SRS has managed captives and other insurance vehicles for more than 25 years, and in that time, we’ve defined and operationalized the services a high-performing insurance company manager should provide to every client, no matter the size. Every decision we make is based on client needs and how best to serve them.
Rigorous Internal Controls and Compliance.
What makes a good captive manager? What does good service look like in the captive management industry? These aren’t easy questions to answer because “captive management” is not a well-defined service. Contracts tend to be long-term or evergreen, with little movement between managers. This means that an owner’s only frame of reference may be their experience with how the incumbent manager operates.
What should owners expect?
Your insurance company manager should be able to demonstrate it has a rigorous set of internal controls and compliance practices.
Right to the point. Prove it.
How do you know your potential insurance company manager has the internal controls and compliance practices in place to deliver consistent, reliable, high-quality service? Ask them to provide evidence of their commitment. Here’s where it gets a little tricky, though. How do you know that the processes they have in place are appropriate and effective? The truth is you don’t unless the evidence they provide follows a recognized standard.
Enter SSAE 18 / ISAE 3402 and why it matters
SRS is the first captive manager to make a global commitment to achieving the SSAE 18 / ISAE 3402 certification (Statement on Standards for Attestation Engagements No. 18), which is designed to evaluate and report on the controls and processes delivered by service organizations. It demonstrates that the company is capable of mitigating risks and protecting the interests of its clients.
SSAE 18 / ISAE 3402 is not specific to the insurance industry. It’s the standard for reporting on internal controls at companies providing outsourced services that affect another company’s financial statements. For those selecting an insurance company management firm, the certification provides evidence that the service provider has met stringent control standards and adheres to best practices. Critical components of the audit process include:
- Compliance and risk management
- Data security and confidentiality
- Operational efficiency and reliability
- Due diligence, risk analysis and risk mitigation
What it means for YOU
- It verifies that the company has implemented effective controls to safeguard data, manage risks, and maintain the integrity of its operations.
- It demonstrates that appropriate controls are in place to comply with regulatory requirements and that the company is committed to, and capable of, mitigating risks and protecting the interests of its clients.
- It proves that the service provider has implemented robust measures to protect sensitive information and maintain the confidentiality of client data. This is crucial in an era where data breaches and cyber threats are very real concerns.
- It helps the provider identify areas for improvement, streamline processes, and enhance operational efficiency.
Data Privacy: Controls are Critical!
Protecting and maintaining the privacy of data is critical for all businesses today, but the insurance industry runs on data and lots of it. Depending on the type of captive, Personally Identifiable Information (PII) and Personal Health Information (PHI) may be needed for its operation.
The captive manager and anyone involved in receiving PII and PHI related to the captive must have the appropriate controls in place to protect the privacy of that data. The controls must comply with applicable data privacy regulations and protect against liability for the captive.
How do you know that your captive manager has the appropriate controls in place? Ask your captive manager if they are following industry standards, such as NIST (National Institute of Standards and Technology) and/or ISO (International Organization for Standardization). If your captive is in a domicile that requires the captive insurance manager to have a Cybersecurity Framework, request a copy.