How to Pass a Carrier IT Security Audit as a Pet Insurance MGA
Your carrier will audit your IT security. It's not a question of if, but when. Carriers need to verify that the MGA handling their policyholders' data has adequate security controls. A failed audit can delay your launch, strain the carrier relationship, or in severe cases, trigger agreement termination. Here's how to prepare and pass.
What Do Carriers Examine in an IT Security Audit?
Carriers examine your IT security across approximately eleven areas, with data encryption, access controls, vulnerability management, and incident response carrying the most weight. They verify that your controls are not only documented but actually functioning and enforced in practice.
1. Common Audit Areas
| Audit Area | What They Check | Weight |
|---|---|---|
| Data encryption | Encryption at rest and in transit | Critical |
| Access controls | MFA, RBAC, least privilege, access reviews | Critical |
| Vulnerability management | Scanning, patching, penetration testing | Critical |
| Incident response | Documented plan, tested, breach notification | Critical |
| Business continuity/DR | Backup, recovery, tested DR plan | High |
| Vendor management | Third-party security assessments | High |
| Employee security | Training, background checks, termination | High |
| Network security | Firewalls, segmentation, monitoring | High |
| Application security | Secure development, code review, WAF | Medium |
| Physical security | Office security, device management | Medium |
| Compliance | SOC 2, NAIC model law, privacy regulations | High |
2. Audit Types
| Type | Scope | Duration | Frequency |
|---|---|---|---|
| Pre-appointment audit | Full IT review before MGA agreement | 2–4 weeks | Once |
| Annual IT audit | Comprehensive review | 1–2 weeks | Annual |
| Targeted audit | Specific area (post-incident) | 3–5 days | As needed |
| SOC 2 review | Review your SOC 2 report | 1–2 days | Annual |
| Questionnaire-based | Security questionnaire (SIG, CAIQ) | Self-assessment | Annual+ |
How Should You Prepare for the Audit?
You should follow a structured 90-day preparation timeline that begins with obtaining or renewing your SOC 2 report, progresses through internal assessments and remediation of critical findings, and concludes with a mock audit and final evidence package review.
1. 90-Day Preparation Timeline
| Days Before | Action | Priority |
|---|---|---|
| D-90 | Obtain or renew SOC 2 report | Critical |
| D-80 | Complete internal security assessment | Critical |
| D-70 | Remediate critical findings | Critical |
| D-60 | Document all policies and procedures | High |
| D-50 | Compile evidence binder | High |
| D-40 | Run vulnerability scans, remediate | High |
| D-30 | Test DR plan and document results | High |
| D-20 | Conduct mock audit with team | High |
| D-14 | Prepare audit logistics and access | Medium |
| D-7 | Final review of evidence package | Medium |
| D-0 | Audit day — confident and prepared | — |
2. The Evidence Binder
| Category | Documents Needed |
|---|---|
| Policies | Information security policy, acceptable use, data classification |
| SOC 2 | Current SOC 2 Type II report (or Type I) |
| Access controls | Access control policy, MFA enforcement evidence, access review logs |
| Encryption | Encryption configuration, TLS certificates, database encryption settings |
| Vulnerability management | Latest scan results, patch management records, pentest report |
| Incident response | IR plan, test results, any incident reports |
| DR/BCP | DR plan, backup configuration, test results |
| Vendor management | Vendor security assessments, DPAs |
| Training | Training records, completion rates, phishing test results |
| Network | Network diagram, firewall rules, segmentation evidence |
| HR | Background check policy, termination checklist |
What Security Controls Are Required to Pass?
The security controls required to pass a carrier IT audit fall into three tiers: critical controls that you must pass (encryption, MFA, vulnerability scanning, patching, backups, and incident response), high-priority controls (RBAC, penetration testing, security training), and medium-priority controls (DLP, SIEM, change management).
1. Critical Controls (Must Pass)
| Control | Requirement | Evidence |
|---|---|---|
| Encryption at rest | AES-256 on all databases and storage | Configuration screenshots |
| Encryption in transit | TLS 1.2+ on all connections | SSL Labs test results |
| MFA enforcement | MFA on all user accounts and admin access | MFA configuration, enrollment stats |
| Access logging | All system access logged | CloudTrail/audit log configuration |
| Vulnerability scanning | Regular automated scanning | Latest scan reports |
| Patch management | Critical patches within 30 days | Patch log with dates |
| Backup verification | Backups tested and verified | Restore test records |
| Incident response plan | Documented and tested | Plan document + test records |
2. High Priority Controls
| Control | Requirement | Evidence |
|---|---|---|
| RBAC implemented | Role-based access across all systems | Role definitions, user-role mapping |
| Access reviews | Quarterly review of all access | Review records with sign-off |
| Penetration testing | Annual third-party pentest | Report from qualified firm |
| Security training | Annual training for all employees | Completion records |
| Vendor assessments | Security review of critical vendors | Assessment records, SOC 2 reports |
| Network segmentation | Database not on public network | Network diagram |
| Endpoint protection | EDR/antivirus on all devices | Deployment report |
| Password policy | Minimum complexity and rotation | Policy + enforcement config |
3. Medium Priority Controls
| Control | Requirement | Evidence |
|---|---|---|
| DLP (Data Loss Prevention) | Monitor for data exfiltration | DLP configuration |
| SIEM/monitoring | Centralized security monitoring | SIEM dashboard/config |
| Change management | Documented change process | Change records |
| Code review | Security review of code changes | Code review records |
| WAF | Web application firewall | WAF configuration |
What Are the Most Common IT Audit Findings?
The most common IT audit findings involve MFA not being fully enforced, outdated patches, lack of access reviews, and incomplete incident response plans. These are also the easiest to prevent with disciplined processes and compliance automation tooling.
1. What Fails Most Often
| Finding | Frequency | Remediation |
|---|---|---|
| MFA not fully enforced | Very Common | Enable MFA on ALL accounts (no exceptions) |
| Outdated patches | Common | Implement 30-day critical patch cycle |
| No access reviews | Common | Implement quarterly access reviews |
| Incomplete IR plan | Common | Document and test IR plan |
| Vendor security gaps | Common | Assess all critical vendors |
| Missing security training | Common | Implement annual + new hire training |
| Weak password policy | Moderate | Enforce complexity + MFA |
| No pentest results | Moderate | Conduct annual pentest |
| DR plan not tested | Moderate | Quarterly DR drills |
| Incomplete logging | Moderate | Enable logging on all systems |
2. How to Handle Findings
| Finding Severity | Expected Timeline | Carrier Expectation |
|---|---|---|
| Critical | 30 days or immediate | May require daily updates |
| High | 60 days | Regular progress updates |
| Medium | 90 days | Resolution at next audit |
| Low | Next audit cycle | Address when feasible |
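As an added example (not part of the original guide), a small pre-audit self-check that applies three thresholds stated in the control tables above (MFA on all accounts, critical patches within 30 days, quarterly access reviews) to sample evidence and stamps each failed control with the remediation window from the findings table. The record shapes and the sample data are assumptions constructed for the example.

```python
from datetime import date, timedelta

# Thresholds come from this page's control tables; the record shapes are assumptions.
CRITICAL_PATCH_SLA_DAYS = 30      # "Critical patches within 30 days"
ACCESS_REVIEW_MAX_AGE_DAYS = 92   # "Quarterly review of all access"
REMEDIATION_DAYS = {"Critical": 30, "High": 60, "Medium": 90}  # expected timelines

def check_mfa(accounts):
    """Critical: MFA on ALL accounts, service accounts included."""
    missing = sorted(a["user"] for a in accounts if not a["mfa"])
    return {"control": "MFA enforcement", "severity": "Critical",
            "passed": not missing, "detail": missing}

def check_patching(patches, today):
    """Critical: each critical patch applied within 30 days; still open past deadline counts as late."""
    late = []
    for p in patches:
        if p["severity"] != "critical":
            continue
        deadline = p["released"] + timedelta(days=CRITICAL_PATCH_SLA_DAYS)
        effective = p["applied"] if p["applied"] is not None else today
        if effective > deadline:
            late.append(p["id"])
    return {"control": "Patch management", "severity": "Critical",
            "passed": not late, "detail": late}

def check_access_reviews(last_review, today):
    """High: a signed-off access review within the last quarter."""
    overdue = last_review is None or (today - last_review).days > ACCESS_REVIEW_MAX_AGE_DAYS
    return {"control": "Access reviews", "severity": "High",
            "passed": not overdue, "detail": [] if not overdue else [str(last_review)]}

def audit_self_check(accounts, patches, last_review, today):
    """Collect failed controls and stamp each with its remediation deadline."""
    results = [check_mfa(accounts), check_patching(patches, today),
               check_access_reviews(last_review, today)]
    findings = [r for r in results if not r["passed"]]
    for f in findings:
        f["remediate_by"] = today + timedelta(days=REMEDIATION_DAYS[f["severity"]])
    return findings

# Constructed sample evidence, not real data.
TODAY = date(2024, 6, 1)
ACCOUNTS = [{"user": "alice", "mfa": True}, {"user": "bob", "mfa": True},
            {"user": "svc-reporting", "mfa": False}]
PATCHES = [{"id": "P-1", "severity": "critical", "released": date(2024, 4, 1), "applied": date(2024, 4, 20)},
           {"id": "P-2", "severity": "critical", "released": date(2024, 4, 15), "applied": None},
           {"id": "P-3", "severity": "low", "released": date(2024, 1, 1), "applied": None}]
LAST_ACCESS_REVIEW = date(2024, 2, 1)
```

On the sample data, `audit_self_check(ACCOUNTS, PATCHES, LAST_ACCESS_REVIEW, TODAY)` returns three findings: the service account without MFA and the open critical patch (both Critical, due in 30 days) and the overdue access review (High, due in 60 days).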
For cybersecurity requirements and disaster recovery, see our detailed guides.
How Do You Prepare for SOC 2 Certification?
SOC 2 preparation involves a gap assessment against SOC 2 trust criteria, remediation of missing controls, selection of an audit firm, and then operating your controls for a 6–12 month observation period before the Type II audit. The process typically takes 8–14 months from start to completed report.
1. SOC 2 Overview
| Element | Details |
|---|---|
| Purpose | Independent verification of security controls |
| Type I | Point-in-time assessment (faster, less valuable) |
| Type II | Assessment over 6–12 months (preferred by carriers) |
| Cost | $15K–$50K for audit |
| Timeline | Type I: 2–3 months. Type II: 6–12 months |
| Trust criteria | Security, Availability, Processing Integrity, Confidentiality, Privacy |
2. SOC 2 Readiness Steps
| Step | Action | Timeline |
|---|---|---|
| 1 | Gap assessment against SOC 2 criteria | 2 weeks |
| 2 | Remediate gaps (implement missing controls) | 1–3 months |
| 3 | Select audit firm | 2 weeks |
| 4 | Type I audit (optional starting point) | 1–2 months |
| 5 | Operate controls for observation period | 6–12 months |
| 6 | Type II audit | 1–2 months |
| 7 | Receive report, share with carrier | Ongoing |
3. Tools That Simplify SOC 2
| Tool | Purpose | Annual Cost |
|---|---|---|
| Vanta | Automated compliance monitoring | $5K–$15K/year |
| Drata | Compliance automation platform | $5K–$12K/year |
| Secureframe | Compliance management | $5K–$10K/year |
| Tugboat Logic | SOC 2 management | $3K–$8K/year |
These tools automate evidence collection and continuous monitoring, which makes them worth the investment.
What Are the Best Audit Day Tips?
The best audit day practices include having all evidence organized and accessible, assigning a single point of contact for auditors, being honest about any known gaps and your remediation plans, and providing system access promptly. Never fabricate evidence, restrict auditor access, or argue with findings during the audit itself.
1. Do
| Action | Why |
|---|---|
| Have evidence organized and accessible | Shows preparedness and professionalism |
| Assign a single point of contact for auditors | Consistent communication |
| Be honest about gaps and remediation plans | Auditors respect transparency |
| Provide access to systems promptly | Delays signal problems |
| Take notes on all findings | Accurate remediation planning |
| Ask questions if requirements are unclear | Better to clarify than assume |
2. Don't
| Action | Why |
|---|---|
| Don't fabricate or backdate evidence | Fraudulent - immediate termination risk |
| Don't restrict auditor access | Creates suspicion |
| Don't argue with findings during audit | Address in remediation, not during audit |
| Don't provide more than asked | May open additional investigation |
| Don't rush | Careful responses are better than quick ones |
Frequently Asked Questions
1. What does a carrier IT audit cover?
Encryption, access controls, vulnerability management, incident response, DR, vendor management, employee security, and SOC 2 compliance.
2. How do you prepare?
Start 90 days before. Get SOC 2, document policies, run vulnerability scans, test DR, compile evidence, and conduct mock audit.
3. Do you need SOC 2?
Strongly recommended. Most carriers expect it. SOC 2 Type II shortens carrier audits and builds trust. Without it, carriers audit more extensively.
4. What if you fail?
You get a remediation plan (30–90 days). Most carriers work with you. Repeated failure or refusal can lead to agreement termination.
5. How much does SOC 2 cost?
The audit itself costs $15K–$50K. Compliance automation tools add $3K–$15K per year. Total first-year investment is typically $20K–$65K.
6. What are the most common IT audit failures?
MFA not fully enforced, outdated patches, no access reviews, incomplete IR plans, vendor security gaps, and missing training records.
7. How often do carriers conduct IT audits?
Annually as part of the comprehensive MGA review. Pre-appointment audits occur once before the agreement. Targeted audits happen as needed after incidents.
8. What compliance tools help with IT audits?
Vanta, Drata, Secureframe, and Tugboat Logic automate evidence collection and continuous monitoring, significantly reducing preparation effort and time.