Case Study: An Insurance Company's SOC 2 Journey
The company was pursuing SOC 2 compliance to satisfy the security requirements of its enterprise-level clients. By doing so, it aimed to transform its security from an ad-hoc practice into a formalized and continuous process, thereby becoming a more trustworthy partner.
Company Profile
Our client is a large, well-established insurance provider offering a range of life, auto, and health insurance products. As a custodian of vast amounts of personally identifiable information (PII) and protected health information (PHI), the company is subject to strict regulatory requirements, including HIPAA and state-specific privacy laws.
The key learnings highlighted in this case study are that achieving SOC 2 compliance is a journey, not a destination. It’s crucial for companies to start the process early in their growth, rather than waiting until it becomes a roadblock. Automating the evidence collection process with tools like a GRC platform can significantly ease the burden of the audit. Finally, the case study emphasizes that compliance is a continuous effort that requires ongoing maintenance and annual audits to remain valid.
The Challenge
While the client had a long history of protecting customer data, they needed to provide a single, comprehensive report that would satisfy the security assurance demands of their corporate partners (e.g., healthcare providers, financial institutions) and regulators. The complexity of their legacy IT systems, combined with a large, distributed workforce, created a challenge in centralizing and documenting their security controls effectively to demonstrate compliance. They needed a holistic view of their security, availability, and confidentiality controls.
The Solution: A Phased Approach
The client decided to pursue a SOC 2 Type 2 report, using the framework as a way to streamline and consolidate their existing security and privacy efforts. The audit focused on the Security, Availability, and Confidentiality Trust Services Criteria.
Security: The company enhanced its identity and access management system, implementing role-based access controls to ensure employees could only access the data necessary for their job functions.
Availability: They formalized their business continuity and disaster recovery plan, conducting regular tests to ensure that critical systems could be restored quickly in the event of an outage.
Confidentiality: This was a major focus. The team implemented new data classification protocols, encrypting all sensitive customer data both at rest and in transit. They also created a robust vendor management program, conducting security reviews of all third-party vendors who handled their data.
The Audit & Outcome
The 12-month audit period for the Type 2 report was rigorous. Auditors reviewed a wide range of evidence, including incident logs, vulnerability scan reports, and the results of their disaster recovery tests. The audit successfully validated that Liberty Assurance’s controls were not only in place but also operating effectively over time.
The final SOC 2 report provided a high level of assurance to Liberty Assurance’s partners and regulators. It demonstrated that the company was a trustworthy steward of sensitive data, which helped them maintain and secure new partnerships. The report also served as a valuable internal tool, providing a structured way for the security and IT teams to manage risk and continuously improve their security posture.
Key Learnings
Integration is Key: SOC 2 is not a one-off project but an opportunity to integrate security best practices into your company’s culture and daily operations.
Focus on the Trust Services Criteria: The Trust Services Criteria provide a clear roadmap for organizations handling sensitive data. Tailoring your security program to these principles will yield significant benefits.
Proactive, Not Reactive: By proactively demonstrating compliance through a SOC 2 audit, Liberty Assurance was able to gain a competitive advantage and avoid the business disruption and reputational damage that can result from a security incident.