent a document production request with a 20-business-day window.
The document request included: all policyholder communications, claims settlement records, underwriting decision logs, and — because your policy administration workflow runs through a cloud automation platform — a subpoena to that automation vendor.
Your outside counsel is not in that conversation. The vendor's legal team is responding to a state insurance department subpoena with your policyholder data, your claims records, and your underwriting logs. The attorney-client privilege that attaches to your internal records does not attach to your cloud automation vendor's server.
This is the compliance architecture problem that InsurTech SaaS vendors encounter the first time their state insurance department opens a market conduct exam: the automation vendor is in scope.
Here is how InsurTech and insurance SaaS vendors are using self-hosted n8n to automate the five workflows that matter most — and keep their compliance records inside their own legal hold.
Why InsurTech SaaS Vendors Choose Self-Hosted n8n Over Cloud iPaaS
The insurance compliance stack has three characteristics that make cloud automation architecturally problematic:
1. NAIC Model 668 §11(A) requires every third-party service provider to be enumerated in your Cybersecurity Program. The NAIC Insurance Data Security Model Law has been adopted in 25+ states. Section 11(A) requires that a licensee exercise due diligence in selecting third-party service providers and include them in the Cybersecurity Program with written security requirements and annual assessments. A cloud automation platform processing policyholder data is a TSP. If it is not enumerated in your Cybersecurity Program, the state insurance examiner will find the gap during the next NAIC Model 668 examination.
2. State market conduct examination subpoena authority extends to cloud automation vendors. Insurance examiners have broad discovery authority over all records related to the insurer's operations, including records held by third parties. When your policy administration, claims processing, or underwriting workflows run through a cloud automation platform, that platform's run logs are in scope for a market conduct document request — and the examiner reaches the vendor directly, outside your review. Self-hosted n8n keeps all workflow run logs inside your legal hold.
3. ERISA §104 document production penalty is $110/day — and the DOL reaches cloud automation vendors. ERISA Section 104(a) requires plan administrators to produce plan documents within 30 days of a DOL request, with a $110/day penalty for failure to produce. If your benefit plan administration workflows run through a cloud automation platform, the DOL document request may include those vendor run logs. Self-hosted automation keeps benefit administration records inside your plan fiduciary's controlled environment.
7 InsurTech SaaS Customer Tiers
Before showing the workflows, here are the seven compliance exposure profiles for InsurTech and insurance SaaS customers:
| Tier | Examples | Primary Compliance Exposure |
|---|---|---|
| ENTERPRISE_INSURANCE_CARRIER_SAAS | P&C, Life, Health carrier platform vendors | NAIC Model 668, NAIC MAR, State market conduct exam, HIPAA (health) |
| INSURTECH_MGA_PLATFORM | MGA software, binding authority platforms | NAIC Model 668 TSP obligations, carrier exam scope, ERISA if group benefit |
| POLICY_ADMIN_SAAS | Policy administration systems, endorsement platforms | NAIC Model 668, carrier contractual SOC 2 requirements, state filing audit trail |
| CLAIMS_MANAGEMENT_SAAS | Claims processing, SIU platforms, TPA systems | State unfair claims practices act timeline documentation, HIPAA (health claims), market conduct exam scope |
| EMPLOYEE_BENEFITS_SAAS | Group benefits admin, enrollment, COBRA platforms | ERISA §402/404 fiduciary, HIPAA stop-loss, ERISA Form 5500, DOL document production |
| INSURANCE_ANALYTICS_SAAS | Actuarial, pricing, underwriting analytics vendors | NAIC MAR actuarial opinion data lineage, state rate filing audit trail, NAIC Model 668 |
| INSURTECH_STARTUP | New digital insurance distribution, embedded insurance | NAIC Model 668 from first license, ERISA + HIPAA from first group product, carrier TSP requirements |
Workflow 1: Tier-Segmented InsurTech Onboarding Drip
When a new InsurTech SaaS customer onboards, their compliance briefing must be specific to their tier — a CLAIMS_MANAGEMENT_SAAS vendor needs to hear about state unfair claims practices act timeline documentation and how market conduct examiners pull claims logs. An EMPLOYEE_BENEFITS_SAAS vendor needs ERISA fiduciary obligations and DOL document production procedures. An INSURTECH_STARTUP needs NAIC Model 668 obligations before their first carrier partner contract.
This workflow fires on new customer signup, parses tier and compliance flags, and delivers three compliance briefing emails: Day 0 (architecture overview), Day 3 (primary regulatory framework), Day 7 (cross-regulation and advanced compliance).
{
"name": "InsurTech Tier-Segmented Onboarding Drip",
"nodes": [
{
"id": "1",
"name": "Webhook",
"type": "n8n-nodes-base.webhook",
"position": [
250,
300
],
"parameters": {
"path": "insurtech-onboard",
"responseMode": "lastNode"
}
},
{
"id": "2",
"name": "Parse Tier & Compliance Flags",
"type": "n8n-nodes-base.code",
"position": [
450,
300
],
"parameters": {
"jsCode": "const tier = $json.tier || 'INSURTECH_STARTUP';\nconst email = $json.email;\nconst flags = $json.compliance_flags || [];\nconst tiers = {\n ENTERPRISE_INSURANCE_CARRIER_SAAS: { day0: 'NAIC Model 668 \u00a711(A): every third-party service provider processing nonpublic information must be enumerated in your Cybersecurity Program with written security requirements. Cloud automation platform = undocumented TSP = state examiner finding. NAIC MAR: annual audited financial statements require documentation of all material IT systems in scope.', day3: 'State Market Conduct Exam: insurance examiners have subpoena authority over third-party vendors in your automation chain. Cloud iPaaS run logs are exam-discoverable records not inside your legal hold. Production window: 10\u201330 business days from request.', day7: 'NAIC MCAS: Market Conduct Annual Statement data quality depends on automation pipeline integrity. Cloud vendor outage during filing period = MCAS submission gap = state regulator inquiry. Self-hosted automation keeps MCAS pipeline inside your control boundary.' },\n INSURTECH_MGA_PLATFORM: { day0: 'NAIC Model 668: MGAs processing policyholder nonpublic information are licensees under state adoption. Your Cybersecurity Program must enumerate every TSP \u2014 including automation platforms \u2014 with written security requirements and annual risk assessments.', day3: 'State market conduct exam scope extends to MGA operations and their IT vendor chain. If your binding authority workflows run through a cloud automation platform, those run logs are in scope for carrier and state examiner review.', day7: 'ERISA \u00a7402: if your MGA platform administers group benefit riders, welfare plan fiduciary obligations apply to plan data. Cloud automation handling plan data without a plan fiduciary authorization creates an ERISA \u00a7402 structure gap.' },\n POLICY_ADMIN_SAAS: { day0: 'NAIC Model 668 \u00a75: you are a licensee if you are an insurance company or other person licensed or required to be licensed or authorized or required to be authorized by a state insurance department. Policy admin SaaS processing carrier data may trigger Model 668 as a TSP to carriers \u2014 carriers will require your Cybersecurity Program documentation.', day3: 'Policy lifecycle events (issuance, endorsement, cancellation, renewal) generate audit trail records that state examiners review during market conduct exams. Cloud automation in this pipeline = examiner document request reaches your cloud vendor.', day7: 'SOC 2 Type II + Model 668 compliance documentation: carriers increasingly require both before contract signature. Your cloud automation vendor SOC 2 scope may not cover policy data processing \u2014 gap in your carrier contract representations.' },\n CLAIMS_MANAGEMENT_SAAS: { day0: 'NAIC Model 668: claims data is nonpublic information under \u00a73(N). Every automation platform touching claims records is a TSP requiring written security measures in your Cybersecurity Program. Cloud vendor breach = your notification obligation to policyholders and Insurance Commissioner.', day3: 'State unfair claims practices acts: settlement timeline compliance is documented in your claims automation logs. State examiners pull these logs directly during market conduct exams. Cloud iPaaS logs are outside your legal hold and discoverable by the examiner without your review.', day7: 'HIPAA: if your claims platform processes health insurance claims, PHI is in scope. Cloud automation handling PHI without a HIPAA Business Associate Agreement (BAA) = HIPAA violation. Most cloud iPaaS platforms provide BAAs but with significant data processing carve-outs that create PHI scope gaps.' },\n EMPLOYEE_BENEFITS_SAAS: { day0: 'ERISA \u00a7404(a): benefit plan fiduciaries must act prudently and solely in the interest of plan participants. Automation platforms processing plan data must operate within the fiduciary control boundary. Cloud automation handling benefit election, enrollment, or claims data = plan data outside fiduciary-controlled environment.', day3: 'ERISA \u00a7104: plan document and SPD production within 30 days of DOL request. $110/day penalty for failure to produce. Cloud automation vendor holds the run logs for your benefit administration workflows \u2014 DOL document request may reach the vendor, not you.', day7: 'HIPAA stop-loss integration: if your benefits platform interfaces with stop-loss carriers, PHI flows are in scope for both ERISA and HIPAA. Cloud automation in the stop-loss data exchange = HIPAA BAA required with cloud vendor for each PHI-touching workflow.' },\n INSURANCE_ANALYTICS_SAAS: { day0: 'NAIC Model 668: actuarial and pricing models processing nonpublic policyholder data are within Model 668 scope. Cloud analytics automation = TSP processing nonpublic information = required in carrier Cybersecurity Program documentation.', day3: 'NAIC Actuarial Opinion Memo: for life carriers, the appointed actuary opinion covers reserve adequacy. If automation pipelines feeding actuarial models run through cloud iPaaS, data lineage documentation for the opinion becomes cloud-vendor-dependent.', day7: 'State rate filing: rate and form filings include supporting actuarial data. Cloud automation in the rate calculation pipeline = regulatory examiner can subpoena cloud vendor run logs as part of rate filing investigation. Self-hosted keeps rate model data inside your filing privilege.' },\n INSURTECH_STARTUP: { day0: 'NAIC Model 668 is enacted in 25+ states and is functionally national for any insurer with multi-state business. Even as a startup, if you hold an insurance license in a Model 668 state, your Cybersecurity Program is due within the adoption timeline \u2014 and must enumerate every TSP including automation platforms.', day3: 'Carrier partnership contracts: incumbent carriers require NAIC Model 668 compliance documentation, SOC 2 Type II, and TSP enumeration before binding authority or fronting agreements. Build the Cybersecurity Program with TSP documentation from Day 1 \u2014 not 18 months after launch.', day7: 'ERISA + HIPAA: if your product touches employer group benefits or health insurance, ERISA welfare plan and HIPAA compliance apply from your first plan sponsor customer. Self-hosted automation stack eliminates cloud iPaaS as an undocumented TSP and HIPAA BAA complexity from Day 1.' }\n};\nconst cfg = tiers[tier] || tiers.INSURTECH_STARTUP;\n// Code node output must be an array of items with a json key\nreturn [{ json: { tier, email, flags, ...cfg } }];\n"
}
},
{
"id": "3",
"name": "Day 0 Email",
"type": "n8n-nodes-base.gmail",
"position": [
650,
200
],
"parameters": {
"to": "={{$json.email}}",
"subject": "={{$json.tier}}: InsurTech Compliance Architecture Briefing",
"message": "={{$json.day0}}"
}
},
{
"id": "4",
"name": "Wait 3 Days",
"type": "n8n-nodes-base.wait",
"position": [
650,
350
],
"parameters": {
"amount": 3,
"unit": "days"
}
},
{
"id": "5",
"name": "Day 3 Email",
"type": "n8n-nodes-base.gmail",
"position": [
850,
350
],
"parameters": {
"to": "={{$json.email}}",
"subject": "={{$json.tier}}: NAIC Model 668 + State Exam Deep Dive",
"message": "={{$json.day3}}"
}
},
{
"id": "6",
"name": "Wait 4 Days",
"type": "n8n-nodes-base.wait",
"position": [
1050,
350
],
"parameters": {
"amount": 4,
"unit": "days"
}
},
{
"id": "7",
"name": "Day 7 Email",
"type": "n8n-nodes-base.gmail",
"position": [
1250,
350
],
"parameters": {
"to": "={{$json.email}}",
"subject": "={{$json.tier}}: ERISA + HIPAA Week 1 Review",
"message": "={{$json.day7}}"
}
},
{
"id": "8",
"name": "Log to Sheets",
"type": "n8n-nodes-base.googleSheets",
"position": [
1450,
350
],
"parameters": {
"operation": "appendOrUpdate",
"sheetId": "insurtech_onboarding",
"columns": {
"tier": "={{$json.tier}}",
"onboard_ts": "={{$now.toISO()}}",
"flags": "={{$json.flags.join(',')}}"
}
}
}
],
"connections": {
"Webhook": {
"main": [
[
{
"node": "Parse Tier & Compliance Flags",
"type": "main",
"index": 0
}
]
]
},
"Parse Tier & Compliance Flags": {
"main": [
[
{
"node": "Day 0 Email",
"type": "main",
"index": 0
},
{
"node": "Wait 3 Days",
"type": "main",
"index": 0
}
]
]
},
"Wait 3 Days": {
"main": [
[
{
"node": "Day 3 Email",
"type": "main",
"index": 0
}
]
]
},
"Day 3 Email": {
"main": [
[
{
"node": "Wait 4 Days",
"type": "main",
"index": 0
}
]
]
},
"Wait 4 Days": {
"main": [
[
{
"node": "Day 7 Email",
"type": "main",
"index": 0
}
]
]
},
"Day 7 Email": {
"main": [
[
{
"node": "Log to Sheets",
"type": "main",
"index": 0
}
]
]
},
"Log to Sheets": {
"main": [
[]
]
}
}
}
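The Parse Tier & Compliance Flags node above takes the webhook body on trust: an unknown tier is silently mapped to INSURTECH_STARTUP, and the caller-supplied email goes straight into the Gmail node's recipient field and the Sheets row. The following is an added example, not code from the article or from n8n, of a validation step that could sit between the Webhook and the drip. The seven tier names are the article's; the `compliance_flags` allow-list and the sample payloads are assumptions.

```javascript
// Added example (not from the article): validate the onboarding webhook payload
// before it reaches the email and spreadsheet nodes.
const TIERS = new Set([
  'ENTERPRISE_INSURANCE_CARRIER_SAAS', 'INSURTECH_MGA_PLATFORM', 'POLICY_ADMIN_SAAS',
  'CLAIMS_MANAGEMENT_SAAS', 'EMPLOYEE_BENEFITS_SAAS', 'INSURANCE_ANALYTICS_SAAS',
  'INSURTECH_STARTUP',
]);
// Assumed allow-list of compliance flags; the article does not enumerate them.
const KNOWN_FLAGS = new Set(['HIPAA', 'ERISA', 'NAIC_668', 'SOC2']);
// Deliberately narrow address check: one local part, one domain, no whitespace
// and no CR/LF or comma, so a crafted "email" cannot smuggle extra recipients
// or headers into the mail node.
const EMAIL_RE = /^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$/;

// Returns { ok: true, tier, email, flags } or { ok: false, errors: [...] }.
// Unknown tiers are rejected rather than defaulted, so a typo in the signup
// system cannot send a carrier the startup briefing.
function validateOnboarding(payload) {
  const errors = [];
  const tier = typeof payload.tier === 'string' ? payload.tier.trim().toUpperCase() : '';
  if (!TIERS.has(tier)) errors.push(`unknown tier: ${JSON.stringify(payload.tier)}`);

  const email = typeof payload.email === 'string' ? payload.email.trim() : '';
  if (email.length > 254 || !EMAIL_RE.test(email)) errors.push('invalid email');

  const rawFlags = Array.isArray(payload.compliance_flags) ? payload.compliance_flags : [];
  const flags = [...new Set(rawFlags.filter((f) => typeof f === 'string').map((f) => f.toUpperCase()))];
  const unknown = flags.filter((f) => !KNOWN_FLAGS.has(f));
  if (unknown.length) errors.push(`unknown compliance_flags: ${unknown.join(',')}`);

  if (errors.length) return { ok: false, errors };
  return { ok: true, tier, email, flags };
}

// Constructed sample payloads: one clean, one with an unknown tier and a
// header-injection attempt in the email field.
const SAMPLE_GOOD = { tier: 'claims_management_saas', email: 'ops@example.com', compliance_flags: ['hipaa', 'HIPAA'] };
const SAMPLE_BAD = { tier: 'PLATINUM', email: 'a@b.com\r\nBcc: x@y.z' };
```

In the workflow, a rejected payload would be returned as an item for an If node to route to an error response instead of the Day 0 email; the Webhook node's Authentication option (header or basic auth) should also be enabled so that only the signup system can start the drip.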
Workflow 2: NAIC / ERISA / HIPAA Compliance Deadline Tracker
InsurTech compliance has 12 deadline types spanning three regulatory frameworks: NAIC state insurance law (Model 668, MAR, MCAS, market conduct), federal benefits law (ERISA), and federal health privacy law (HIPAA). The shortest window, NAIC Model 668 cybersecurity event notification, is 72 hours, and it is event-driven: the clock starts when the event is determined, not on a calendar date. The earliest fixed annual filing date in the list is NAIC MCAS on May 1.
This workflow runs daily at 8 AM, reads compliance deadlines from a Google Sheet, classifies each by urgency (OVERDUE / CRITICAL ≤7d / URGENT ≤14d / WARNING ≤30d), and fires Slack alerts and email notifications for anything not in OK status.
Deadline coverage:
| Deadline Type | Citation | Window |
|---|---|---|
| NAIC_668_CYBERSECURITY_EVENT_72H | NAIC Model Law 668 §9(A) | 72 hours from determination |
| NAIC_668_ANNUAL_PROGRAM_REVIEW | NAIC Model Law 668 §4(A) | Annual |
| NAIC_668_TSP_ANNUAL_ASSESSMENT | NAIC Model Law 668 §11(A) | Annual |
| NAIC_MAR_ANNUAL_AUDIT | NAIC Model Audit Rule §6 | Annual, June 1 |
| STATE_MARKET_CONDUCT_EXAM_RESPONSE | State insurance code | 10–30 business days |
| NAIC_MCAS_ANNUAL_FILING | NAIC MCAS | Annual, May 1 |
| ERISA_FORM_5500_ANNUAL | ERISA §104 / IRC §6058 | 7th month after plan year |
| ERISA_DOL_DOCUMENT_REQUEST_30D | ERISA §104(a) — $110/day | 30 days |
| HIPAA_BREACH_NOTIFICATION_60D | 45 CFR §164.408 | 60 days from discovery |
| HIPAA_INDIVIDUAL_NOTIFICATION_60D | 45 CFR §164.404 | 60 days from discovery |
| SOC2_TYPE2_RENEWAL | AICPA Trust Services | Annual |
| ANNUAL_PENETRATION_TEST | NAIC Model Law 668 §4(F)(2) | Annual |
{
"name": "InsurTech NAIC/ERISA/HIPAA Compliance Deadline Tracker",
"nodes": [
{
"id": "1",
"name": "Daily 8AM Trigger",
"type": "n8n-nodes-base.scheduleTrigger",
"position": [
250,
300
],
"parameters": {
"rule": {
"interval": [
{
"field": "cronExpression",
"expression": "0 8 * * *"
}
]
}
}
},
{
"id": "2",
"name": "Load Compliance Deadlines",
"type": "n8n-nodes-base.googleSheets",
"position": [
450,
300
],
"parameters": {
"operation": "readRows",
"sheetId": "insurtech_deadlines"
}
},
{
"id": "3",
"name": "Classify Urgency",
"type": "n8n-nodes-base.code",
"position": [
650,
300
],
"parameters": {
"jsCode": "const items = $input.all();\nconst now = new Date();\nconst results = [];\nconst DEADLINE_TYPES = {\n NAIC_668_CYBERSECURITY_EVENT_72H: { label: 'NAIC Model 668 \u00a79(A) Cybersecurity Event Commissioner Notification', citation: 'NAIC Insurance Data Security Model Law \u00a79(A)', period: 'event-based', window: '72 hours' },\n NAIC_668_ANNUAL_PROGRAM_REVIEW: { label: 'NAIC Model 668 \u00a74 Annual Cybersecurity Program Review', citation: 'NAIC Model Law 668 \u00a74(A)', period: 'annual' },\n NAIC_668_TSP_ANNUAL_ASSESSMENT: { label: 'NAIC Model 668 \u00a711 Third-Party Service Provider Annual Assessment', citation: 'NAIC Model Law 668 \u00a711(A)', period: 'annual' },\n NAIC_MAR_ANNUAL_AUDIT: { label: 'NAIC Model Audit Rule Annual Audited Financial Statement', citation: 'NAIC Model Audit Rule \u00a76', period: 'annual', deadline: 'June 1' },\n STATE_MARKET_CONDUCT_EXAM_RESPONSE: { label: 'State Insurance Department Market Conduct Exam Document Response', citation: 'State insurance code (varies)', period: 'event-based', window: '10\u201330 business days from request' },\n NAIC_MCAS_ANNUAL_FILING: { label: 'NAIC Market Conduct Annual Statement Filing', citation: 'NAIC MCAS', period: 'annual', deadline: 'May 1' },\n ERISA_FORM_5500_ANNUAL: { label: 'ERISA Form 5500 Annual Plan Report', citation: 'ERISA \u00a7104 / IRC \u00a76058', period: 'annual', deadline: '7th month after plan year end' },\n ERISA_DOL_DOCUMENT_REQUEST_30D: { label: 'ERISA \u00a7104 DOL Document Production Request', citation: 'ERISA \u00a7104(a) \u2014 $110/day penalty', period: 'event-based', window: '30 days' },\n HIPAA_BREACH_NOTIFICATION_60D: { label: 'HIPAA Breach Notification to HHS OCR', citation: '45 CFR \u00a7164.408', period: 'event-based', window: '60 days from discovery' },\n HIPAA_INDIVIDUAL_NOTIFICATION_60D: { label: 'HIPAA Individual Breach Notification', citation: '45 CFR \u00a7164.404', period: 'event-based', window: '60 days from discovery' },\n SOC2_TYPE2_RENEWAL: { label: 'SOC 2 Type II Report Renewal', citation: 'AICPA Trust Services Criteria', period: 'annual' },\n ANNUAL_PENETRATION_TEST: { label: 'Annual Penetration Test (NAIC 668 \u00a74(F)(2) / SOC 2)', citation: 'NAIC Model Law 668 \u00a74(F)(2)', period: 'annual' }\n};\nfor (const item of items) {\n const d = item.json;\n const cfg = DEADLINE_TYPES[d.deadline_type] || {};\n const due = new Date(d.due_date);\n if (Number.isNaN(due.getTime())) {\n // An unparseable due_date must surface as an alert; otherwise every comparison is false and the row silently reads as OK\n results.push({ json: { ...d, urgency: 'INVALID_DATE', daysLeft: null, label: cfg.label || d.deadline_type, citation: cfg.citation || '' } });\n continue;\n }\n const daysLeft = Math.ceil((due - now) / 86400000);\n let urgency = 'OK';\n // Compare instants for OVERDUE: Math.ceil of a small negative fraction is -0, which is not < 0\n if (due < now) urgency = 'OVERDUE';\n else if (daysLeft <= 7) urgency = 'CRITICAL';\n else if (daysLeft <= 14) urgency = 'URGENT';\n else if (daysLeft <= 30) urgency = 'WARNING';\n if (urgency !== 'OK') {\n results.push({ json: { ...d, urgency, daysLeft, label: cfg.label || d.deadline_type, citation: cfg.citation || '' } });\n }\n}\nreturn results.length > 0 ? results : [{ json: { skip: true } }];\n"
}
},
{
"id": "4",
"name": "Skip if Empty",
"type": "n8n-nodes-base.if",
"position": [
850,
300
],
"parameters": {
"conditions": {
"boolean": [
{
"value1": "={{$json.skip}}",
"value2": true
}
]
}
}
},
{
"id": "5",
"name": "Slack #compliance-alerts",
"type": "n8n-nodes-base.slack",
"position": [
1050,
200
],
"parameters": {
"channel": "compliance-alerts",
"text": "={{$json.urgency}}: {{$json.label}} \u2014 {{$json.daysLeft}} days. Citation: {{$json.citation}}. Customer: {{$json.customer_name}}"
}
},
{
"id": "6",
"name": "Gmail Compliance Contact",
"type": "n8n-nodes-base.gmail",
"position": [
1050,
350
],
"parameters": {
"to": "={{$json.compliance_contact_email}}",
"subject": "[{{$json.urgency}}] {{$json.label}} \u2014 {{$json.daysLeft}} days remaining",
"message": "={{$json.label}} is due {{$json.due_date}}. Citation: {{$json.citation}}. Customer: {{$json.customer_name}}."
}
},
{
"id": "7",
"name": "Log to Sheets",
"type": "n8n-nodes-base.googleSheets",
"position": [
1050,
500
],
"parameters": {
"operation": "appendOrUpdate",
"sheetId": "insurtech_deadline_log",
"columns": {
"customer": "={{$json.customer_name}}",
"deadline_type": "={{$json.deadline_type}}",
"urgency": "={{$json.urgency}}",
"days_left": "={{$json.daysLeft}}",
"notified_ts": "={{$now.toISO()}}"
}
}
}
],
"connections": {
"Daily 8AM Trigger": {
"main": [
[
{
"node": "Load Compliance Deadlines",
"type": "main",
"index": 0
}
]
]
},
"Load Compliance Deadlines": {
"main": [
[
{
"node": "Classify Urgency",
"type": "main",
"index": 0
}
]
]
},
"Classify Urgency": {
"main": [
[
{
"node": "Skip if Empty",
"type": "main",
"index": 0
}
]
]
},
"Skip if Empty": {
"main": [
[],
[
{
"node": "Slack #compliance-alerts",
"type": "main",
"index": 0
},
{
"node": "Gmail Compliance Contact",
"type": "main",
"index": 0
},
{
"node": "Log to Sheets",
"type": "main",
"index": 0
}
]
]
}
}
}
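The Classify Urgency node reads a finished `due_date` from the sheet. For the event-based rows in the table (72 hours, 30 days, 60 days, and a business-day window for the exam response) someone has to compute that date from the moment the clock starts. The block below is an added example, not the article's code: it reproduces the node's urgency buckets and adds the due-date derivation, including a weekday-only calculator for the market conduct window. Window lengths come from the table; the 20-business-day exam window, the `event_ts` row field, and the sample timestamps are constructed.

```javascript
// Added example (not from the article): derive due dates for event-based
// compliance clocks and classify urgency with the same buckets as the workflow.
const EVENT_WINDOWS = {
  NAIC_668_CYBERSECURITY_EVENT_72H:   { hours: 72 },        // from determination
  ERISA_DOL_DOCUMENT_REQUEST_30D:     { days: 30 },         // from DOL request
  HIPAA_BREACH_NOTIFICATION_60D:      { days: 60 },         // from discovery
  HIPAA_INDIVIDUAL_NOTIFICATION_60D:  { days: 60 },         // from discovery
  STATE_MARKET_CONDUCT_EXAM_RESPONSE: { businessDays: 20 }, // table says 10-30; 20 assumed here
};

const MS_PER_DAY = 86400000;

// Walks forward n weekdays (Mon-Fri) in UTC; public holidays are not modelled.
function addBusinessDays(start, n) {
  const d = new Date(start.getTime());
  let added = 0;
  while (added < n) {
    d.setUTCDate(d.getUTCDate() + 1);
    const dow = d.getUTCDay();
    if (dow !== 0 && dow !== 6) added += 1;
  }
  return d;
}

// eventTs is the ISO timestamp that starts the clock (determination, request,
// discovery). Calendar deadlines such as MCAS on May 1 are not event-based and
// are rejected here; they arrive from the sheet as fixed dates.
function dueDateFor(deadlineType, eventTs) {
  const w = EVENT_WINDOWS[deadlineType];
  if (!w) throw new Error(`not an event-based deadline: ${deadlineType}`);
  const start = new Date(eventTs);
  if (Number.isNaN(start.getTime())) throw new Error(`bad timestamp: ${eventTs}`);
  if (w.hours) return new Date(start.getTime() + w.hours * 3600000);
  if (w.days) return new Date(start.getTime() + w.days * MS_PER_DAY);
  return addBusinessDays(start, w.businessDays);
}

// Same thresholds as the workflow node. OVERDUE compares instants rather than
// rounded days, so a deadline missed by a few hours is OVERDUE, not CRITICAL
// (Math.ceil of a small negative fraction is -0, which is not < 0).
function classifyUrgency(due, now) {
  const daysLeft = Math.ceil((due.getTime() - now.getTime()) / MS_PER_DAY);
  let urgency = 'OK';
  if (due.getTime() < now.getTime()) urgency = 'OVERDUE';
  else if (daysLeft <= 7) urgency = 'CRITICAL';
  else if (daysLeft <= 14) urgency = 'URGENT';
  else if (daysLeft <= 30) urgency = 'WARNING';
  return { urgency, daysLeft };
}

// Sheet rows carry deadline_type and either a fixed due_date or an event_ts
// (assumed column) from which the due date is derived.
function classifyRows(rows, now) {
  return rows.map((r) => {
    const due = r.due_date ? new Date(r.due_date) : dueDateFor(r.deadline_type, r.event_ts);
    return { ...r, due_date: due.toISOString(), ...classifyUrgency(due, now) };
  });
}
```

The business-day walk is what makes the exam window awkward to keep in a spreadsheet by hand; deriving it in code from the request timestamp, and storing that timestamp, also gives the examiner-facing record of when the clock started.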
Workflow 3: InsurTech Platform API Health Monitor (Every 15 Minutes)
Five API endpoints underpin InsurTech compliance, each mapped to a specific regulatory consequence of downtime:
| Endpoint | Compliance Consequence of Downtime |
|---|---|
| policy_admin_api | NAIC Model 668 §4: policy lifecycle record integrity gap = Cybersecurity Program incident |
| claims_processing_api | State unfair claims practices act: settlement clock runs regardless of automation vendor SLA |
| underwriting_api | NAIC MAR: actuarial opinion data lineage requires continuous API availability during close period |
| hipaa_data_exchange_api | HIPAA 45 CFR §164.306: PHI availability = Security Rule requirement — outage = HIPAA Security incident |
| regulatory_reporting_api | NAIC MCAS / state filing: outage during filing period = submission gap + regulatory inquiry |
The claims processing API is the most operationally critical: state unfair claims practices acts impose specific response and settlement timelines, and examiners pull claims automation logs during market conduct exams. If your claims automation is down, the timeline clock still runs — and the examiner will find the gap in your response logs.
{
"name": "InsurTech Platform API Health Monitor",
"nodes": [
{
"id": "1",
"name": "Every 15 Minutes",
"type": "n8n-nodes-base.scheduleTrigger",
"position": [
250,
300
],
"parameters": {
"rule": {
"interval": [
{
"field": "cronExpression",
"expression": "*/15 * * * *"
}
]
}
}
},
{
"id": "2",
"name": "Check Policy Admin API",
"type": "n8n-nodes-base.httpRequest",
"continueOnFail": true,
"position": [
450,
150
],
"parameters": {
"url": "={{$vars.POLICY_API_URL}}/health",
"method": "GET",
"timeout": 10000
}
},
{
"id": "3",
"name": "Check Claims Processing API",
"type": "n8n-nodes-base.httpRequest",
"continueOnFail": true,
"position": [
450,
250
],
"parameters": {
"url": "={{$vars.CLAIMS_API_URL}}/health",
"method": "GET",
"timeout": 10000
}
},
{
"id": "4",
"name": "Check Underwriting API",
"type": "n8n-nodes-base.httpRequest",
"continueOnFail": true,
"position": [
450,
350
],
"parameters": {
"url": "={{$vars.UNDERWRITING_API_URL}}/health",
"method": "GET",
"timeout": 10000
}
},
{
"id": "5",
"name": "Check HIPAA Data Exchange API",
"type": "n8n-nodes-base.httpRequest",
"continueOnFail": true,
"position": [
450,
450
],
"parameters": {
"url": "={{$vars.HIPAA_API_URL}}/health",
"method": "GET",
"timeout": 10000
}
},
{
"id": "6",
"name": "Check Regulatory Reporting API",
"type": "n8n-nodes-base.httpRequest",
"continueOnFail": true,
"position": [
450,
550
],
"parameters": {
"url": "={{$vars.REG_REPORTING_URL}}/health",
"method": "GET",
"timeout": 10000
}
},
{
"id": "7",
"name": "Evaluate Health",
"type": "n8n-nodes-base.code",
"position": [
700,
350
],
"parameters": {
"jsCode": "const checks = [\n { name: 'policy_admin_api', status: $('Check Policy Admin API').item.json.status, compliance: 'NAIC Model 668 \u00a74: policy lifecycle records are nonpublic information \u2014 data integrity gap during outage = Cybersecurity Program incident', impact: 'HIGH' },\n { name: 'claims_processing_api', status: $('Check Claims Processing API').item.json.status, compliance: 'State unfair claims practices act: settlement timeline clock runs regardless of automation vendor SLA \u2014 examiner will pull downtime logs', impact: 'CRITICAL' },\n { name: 'underwriting_api', status: $('Check Underwriting API').item.json.status, compliance: 'NAIC MAR: underwriting model data lineage required for actuarial opinion \u2014 API outage creates audit trail gap', impact: 'HIGH' },\n { name: 'hipaa_data_exchange_api', status: $('Check HIPAA Data Exchange API').item.json.status, compliance: 'HIPAA 45 CFR \u00a7164.306: PHI availability is a HIPAA Security Rule requirement \u2014 stop-loss data exchange outage = HIPAA Security incident', impact: 'CRITICAL' },\n { name: 'regulatory_reporting_api', status: $('Check Regulatory Reporting API').item.json.status, compliance: 'NAIC MCAS / state filing: regulatory reporting API outage during filing period = MCAS submission gap + state department inquiry', impact: 'HIGH' },\n];\nconst degraded = checks.filter(c => c.status !== 200 && c.status !== 'ok');\nreturn degraded.length > 0 ? degraded : [{ all_healthy: true }];\n"
}
},
{
"id": "8",
"name": "Alert if Degraded",
"type": "n8n-nodes-base.if",
"position": [
900,
350
],
"parameters": {
"conditions": {
"boolean": [
{
"value1": "={{$json.all_healthy}}",
"value2": true
}
]
}
}
},
{
"id": "9",
"name": "Slack #ops-alert",
"type": "n8n-nodes-base.slack",
"position": [
1100,
250
],
"parameters": {
"channel": "ops-alert",
"text": "[{{$json.impact}}] {{$json.name}} DOWN \u2014 {{$json.compliance}}"
}
},
{
"id": "10",
"name": "PagerDuty if CRITICAL",
"type": "n8n-nodes-base.httpRequest",
"position": [
1100,
400
],
"parameters": {
"url": "https://events.pagerduty.com/v2/enqueue",
"method": "POST",
"body": {
"routing_key": "={{$vars.PD_ROUTING_KEY}}",
"event_action": "trigger",
"payload": {
"summary": "={{$json.name}} DOWN: {{$json.compliance}}",
"severity": "={{$json.impact === 'CRITICAL' ? 'critical' : 'error'}}"
}
}
}
}
],
"connections": {
"Every 15 Minutes": {
"main": [
[
{
"node": "Check Policy Admin API",
"type": "main",
"index": 0
},
{
"node": "Check Claims Processing API",
"type": "main",
"index": 0
},
{
"node": "Check Underwriting API",
"type": "main",
"index": 0
},
{
"node": "Check HIPAA Data Exchange API",
"type": "main",
"index": 0
},
{
"node": "Check Regulatory Reporting API",
"type": "main",
"index": 0
}
]
]
},
"Check Policy Admin API": {
"main": [
[
{
"node": "Evaluate Health",
"type": "main",
"index": 0
}
]
]
},
"Check Claims Processing API": {
"main": [
[
{
"node": "Evaluate Health",
"type": "main",
"index": 0
}
]
]
},
"Check Underwriting API": {
"main": [
[
{
"node": "Evaluate Health",
"type": "main",
"index": 0
}
]
]
},
"Check HIPAA Data Exchange API": {
"main": [
[
{
"node": "Evaluate Health",
"type": "main",
"index": 0
}
]
]
},
"Check Regulatory Reporting API": {
"main": [
[
{
"node": "Evaluate Health",
"type": "main",
"index": 0
}
]
]
},
"Evaluate Health": {
"main": [
[
{
"node": "Alert if Degraded",
"type": "main",
"index": 0
}
]
]
},
"Alert if Degraded": {
"main": [
[],
[
{
"node": "Slack #ops-alert",
"type": "main",
"index": 0
},
{
"node": "PagerDuty if CRITICAL",
"type": "main",
"index": 0
}
]
]
}
}
}
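The Evaluate Health node reads `status` from each HTTP Request node's output, but an HTTP Request node that times out or receives a 5xx throws and stops the whole workflow unless it is set to continue on failure (the node-level `continueOnFail` setting), in which case the item carries an `error` field and no `status`. The block below is an added example, not the article's code, of evaluation logic that treats that case as degraded rather than healthy, gates paging on the CRITICAL impact level, and maps the article's impact levels to the four severities the PagerDuty Events API v2 accepts (critical, error, warning, info). Endpoint names and impact levels follow the table above; the sample responses, the routing-key placeholder and the `dedup_key` naming are constructed.

```javascript
// Added example (not from the article): evaluate health-check outputs,
// including failed requests, and build a valid PagerDuty Events v2 payload.
const ENDPOINTS = [
  { name: 'policy_admin_api', impact: 'HIGH', compliance: 'NAIC Model 668 §4: policy lifecycle record integrity gap' },
  { name: 'claims_processing_api', impact: 'CRITICAL', compliance: 'State unfair claims practices act: settlement clock keeps running' },
  { name: 'underwriting_api', impact: 'HIGH', compliance: 'NAIC MAR: actuarial opinion data lineage gap' },
  { name: 'hipaa_data_exchange_api', impact: 'CRITICAL', compliance: 'HIPAA 45 CFR §164.306: PHI availability incident' },
  { name: 'regulatory_reporting_api', impact: 'HIGH', compliance: 'NAIC MCAS / state filing: submission gap' },
];

// PagerDuty Events API v2 only accepts these four severity values.
const PD_SEVERITY = { CRITICAL: 'critical', HIGH: 'error', MEDIUM: 'warning', LOW: 'info' };

// A check is healthy only when the node returned a body whose status field is
// 200 or "ok". An error item (request failed), a missing item, or any other
// status counts as degraded.
function isHealthy(item) {
  if (!item || item.error) return false;
  const s = item.status;
  return s === 200 || (typeof s === 'string' && s.toLowerCase() === 'ok');
}

// responses: map of endpoint name -> the item the corresponding HTTP node produced.
// Returns one record per degraded endpoint, in table order.
function evaluateHealth(responses) {
  const degraded = [];
  for (const ep of ENDPOINTS) {
    const item = responses[ep.name];
    if (isHealthy(item)) continue;
    let reason;
    if (!item) reason = 'no response item';
    else if (item.error) reason = `request failed: ${item.error.message || item.error}`;
    else reason = `status ${JSON.stringify(item.status)}`;
    degraded.push({
      ...ep,
      reason,
      pd_severity: PD_SEVERITY[ep.impact] || 'error',
      page: ep.impact === 'CRITICAL', // only CRITICAL endpoints wake someone up
    });
  }
  return degraded;
}

// Builds the Events v2 body for one degraded endpoint. summary, source and
// severity are all required by the API; dedup_key makes repeated 15-minute
// runs update a single incident instead of opening a new one each time.
function pagerDutyEvent(d, routingKey = 'PD_ROUTING_KEY_PLACEHOLDER') {
  return {
    routing_key: routingKey,
    event_action: 'trigger',
    dedup_key: `insurtech-health-${d.name}`,
    payload: {
      summary: `${d.name} DOWN: ${d.compliance} (${d.reason})`,
      source: 'n8n-health-monitor',
      severity: d.pd_severity,
    },
  };
}

// Constructed sample: one timeout, one explicit degraded status, one endpoint
// whose node produced nothing at all.
const SAMPLE_RESPONSES = {
  policy_admin_api: { status: 'ok' },
  claims_processing_api: { error: { message: 'ETIMEDOUT' } },
  underwriting_api: { status: 200 },
  hipaa_data_exchange_api: { status: 'degraded' },
};
```

Keeping `dedup_key` stable per endpoint matters for the audit trail as much as for on-call hygiene: the incident timeline then shows one outage with a start and a resolve, which is what an examiner asking about a settlement-clock gap needs to see.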
Workflow 4: InsurTech Incident & Exam Response Pipeline (8 Incident Types)
When a compliance incident fires, the routing and escalation depend on which regulatory clock is running. Eight incident types, each with a distinct window and action path:
| Incident Type | Regulatory Window | Fastest Consequence |
|---|---|---|
| NAIC_668_CYBERSECURITY_EVENT_DETECTED | 72 hours | NAIC Model 668 §9(A) Insurance Commissioner notification |
| STATE_MARKET_CONDUCT_EXAM_OPENED | IMMEDIATE | Document hold + cloud vendor subpoena scope |
| HIPAA_PHI_BREACH_DETECTED | 60 days | HHS OCR notification + individual notification + Wall of Shame (500+ individuals) |
| ERISA_DOL_DOCUMENT_REQUEST | 30 days | $110/day ERISA §104(a) penalty |
| NAIC_MAR_AUDIT_DEFICIENCY_FOUND | 45 days | Management letter response + remediation plan |
| STATE_INSURANCE_DEPT_DATA_CALL | 30 days | Data production with full lineage documentation |
| ERISA_PLAN_FIDUCIARY_COMPLAINT | 60 days | DOL escalation or private ERISA §502(a) litigation |
| NAIC_MCAS_DATA_QUALITY_ISSUE | 72 hours | State department follow-up inquiry trigger |
{
"name": "InsurTech Market Conduct Exam & Incident Pipeline",
"nodes": [
{
"id": "1",
"name": "Incident Webhook",
"type": "n8n-nodes-base.webhook",
"position": [
250,
300
],
"parameters": {
"path": "insurtech-incident",
"responseMode": "immediately"
}
},
{
"id": "2",
"name": "Classify Incident",
"type": "n8n-nodes-base.code",
"position": [
450,
300
],
"parameters": {
"jsCode": "const type = $json.incident_type;\nconst INCIDENT_MATRIX = {\n NAIC_668_CYBERSECURITY_EVENT_DETECTED: {\n severity: 'CRITICAL', window: '72 hours', deadline_hours: 72,\n regulation: 'NAIC Insurance Data Security Model Law \u00a79(A) \u2014 notify Insurance Commissioner within 72 hours of determining a cybersecurity event occurred. 25+ states adopted.',\n action: 'Engage Chief Compliance Officer immediately. Determine if nonpublic information was accessed or disrupted. 72h clock runs from determination, not discovery. Document when determination was made \u2014 this timestamp is your regulatory defense.',\n channels: ['#cyber-incident', '#legal-urgent', 'CRO', 'Insurance Commissioner Liaison']\n },\n STATE_MARKET_CONDUCT_EXAM_OPENED: {\n severity: 'CRITICAL', window: 'IMMEDIATE', deadline_hours: 0,\n regulation: 'State insurance code market conduct examination \u2014 document production window typically 10\u201330 business days from request. Examiner subpoena authority extends to third-party vendors including cloud automation platforms.',\n action: 'Issue legal hold immediately on all systems in scope. Identify every cloud automation platform touching policyholder data \u2014 those vendors receive examiner document requests directly. Self-hosted automation keeps all run logs inside your legal hold.',\n channels: ['#regulatory-exam', '#legal', 'General Counsel', 'Chief Compliance Officer']\n },\n HIPAA_PHI_BREACH_DETECTED: {\n severity: 'CRITICAL', window: '60 days', deadline_hours: 1440,\n regulation: 'HIPAA 45 CFR \u00a7164.408: notify HHS OCR within 60 days of discovery. \u00a7164.404: individual notification within 60 days. If 500+ individuals affected: media notice required + HHS Wall of Shame.',\n action: 'Engage HIPAA Privacy Officer. Determine breach scope \u2014 number of individuals, PHI elements affected. Notify business associates. If cloud automation is in the breach chain, the BA agreement determines notification obligations between platforms.',\n channels: ['#hipaa-breach', '#legal', 'Privacy Officer', 'CISO']\n },\n ERISA_DOL_DOCUMENT_REQUEST: {\n severity: 'CRITICAL', window: '30 days', deadline_hours: 720,\n regulation: 'ERISA \u00a7104(a) \u2014 $110/day penalty for failure to produce plan documents within 30 days of DOL request. Maximum $1,000/request. Cloud automation vendor run logs for benefit workflows may be in DOL scope.',\n action: 'Identify all plan administration automation workflows. Pull run logs from all systems \u2014 including cloud automation vendors if plan data flowed through them. Legal hold all benefit processing records.',\n channels: ['#erisa-dol', '#legal', 'ERISA Counsel', 'Benefits Administration']\n },\n NAIC_MAR_AUDIT_DEFICIENCY_FOUND: {\n severity: 'HIGH', window: '45 days', deadline_hours: 1080,\n regulation: 'NAIC Model Audit Rule \u00a710: management response to auditor findings due within 45 days of final report. Material weaknesses in IT controls (including automation platforms) are MAR reportable.',\n action: 'Assess whether automation platform controls are in scope for the deficiency. Document remediation plan. If cloud automation is the deficient control, management letter response must address TSP oversight under NAIC Model 668 \u00a711.',\n channels: ['#audit-response', '#compliance', 'CFO', 'External Audit Liaison']\n },\n STATE_INSURANCE_DEPT_DATA_CALL: {\n severity: 'HIGH', window: '30 days', deadline_hours: 720,\n regulation: 'State insurance department data call \u2014 ad hoc data requests from state departments. Production window typically 30 days. Data must be traceable to source systems including automation platforms.',\n action: 'Identify data sources for requested fields. If data flows through automation platforms, pull lineage documentation. Cloud automation vendor data lineage may require vendor cooperation \u2014 self-hosted automation keeps lineage documentation internal.',\n channels: ['#regulatory-data-call', '#compliance', 'Chief Actuary', 'State Affairs']\n },\n ERISA_PLAN_FIDUCIARY_COMPLAINT: {\n severity: 'HIGH', window: '60 days', deadline_hours: 1440,\n regulation: 'ERISA \u00a7502(a) \u2014 plan participant complaint may escalate to DOL or private litigation. ERISA \u00a7404 fiduciary prudence defense requires documentation of plan administration decisions and their compliance basis.',\n action: 'Document fiduciary decision-making process. Pull benefit administration automation logs \u2014 these are the paper trail for fiduciary prudence. If automation ran in a cloud platform, legal team must determine if those logs are discoverable.',\n channels: ['#erisa-complaints', '#legal', 'ERISA Counsel', 'Plan Administrator']\n },\n NAIC_MCAS_DATA_QUALITY_ISSUE: {\n severity: 'MEDIUM', window: '72 hours', deadline_hours: 72,\n regulation: 'NAIC Market Conduct Annual Statement \u2014 data quality failures trigger state department follow-up inquiries. MCAS data flows through claims and policy automation pipelines.',\n action: 'Identify automation workflow generating the anomalous MCAS data. If cloud automation is in the pipeline, pull vendor run logs to isolate the data quality event source.',\n channels: ['#mcas-quality', '#compliance', 'Market Conduct Officer']\n }\n};\nconst cfg = INCIDENT_MATRIX[type] || { severity: 'MEDIUM', window: '24h', regulation: 'Review required', action: 'Standard incident response', channels: ['#compliance'] };\n// Code node output must be an array of items with a json key\nreturn [{ json: { ...cfg, incident_type: type, customer: $json.customer, timestamp: new Date().toISOString() } }];\n"
}
},
{
"id": "3",
"name": "Slack Multi-Channel",
"type": "n8n-nodes-base.slack",
"position": [
700,
200
],
"parameters": {
"channel": "={{$json.channels[0]}}",
"text": "=[{{$json.severity}}] {{$json.incident_type}} \u2014 Window: {{$json.window}}. Regulation: {{$json.regulation}}. Action: {{$json.action}}"
}
},
{
"id": "4",
"name": "Gmail Stakeholders",
"type": "n8n-nodes-base.gmail",
"position": [
700,
350
],
"parameters": {
"to": "={{$json.channels.slice(1).join(',')}}",
"subject": "=[{{$json.severity}}] {{$json.incident_type}} \u2014 Customer: {{$json.customer}}",
"message": "=Regulation: {{$json.regulation}}\n\nRequired Action: {{$json.action}}\n\nDeadline: {{$json.window}}\n\nTimestamp: {{$json.timestamp}}"
}
},
{
"id": "5",
"name": "Log to Postgres",
"type": "n8n-nodes-base.postgres",
"position": [
700,
500
],
"parameters": {
"operation": "insert",
"table": "insurtech_incidents",
"columns": "incident_type,severity,window_hours,customer,regulation,ts",
"values": "={{$json.incident_type}},{{$json.severity}},{{$json.deadline_hours}},{{$json.customer}},{{$json.regulation}},{{$json.timestamp}}"
}
}
],
"connections": {
"Incident Webhook": {
"main": [
[
{
"node": "Classify Incident",
"type": "main",
"index": 0
}
]
]
},
"Classify Incident": {
"main": [
[
{
"node": "Slack Multi-Channel",
"type": "main",
"index": 0
},
{
"node": "Gmail Stakeholders",
"type": "main",
"index": 0
},
{
"node": "Log to Postgres",
"type": "main",
"index": 0
}
]
]
}
}
}
Workflow 5: Weekly InsurTech Platform KPI Dashboard
Every Monday at 8 AM, this workflow queries your Postgres database for 14 metrics spanning commercial performance, compliance incident status, and API uptime — and sends a structured HTML report to your CEO with BCC to CRO.
Metrics include: active customers, carrier + MGA accounts, MRR/ARR, policies issued (7d), claims processed (7d), NAIC 668 events open, market conduct exams open, HIPAA breaches (7d), ERISA DOL requests open, claims API uptime, NAIC deadlines CRITICAL, ERISA deadlines URGENT+, HIPAA deadlines URGENT+.
NAIC 668 events open, market conduct exams open, and HIPAA breaches are red-flagged when non-zero. These are not metrics that improve with product iteration; they are binary compliance events that require immediate engagement regardless of commercial performance.
{
"name": "Weekly InsurTech Platform KPI Dashboard",
"nodes": [
{
"id": "1",
"name": "Monday 8AM",
"type": "n8n-nodes-base.scheduleTrigger",
"position": [
250,
300
],
"parameters": {
"rule": {
"interval": [
{
"field": "cronExpression",
"expression": "0 8 * * 1"
}
]
}
}
},
{
"id": "2",
"name": "Query Postgres KPI",
"type": "n8n-nodes-base.postgres",
"position": [
450,
300
],
"parameters": {
"operation": "executeQuery",
"query": "SELECT COUNT(DISTINCT customer_id) as active_customers, COUNT(DISTINCT CASE WHEN tier='ENTERPRISE_INSURANCE_CARRIER_SAAS' OR tier='INSURTECH_MGA_PLATFORM' THEN customer_id END) as carrier_mga_accounts, SUM(mrr_usd) as mrr_usd, SUM(mrr_usd)*12 as arr_usd, SUM(CASE WHEN created_at >= NOW()-INTERVAL'7 days' THEN policies_issued ELSE 0 END) as policies_issued_7d, SUM(CASE WHEN created_at >= NOW()-INTERVAL'7 days' THEN claims_processed ELSE 0 END) as claims_processed_7d, COUNT(CASE WHEN incident_type='NAIC_668_CYBERSECURITY_EVENT_DETECTED' AND status='OPEN' THEN 1 END) as naic_668_open, COUNT(CASE WHEN incident_type='STATE_MARKET_CONDUCT_EXAM_OPENED' AND status='OPEN' THEN 1 END) as market_conduct_exams_open, COUNT(CASE WHEN incident_type='HIPAA_PHI_BREACH_DETECTED' AND ts >= NOW()-INTERVAL'7 days' THEN 1 END) as hipaa_breaches_7d, COUNT(CASE WHEN incident_type='ERISA_DOL_DOCUMENT_REQUEST' AND status='OPEN' THEN 1 END) as erisa_dol_requests_open, ROUND(AVG(CASE WHEN api_name='claims_processing_api' THEN uptime_pct END),2) as claims_api_uptime, COUNT(CASE WHEN deadline_type LIKE 'NAIC_%' AND urgency='CRITICAL' THEN 1 END) as naic_deadlines_critical, COUNT(CASE WHEN deadline_type LIKE 'ERISA_%' AND urgency IN ('CRITICAL','URGENT') THEN 1 END) as erisa_deadlines_urgent, COUNT(CASE WHEN deadline_type LIKE 'HIPAA_%' AND urgency IN ('CRITICAL','URGENT') THEN 1 END) as hipaa_deadlines_urgent FROM platform_metrics WHERE week = date_trunc('week', NOW()-INTERVAL'1 week')"
}
},
{
"id": "3",
"name": "Build KPI HTML",
"type": "n8n-nodes-base.code",
"position": [
700,
300
],
"parameters": {
"jsCode": "const d = $json;\nconst html = `\n<h2>InsurTech Platform \u2014 Weekly KPI</h2>\n<table><tr><th>Metric</th><th>Value</th></tr>\n<tr><td>Active Customers</td><td>${d.active_customers}</td></tr>\n<tr><td>Carrier + MGA Accounts</td><td>${d.carrier_mga_accounts}</td></tr>\n<tr><td>MRR</td><td>$${Number(d.mrr_usd).toLocaleString()}</td></tr>\n<tr><td>ARR</td><td>$${Number(d.arr_usd).toLocaleString()}</td></tr>\n<tr><td>Policies Issued (7d)</td><td>${d.policies_issued_7d}</td></tr>\n<tr><td>Claims Processed (7d)</td><td>${d.claims_processed_7d}</td></tr>\n<tr><td>NAIC 668 Events Open</td><td style='color:${d.naic_668_open>0?'red':'green'}'>${d.naic_668_open}</td></tr>\n<tr><td>Market Conduct Exams Open</td><td style='color:${d.market_conduct_exams_open>0?'orange':'green'}'>${d.market_conduct_exams_open}</td></tr>\n<tr><td>HIPAA Breaches (7d)</td><td style='color:${d.hipaa_breaches_7d>0?'red':'green'}'>${d.hipaa_breaches_7d}</td></tr>\n<tr><td>ERISA DOL Requests Open</td><td style='color:${d.erisa_dol_requests_open>0?'orange':'green'}'>${d.erisa_dol_requests_open}</td></tr>\n<tr><td>Claims API Uptime</td><td>${d.claims_api_uptime}%</td></tr>\n<tr><td>NAIC Deadlines CRITICAL</td><td style='color:${d.naic_deadlines_critical>0?'red':'green'}'>${d.naic_deadlines_critical}</td></tr>\n<tr><td>ERISA Deadlines URGENT+</td><td style='color:${d.erisa_deadlines_urgent>0?'orange':'green'}'>${d.erisa_deadlines_urgent}</td></tr>\n<tr><td>HIPAA Deadlines URGENT+</td><td style='color:${d.hipaa_deadlines_urgent>0?'orange':'green'}'>${d.hipaa_deadlines_urgent}</td></tr>\n</table>`;\nreturn { html, ...d };\n"
}
},
{
"id": "4",
"name": "Gmail CEO + BCC CRO",
"type": "n8n-nodes-base.gmail",
"position": [
900,
300
],
"parameters": {
"to": "={{$vars.CEO_EMAIL}}",
"bcc": "={{$vars.CRO_EMAIL}}",
"subject": "=InsurTech Platform KPI \u2014 Week of {{$now.minus({weeks:1}).toFormat('yyyy-MM-dd')}}",
"message": "={{$json.html}}"
}
},
{
"id": "5",
"name": "Slack #management",
"type": "n8n-nodes-base.slack",
"position": [
900,
450
],
"parameters": {
"channel": "management",
"text": "=Weekly KPI: {{$json.active_customers}} customers | MRR ${{$json.mrr_usd}} | NAIC 668 open {{$json.naic_668_open}} | Market conduct exams {{$json.market_conduct_exams_open}} | HIPAA breaches 7d {{$json.hipaa_breaches_7d}}"
}
}
],
"connections": {
"Monday 8AM": {
"main": [
[
{
"node": "Query Postgres KPI",
"type": "main",
"index": 0
}
]
]
},
"Query Postgres KPI": {
"main": [
[
{
"node": "Build KPI HTML",
"type": "main",
"index": 0
}
]
]
},
"Build KPI HTML": {
"main": [
[
{
"node": "Gmail CEO + BCC CRO",
"type": "main",
"index": 0
},
{
"node": "Slack #management",
"type": "main",
"index": 0
}
]
]
}
}
}
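The Workflow 4 matrix records a deadline_hours value per incident, and the Workflow 5 query counts open deadlines by regulator prefix and urgency label, but neither workflow shows how the two connect. The following JavaScript, written in the same language as the n8n Code nodes above, is an added example (not part of the FlowKit templates or the page's workflows): it turns deadline_hours into a dated deadline and an urgency bucket, then rolls the buckets up into the naic_deadlines_critical, erisa_deadlines_urgent and hipaa_deadlines_urgent counts the KPI query reports. It assumes each incident record carries a determined_at ISO-8601 timestamp (the page notes the NAIC 668 clock runs from determination, not discovery), and the 24h/72h urgency thresholds are assumptions of the example.

```javascript
// Added example, not the page's own code; the determined_at field and urgency thresholds are assumptions.
const DEADLINE_HOURS = {
  NAIC_668_CYBERSECURITY_EVENT_DETECTED: 72,   // NAIC Model 668 §9(A)
  STATE_MARKET_CONDUCT_EXAM_OPENED: 0,         // IMMEDIATE: legal hold now
  HIPAA_PHI_BREACH_DETECTED: 1440,             // 45 CFR §164.404 / §164.408
  ERISA_DOL_DOCUMENT_REQUEST: 720,             // ERISA §104(a)
  NAIC_MAR_AUDIT_DEFICIENCY_FOUND: 1080,       // NAIC Model Audit Rule §10
  STATE_INSURANCE_DEPT_DATA_CALL: 720,
  ERISA_PLAN_FIDUCIARY_COMPLAINT: 1440,
  NAIC_MCAS_DATA_QUALITY_ISSUE: 72,
};
function urgencyFor(hoursRemaining) { // thresholds assumed; the page names only CRITICAL/URGENT
  if (hoursRemaining < 0) return 'OVERDUE';
  if (hoursRemaining <= 24) return 'CRITICAL';
  if (hoursRemaining <= 72) return 'URGENT';
  return 'TRACKING';
}
// determined_at is an assumed field: the page says the 72h clock runs from determination.
function computeDeadline(incident, nowIso) {
  const hours = DEADLINE_HOURS[incident.incident_type];
  if (hours === undefined) throw new Error(`unknown incident type ${incident.incident_type}`);
  const determined = new Date(incident.determined_at);
  if (Number.isNaN(determined.getTime())) throw new Error('determined_at must be ISO-8601');
  const deadline = new Date(determined.getTime() + hours * 3_600_000);
  const hoursRemaining = (deadline - new Date(nowIso)) / 3_600_000;
  return {
    deadline_type: incident.incident_type, // matches LIKE 'NAIC_%' etc. in the KPI query
    deadline_iso: deadline.toISOString(),
    hours_remaining: Math.round(hoursRemaining),
    urgency: hours === 0 ? 'CRITICAL' : urgencyFor(hoursRemaining), // IMMEDIATE never ages out
  };
}
// Same roll-up as naic_deadlines_critical / erisa_deadlines_urgent / hipaa_deadlines_urgent.
function kpiCounts(deadlines) {
  const hit = (p, levels) => deadlines.filter(d => d.deadline_type.startsWith(p) && levels.includes(d.urgency)).length;
  return {
    naic_deadlines_critical: hit('NAIC_', ['CRITICAL']),
    erisa_deadlines_urgent: hit('ERISA_', ['CRITICAL', 'URGENT']),
    hipaa_deadlines_urgent: hit('HIPAA_', ['CRITICAL', 'URGENT']),
  };
}
// Constructed sample incidents; NOW is a Monday 08:00 UTC like the KPI trigger.
const NOW = '2024-03-04T08:00:00Z';
const SAMPLE_DEADLINES = [
  { incident_type: 'NAIC_668_CYBERSECURITY_EVENT_DETECTED', determined_at: '2024-03-01T12:00:00Z' },
  { incident_type: 'HIPAA_PHI_BREACH_DETECTED', determined_at: '2024-01-05T08:00:00Z' },
  { incident_type: 'ERISA_DOL_DOCUMENT_REQUEST', determined_at: '2024-01-20T08:00:00Z' },
  { incident_type: 'STATE_MARKET_CONDUCT_EXAM_OPENED', determined_at: NOW },
].map(i => computeDeadline(i, NOW));
```

Inside an n8n Code node the same functions would run over the incident items instead of the constructed samples, and the returned rows would feed the platform_metrics table the KPI query reads.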
The Self-Hosted n8n Procurement Argument for InsurTech Vendors
Five specific compliance arguments that matter at the InsurTech procurement stage:
1. NAIC Model 668 §11(A) — Third-Party Service Provider enumeration. Your Cybersecurity Program must enumerate every TSP processing nonpublic information, with written security requirements and annual assessments. A cloud automation platform processing policyholder or claims data is a TSP. If it is not in your Program, the state insurance examiner finds it. Self-hosted n8n eliminates the cloud automation vendor from your TSP enumeration requirement.
2. State market conduct examination — document subpoena scope. Insurance examiners have subpoena authority over all records relevant to the examination, including records held by third-party vendors. When your policy, claims, or underwriting workflows run through a cloud automation platform, those run logs are reachable by the examiner without your legal team's review. Self-hosted n8n keeps all workflow run logs inside your legal hold.
3. ERISA §104 — plan document production, $110/day. ERISA requires plan administrators to produce plan documents within 30 days of a DOL request. If your benefit administration automation workflows run through a cloud platform, the DOL request may include those vendor run logs, and your vendor's response timeline may not align with your 30-day production window. Self-hosted automation keeps benefit records inside your plan fiduciary's controlled environment.
4. HIPAA Security Rule — BA Agreement scope. Most cloud automation platforms provide HIPAA Business Associate Agreements (BAAs) with significant data processing carve-outs. PHI that flows through automation vendor infrastructure creates a BAA scope question: is the vendor's data processing covered by the BAA, or is it carved out as "infrastructure" or "logging"? Self-hosted n8n eliminates the BA Agreement complexity by keeping PHI processing inside your own HIPAA security boundary.
5. NAIC MAR — annual audit IT control scope. The NAIC Model Audit Rule requires annual audited financial statements. Material weaknesses in IT controls are MAR-reportable. If your core insurance operations run through cloud automation platforms, your external auditor may expand IT audit scope to those vendors. Self-hosted n8n keeps automation infrastructure inside your existing IT control boundary.
Three Procurement Questions to Ask Your Automation Vendor
Before your next NAIC Model 668 examination or carrier contract renewal, ask your cloud automation vendor these three questions:
Are you enumerated in our NAIC Model 668 Cybersecurity Program as a Third-Party Service Provider, with a written security agreement and annual assessment? If not, your Program has a §11(A) gap — and your state examiner will find it.
If we receive a state insurance department market conduct document production request, what is your response process and timeline? The answer tells you whether your compliance records are inside or outside your legal team's review process before they reach the examiner.
Does your HIPAA Business Associate Agreement cover all data processing performed by your automation workflows, or are there infrastructure or logging carve-outs that create PHI scope gaps? The answer tells you whether your HIPAA compliance boundary includes your automation vendor.
Get the Complete InsurTech Automation Kit
All five workflows above are available as ready-to-import n8n JSON at FlowKit on Gumroad — along with 10+ other compliance automation templates covering FinTech, HealthTech, LegalTech, HRTech, RetailTech, TravelTech, and more.
The complete bundle (all templates + setup guides) is $97 at stripeai.gumroad.com.
FlowKit — n8n automation templates for SaaS compliance teams. All workflows are illustrative educational examples. Consult qualified legal and compliance counsel for implementation guidance specific to your regulatory obligations.