SOC 2 for Insurance & Insurtech: Complete 2026 Guide

Insurance sits at an odd compliance intersection. The industry has been regulated for centuries — state departments of insurance, the NAIC Model Law, GLBA, HIPAA (for health insurers), state cybersecurity regulations like NYDFS 500 — but compared to banking, it's been slow to adopt modern attestation standards.

That's changing fast. In 2026, sophisticated insurance buyers (reinsurers, broker networks, TPAs, enterprise customers) expect SOC 2. Insurtech startups need it to close deals. Established carriers need it for their technology subsidiaries and B2B service lines. The question isn't whether, it's how to layer SOC 2 on top of an already regulated environment without creating a parallel compliance program.

This guide is for CISOs, compliance leaders, and founders at insurance carriers, insurtech startups, MGAs, TPAs, and insurance technology providers. It focuses on what's different about insurance and how to run SOC 2 efficiently alongside existing regulatory obligations.

Why SOC 2 Now

The insurance industry's SOC 2 adoption has accelerated for specific reasons:

Enterprise customer expectations. Brokers and risk managers at Fortune 500 companies won't onboard new insurance tech without SOC 2. They run the same vendor review rubric on insurance vendors that they run on everyone else.
Reinsurance capital. Sophisticated reinsurance partners expect SOC 2 from cedants' technology platforms. It's now part of standard due diligence.
Partner program requirements. Carriers now require SOC 2 from MGAs and program administrators. MGAs require it from their tech vendors.
Cyber insurance pressures. Yes, insurance companies buy cyber insurance too. Underwriters give discounts for SOC 2-certified operations.
Investor demands. Institutional investors expect SOC 2 as a signal of operational maturity at Series B and beyond.

For the foundational material this post assumes, start with the SOC 2 framework hub, the Trust Services Criteria page, the Type 1 vs Type 2 guide, and our SOC 2 for SaaS companies guide.

The Insurance Compliance Stack

Insurance already carries a heavy regulatory load. SOC 2 has to coexist with:

Framework / Regulation	Focus	Jurisdictions
NAIC Model Law	Data security, privacy	Most states (varies)
NYDFS 500	Cybersecurity	NY-licensed entities
GLBA Safeguards Rule	Nonpublic personal info protection	Federal
HIPAA	PHI (for health insurers / stop-loss)	Federal
State Insurance Commissioner examinations	Financial solvency, market conduct, IT	By state
PCI DSS	Card data (for online premium payments)	Card networks

The theme: controls overlap heavily. The same access management program satisfies NAIC Model Law, NYDFS 500, GLBA, and SOC 2. Running four separate programs is how insurance compliance teams burn out. Running one program with four attestation outputs is how they stay sane.

For the multi-framework pattern, see our control mapping guide.

Trust Services Criteria for Insurance

Every SOC 2 includes Security (Common Criteria). For insurance, the other criteria map to specific business functions:

Business Function	Recommended Criteria
Policy admin SaaS	Security + Availability + Confidentiality
Claims management platform	Security + Availability + Processing Integrity + Confidentiality
Underwriting / rating engine	Security + Availability + Processing Integrity
Agent / broker portal	Security + Availability + Confidentiality
Insurtech marketplace	Security + Availability + Privacy
Actuarial modeling platform	Security + Confidentiality + Processing Integrity
Health insurance technology	Security + Availability + Confidentiality + Privacy (or HIPAA-focused)

Processing Integrity matters more in insurance than most verticals. Your rating engine must produce accurate premiums. Your claims system must correctly calculate payouts. Sophisticated buyers will ask about Processing Integrity specifically.

Privacy is worth including for any consumer-facing product and strongly consider for health insurance where it complements HIPAA.

Insurance-Specific Data Sensitivity

Insurance handles some of the most sensitive personal data that exists:

Health information (life, disability, health, stop-loss)
Financial information (all lines — premiums, claims, banking for direct deposit)
Driving records and MVRs (auto)
Property and home details (home/renters)
Business financial data (commercial lines)
SSNs and DOBs (underwriting and claims)
Medical records (claims evaluation)

Your SOC 2 controls need to handle this data with appropriate depth. Common pitfalls:

PII in test environments. Dev and staging with real PII is a controls failure.
Over-retention. Insurance statutes sometimes require long retention but SOC 2 expects documented data lifecycle.
Loose access controls on claims. Claims adjusters often have broad access historically; modern SOC 2 expects role-scoped access with regular reviews.
Third-party data enrichment. You pull data from MIB, MVR, credit bureaus, LexisNexis. Each is a subprocessor with BAA-equivalent requirements.

Scoping for Insurance Operations

Insurance SOC 2 scope typically includes:

Policy administration system
Claims management system
Underwriting platform
Rating engine
Billing and premium collection
Agent / broker portal
Customer-facing web and mobile apps
Data warehouse with policy and claims data
Actuarial modeling environment (if insurance data flows in)
Identity and access management
Monitoring, logging, alerting
Vendor ecosystem (data enrichment, reinsurance, third-party admins)

Scoping mistakes common in insurance:

Excluding the actuarial environment because "it's analytical." If it contains customer data, it's in scope.
Ignoring legacy systems because "they're being sunset." Until they're actually decommissioned, they're in scope.
Treating agent portals as out-of-scope because agents "aren't customers." Agents are users with access to customer data. In scope.

Our SOC 2 readiness roadmap walks through scoping decisions.

Coordinating with State Insurance Commissioners

State Departments of Insurance (DOIs) conduct periodic IT and operational examinations. These are separate from SOC 2 but overlap heavily.

How to coordinate:

Share your SOC 2 report when permitted. Many DOIs accept it as evidence during IT exams.
Map control evidence once, use in multiple contexts.
Pre-emptive self-assessment against NAIC Model Law requirements reduces exam surprise.
Document NYDFS 500 compliance separately if licensed in NY; the annual certification is specific.
Prepare exam response playbooks so your team isn't reinventing the wheel each exam cycle.

A clean SOC 2 report signals to DOI examiners that your program is mature. It doesn't replace the examination, but it shortens and simplifies it.

Insurance-Specific Control Depth

Baseline SOC 2 controls need specific insurance flavoring:

Claims System Controls

Segregation of duties between claims adjustment and payment authorization
Dollar-threshold approval workflows
Audit trail for every adjustment, reserve change, and payment
Fraud detection controls integrated with claims workflow
Recorded statement storage with access controls
Data retention per state-specific statutes

Underwriting Controls

Access to underwriting data restricted by role and line of business
Audit trail for every underwriting decision
Integration of MIB, MVR, and other external data sources with documented controls
AI/ML model governance (increasingly expected by regulators)
Discrimination and fairness considerations (where applicable)

Actuarial Controls

Access to actuarial data and models tightly restricted
Version control for rating algorithms and models
Change management for rate filings
Production data use in actuarial work governed by documented policy

Agent and Broker Portal Controls

Strong authentication (MFA required)
Agent-to-customer data access scoped to assigned accounts
Agent offboarding workflow tied to licensing changes
Commission and compensation data segregated appropriately

Cost and Timeline Expectations

Insurance SOC 2 falls between SaaS and banking in cost. Expect:

Line Item	Typical Cost
SOC 2 Type II audit	$45K–$150K
Readiness assessment	$25K–$75K
Penetration testing	$20K–$60K per engagement
GRC platform	$20K–$80K annual
Internal program staffing	$150K–$400K annual
Remediation (variable)	$50K–$500K

Timeline: 10–16 months from standing start to Type II. 6–10 months for insurtechs with strong engineering foundations. 12–18 months for traditional carriers adding SOC 2 to existing programs.

Our SOC 2 cost breakdown has more detailed modeling.

Common Pitfalls in Insurance SOC 2

Running SOC 2 separately from NAIC / NYDFS / GLBA programs. Integrate or burn out.
Under-scoping actuarial and modeling environments. If they see customer data, they're in scope.
Ignoring legacy. Insurance runs on systems older than most engineers. Your SOC 2 has to address them, not pretend they don't exist.
Agent portal security shortcuts. Weak agent authentication is a perennial finding.
Third-party data enrichment governance. MIB, MVR, LexisNexis — each a subprocessor that needs vendor management treatment.
Skipping Processing Integrity. If you calculate premiums or claims payments, including this criterion strengthens your credibility.
State-by-state inconsistency. Operating under multiple state regulatory regimes requires your control environment to satisfy the strictest, not the average.
Slow incident response. Insurance breaches face state AG and DOI notification in parallel with federal requirements.

How to Get Started

If you're an insurtech early stage:

Map existing controls against SOC 2 Common Criteria
Identify required Trust Services Criteria for your business model
Address actuarial / claims / underwriting system depth before Type I
Get Type I at month 4–6
Type II observation starts immediately after
Type II delivered at month 10–14

If you're a traditional carrier adding SOC 2:

Inventory existing controls across NAIC, GLBA, NYDFS (if applicable), PCI (if applicable)
Map to SOC 2 Common Criteria
Identify gaps (usually in evidence formalization and audit-readiness, not control existence)
Build the gaps with cross-functional team including IT, legal, compliance, and operations
Select an auditor with insurance experience

FAQ

Q: Do insurance companies actually need SOC 2? A: Not by regulation, but by market expectation for any B2B operation. Consumer-only carriers have less SOC 2 pressure but may still benefit for cyber insurance discounts and partner relationships.

Q: Can we use our NYDFS 500 certification in place of SOC 2? A: No. NYDFS 500 is a regulatory certification to a state regulator. SOC 2 is an attestation report from a CPA firm, shareable under NDA with customers and partners. They serve different audiences.

Q: Does SOC 2 satisfy state DOI IT examination requirements? A: Not entirely, but it can significantly reduce exam time. Many examiners accept SOC 2 as evidence for shared control areas. Check with your state-specific examiners for their practices.

Q: How does SOC 2 work for insurance platforms serving multiple lines of business? A: Scope the whole technology platform with clear narratives for each line-of-business control variation. A single report with good control narratives is more credible than a patchwork of line-specific reports.

Q: We're a health insurer. Do we need HIPAA, SOC 2, or both? A: Both. HIPAA is a federal law you must comply with. SOC 2 is a market expectation for B2B operations. They overlap significantly in controls but serve different purposes.

Insurance is a trust industry, and SOC 2 is fast becoming the currency of trust in B2B commerce. Carriers and insurtechs that run SOC 2 well layer it on top of their existing regulatory discipline — same controls, multiple attestations. That's how you satisfy the modern market without drowning your compliance team.

For more, see the SOC 2 framework hub, Trust Services Criteria, and our insurance industry page. Ready to run multi-framework compliance on one platform? Start with episki.

SOC 2 Compliance for Insurance & Insurtech (2026)