Security is at the heart of everything we do at Breathe Life. It is intertwined with our priorities and even ingrained in our purpose:

To make financial security accessible to everyone.

Over the last few years, the insurance industry has begun adopting the digital transformation already prevalent in other industries. This change has brought benefits, including granting more individuals access to insurance products, simplifying the user experience, and accelerating the insurance application process.

This digital transformation, though exciting, has also led to an increase in breaches across the industry. Last year, 1,509 cyber-attack incidents against the Financial and Insurance industry were recorded. Of these, 448 had confirmed data disclosures, with 77% of the data compromised being personal information. Even more alarming, 91% of actor motives were deemed financial.

It goes without saying that our industry has a huge target on its back due to the kinds of information it collects. Data breaches are not just a concern or another hurdle for security experts; they also affect clients, stakeholders, organizations, and businesses. It is no wonder that compliance is increasingly weighted toward information security.

So how did Breathe Life respond to all of this? It was important for us to provide assurance to organizations and stakeholders that security was not just at our heart in theory. We live and breathe it at Breathe Life. What better way to do that than with an external attestation to our practices!

And that’s how Deloitte Canada joined us as we trudged through AICPA’s System and Organization Control 2 (SOC 2) Trust Services Criteria (TSC), which address the security, availability, confidentiality, processing integrity, or privacy risks related to the use of our services. Like most companies, we started with the minimum attestation: Security, or Common Criteria. And that was certainly a delightful journey.

Interestingly, there is no such thing as a “SOC 2 certification”, but having a clean attestation report sure does feel like one. Deloitte Canada attested to the controls that are in place at Breathe Life and verified that they are designed and operated effectively over a period of time.

Moreover, we recognize that being compliant is not necessarily being secure. And we discovered that putting security first aligned us with compliance requirements. Our defense-in-depth strategy enables us to prevent, detect, and respond to threats by offsetting the weaknesses of one security layer with the strengths of other layers.

This took a lot of time! But that wasn’t it for us. We identified that we had stakeholders who needed a report:

« Designed to meet the needs of users who need assurance about the controls at a service organization relevant to security, availability, processing integrity, confidentiality, or privacy, but do not have the need for or the knowledge necessary to make effective use of a SOC 2 Report. »

So while we were at it, we obtained a SOC 3 report as well.

SOC 2 and SOC 3 reports are governed by the same AICPA standards, and the work performed by the service auditor for these two reports is very similar. A SOC 3 report typically contains a short auditor’s opinion, a management assertion, and a system description. So, unlike our SOC 2 report, this report does not have a detailed description of the controls tested, the test procedures, or the results of the test procedures.

So, let’s take a look at our purpose again:

To make financial security accessible to everyone.

Notice where ‘security’ is? That’s what I thought too… It’s right at the center. I bet you didn’t see that before. Neither did I. Whenever you request our SOC 2 report or download our SOC 3 report, you keep the heart of Breathe Life, security, ablaze. And you will have, with you, an attestation to the security behind making financial security accessible to everyone.