Why SOC 2 is critical to protect Australian insurance customers

Wed, 15th Sep 2021

FYI, this story is more than a year old

By Yannick Giguère, general manager, Stelvio Australia

As Australian insurers continue to amass vast amounts of private data from millions of Australians, it's imperative that they now demonstrate system and organisational controls (SOC) reporting.

In particular, insurance technology companies are now required to be information security compliant, considering customer data is predominantly stored in cloud applications. The SOC 2 reporting standard (SOC 2 Type II report) is based around the trust principles of security, availability, integrity of processing and privacy, and is an audit opinion report over internal controls related to IT.

SOC 2 is often referred to as a certification; however, it is more an audit of a company's service-oriented controls to ensure they meet the SOC trust principles relating to IT. These controls have been curated from known standards to specifically address the trust principles.

While the SOC 2 standard does not directly dictate the controls, the report's purpose is to demonstrate that a company has controls in place, identify and list the controls, and validate that it correctly implemented the controls during the observation period.

SOC 2 compliance means that an organisation has developed and is implementing stringent controls to protect customer information. With growing concerns around data security, it is now more critical than ever that customers feel their confidential data is secure. Controls implemented by an organisation must align with the needs of the customers.

While it's critical that customers understand that an organisation is SOC 2 Type II compliant, it's more important for customers to recognise that the controls cover what they need covered to engage with this organisation.

Conducting annual SOC 2 audits through independent, third-party specialist auditing firms lets Insurtech providers demonstrate to insurers and their customers that the controls remain in place.

These audits encompass the design, implementation, and management of Insurtech systems around customer, insurer, and third-party supplier data controls.

With vast amounts of private data in the cloud and continuing threats of cyber-breaches, everyone in the insurance industry needs to know their data is protected. This goes beyond merely providing assurances. Insurers and their suppliers have a duty of care to firmly demonstrate that a strong data control environment is in place.

When engaging the services of Insurtech suppliers and providers, insurers must look for companies that have achieved a SOC 2 Type II compliance report that covers a twelve-month period — and that demonstrates the intention to undergo recurring audits and maintain compliance.

This report will validate the company's achievements concerning meeting all data security, availability, integrity and other requirements of the SOC 2 audit. Additionally, companies may choose to publish a SOC 3 compliance report, which is a report for public consumption based on the SOC 2 Type II report results. This lets Insurtech companies share their compliance results in a comprehensive report that is available for public view.

Insurers and their suppliers are continually subjected to rigorous and ever-changing regulatory requirements, as well as mandatory requirements of the industry's own General Insurance Code of Practice. However, SOC 2 is not merely another compliance mechanism. It helps insurance businesses continually monitor and improve how they manage highly valuable and private customer data.

This is a crucial tool in demonstrating sound business practices and helping to keep threats at bay. It also helps mitigate the risk of fraud when it comes to being the caretakers and protectors of valuable personal customer data.