How Insurers Can Prepare for SOC 2 Audits  

The American Institute of CPAs drafted standards to assist organizations in developing and maintaining system and organization controls (SOC) for financial information (SOC 1) and user data (SOC 2). SOC 2 reports on the controls a service organization has in place, regarding the five trust services criteria (TSC) of security, availability, integrity, confidentiality, and privacy of user data. SOC compliance applies to any service organization but is used extensively in the financial services sector.

SOC 2 compliance serves as a guarantee that a company has systems and controls in place to protect its digital assets, including employee and customer data. Its goal is to establish a framework for continuous improvement of TSCs. Unlike other standards that only require passing a single test, SOC 2 audits must be performed annually to maintain a SOC 2 certification.

What Does a SOC 2 Audit Involve?

Although SOC 2 covers five trust services criteria, only security is required for a SOC 2 audit report. However, many insurance companies include other TSCs to ensure a comprehensive evaluation of their security processes. For many insurance companies, data integrity, confidentiality and privacy are equally important for meeting security standards.

Security

Cybersecurity is the focus of AICPA security standards; however, the standard can include physical security measures that restrict access to information systems. The standard's goal is to protect against unauthorized access, disclosure, or damage resulting in a system compromise. It requires well-documented policies and procedures for both training and enforcement of security standards.

Availability

Specific performance standards are not part of SOC 2; however, auditors will evaluate system availability. For insurance companies, the required uptime may be a contractual obligation or a business continuity plan that ensures operation in case of a disruption in critical services such as power or internet services.

Processing Integrity

Processing integrity means that data is complete, accurate, and timely. As more data is collected and used for analysis and training for artificial intelligence applications, the need for data integrity becomes crucial to delivering unbiased services within the insurance industry. 

Confidentiality

Confidentiality standards mean encrypting data and constructing infrastructures to prevent uncontrolled access. This TSC should identify the methods used to protect intellectual property and trade secrets. If insurers have access to proprietary information, they need to maintain strong controls to prevent client information from being compromised.

Privacy

Privacy laws continue to expand. Recent changes in the European Union's data privacy laws and California's cybersecurity laws mean insurers have a greater responsibility for protecting personal identifiable information (PII) for all clients. More countries and industries are restricting access through a least-privilege approach to data access. 

How to Prepare for a SOC 2 Audit

Preparing for an audit begins long before it is scheduled. It takes planning, self-assessment, and remediation if an insurer hopes to successfully complete a SOC 2 audit. 

Define The Scope

Most insurers should include all five TSC requirements. Because of legal, contractual, and regulatory stipulations, data privacy and confidentiality are as important as data safety. Failure to comply with all standards can result in significant financial penalties. Limiting an audit to security and availability lacks the comprehensive required in SOC 2 reports.

Build a SOC 2 Team

Preparing for an audit requires a team committed to understanding and complying with SOC 2 standards. At a minimum, a SOC 2 team should include representatives from the following areas:

• Executive. An individual from the executive offices is a crucial component of any SOC 2 team. Executives should understand the requirements in order to relate the process to future revenue generation, ongoing risk management, and security concerns.
• IT Team. Information technology departments are responsible for data storage and system operations. Without their representation, the team would be unable to determine where protected data was used across an enterprise.
• Security Steward. Physical and cybersecurity personnel can outline existing processes to prevent unauthorized access to company facilities and digital assets. They will need to demonstrate how an insurer can detect and respond to security issues.
• Legal. SOC 2 audits extend to third-party vendors and business partners. Legal representatives can outline contractual obligations that apply to TSC requirements.

In addition, a SOC 2 team needs a project manager and primary writer. The documentation required for an initial SOC 2 audit usually requires a primary author who is responsible for gathering information from multiple sources for incorporation into a single document. A project manager can help keep the process on track and ensure that tasks are assigned and monitored.

Perform a Readiness Assessment

Readiness assessments help teams understand what is required to pass a SOC 2 audit. A self-assessment identifies what processes and systems to include in an audit. An initial assessment can be used to define the project scope. Subsequent assessments can help refine the audit scope.

Identify Gaps

After assessments are complete, SOC 2 needs to identify gaps that must be addressed before an audit is performed. Common gaps include:

• Lack of core policies for handling protected data.
• Lack of background checks on all employees.
• Lack of security conditions in employment agreements.
• Lack of password policies and procedures.

In some instances, the process may exist but is not documented. Often, the processes are poorly defined and undocumented. 

Remediate Weaknesses

From the gap analysis, insurers need to look at the preliminary results of a mock TSC run to identify areas to be addressed. These weaknesses should be assigned priorities so that mission-critical vulnerabilities can be addressed as quickly as possible. 

Prepare Documentation

For data-intensive insurance companies, preparing and passing a SOC 2 audit can become overwhelming. For insurers that are unfamiliar with SOC 2 requirements, the process can be time-consuming while a compliance team comes up to speed.

Don't Do It Alone

Sometimes, the best solution is to work with a third-party provider who understands the SOC 2 audit process. They work with companies to ensure they receive the required attestation from an independent, approved CPA firm. They cannot do it for you, but they can decrease audit time and expense through proactive preparation.

At Havoc Shield, we collaborate with our clients to ensure adequate controls are in place for every criterion. We also help build processes to maintain audit requirements and incorporate new ones. Through systematic preparation, we can minimize the prep time for a SOC 2 audit.

If you are interested in learning how to reduce the time, and cost, of a proper SOC 2 audit, let's talk.