
According to industry experts, only 13% of SaaS providers currently hold both SOC 2 (System and Organisation Controls) and ISO 27001 accreditations. Given our sector’s laser focus on handling sensitive customer data and building trust-based relationships, this statistic raises interesting questions about the current state of information security standards and supply chains across the insurance industry.
Today’s risk landscape is incredibly complex: an interconnected, international web where an incident or breach in one place can have far-reaching effects up and down the chain. Business ecosystems are particularly entangled, with multiple supplier arrangements and layers of risk that many companies struggle to assess and mitigate. It’s a cliché, but today’s businesses can only be as strong as the weakest link in their supply chain.
For insurers and carriers, particularly those relying on InsurTech partners to gather, process and manage data, this interconnectivity means that security considerations must extend beyond their own systems to encompass their entire supplier network.
Many insurers now take a much closer look at their technology partners’ security credentials, and robust information security frameworks are becoming increasingly important in vendor selection processes.
Both the SOC 2 and ISO 27001 accreditations are widely recognised as benchmarks for responsible technology providers that put data protection at the heart of innovation. Yet with relatively low take-up of these dual certifications, and information security a rising priority amongst insurers, why aren’t more InsurTechs focusing on strengthening their own link in the chain?
The trouble is that achieving dual accreditation represents a significant organisational undertaking. Beyond the significant financial investment, companies need to develop comprehensive systems, maintain detailed documentation, and demonstrate consistent security practices over extended periods. The process involves thorough auditing, where organisations must provide evidence of implemented policies and procedures.
For many start-ups and growing companies, this level of investment can feel daunting, particularly when balancing multiple urgent business priorities. The challenge isn’t necessarily about understanding the importance of information security, but rather about having the resources and organisational maturity to navigate the certification process effectively.
In the US market, questions about SOC 2 compliance have become routine in pitch processes. Many established companies now view these certifications as a fundamental requirement, using them as an efficient filter during vendor evaluation. This approach allows organisations to streamline their due diligence processes, often reducing lengthy security questionnaires to straightforward compliance checks.
Companies without these accreditations may find themselves navigating more complex procurement processes, answering detailed security questions that certified competitors can address with established documentation. This dynamic appears to be influencing how businesses approach their security investments.
In recent years, there has been a shift from disaster recovery planning to a more robust resilience mindset that incorporates not just plan B, but plans C through to Z. Companies are taking a more proactive approach to assessing and mitigating risk throughout their business and supply chain as risk moves up the corporate agenda.
Incident response planning has become more common in business. This approach provides a practical framework that allows organisations to test and document their response plans to minimise damage during a breach.
Our customers also highlight the critical importance of continuous monitoring and threat detection. Rather than waiting for a breach or other cyber problem to arise, this approach incorporates real-time monitoring and automated alerts which can detect breaches early and allow companies to take a more proactive response.
With human error still the leading cause of cyber breaches, companies must also be certain that they are training their employees to be more cyber aware, particularly as the nature of cyber crime evolves and would-be cyber criminals develop ever-more insidious ways of compromising security. But these companies should also be asking the same of their suppliers, ensuring there are documented training and awareness plans in place to keep employees up to date on the latest scams and schemes.
As cyber security challenges continue to evolve, there’s growing recognition across the insurance industry of the value that robust information security frameworks present. The emergence of trust centres, dedicated website sections where companies openly share their certifications, policies, and security practices, suggests that transparency around security standards is becoming a competitive differentiator.
The trend indicates a gradual shift toward viewing comprehensive security accreditations not just as operational necessities, but as strategic business assets that can facilitate partnerships and accelerate growth.
Companies take third-party risk management more seriously than ever, recognising that the complexity of today’s supply chains presents a real threat to their operations. Therefore, it’s vital that they vet and regularly assess their vendors to ensure they continue to meet the minimum standards of security. This includes their InsurTech partners.
For the majority of InsurTech companies currently without dual (or even single) accreditation, the landscape presents both challenges and opportunities. While the certification process requires significant investment, it also represents a pathway to enhanced credibility and potentially smoother business development processes.
The industry’s evolution toward higher security standards appears to be driven by practical business needs rather than regulatory requirements alone. As this trend continues, it will be interesting to observe how companies balance the investment required for comprehensive certification against their other strategic priorities.
By Ben Huckel, Co-founder and COO at Send. Connect with Ben on LinkedIn.