
Third-party service providers

Providing the best service, safely

We work in partnership with a number of leading third-party service providers to manage our Information Technology (IT) systems, cloud services, hosting, auditing, analytics, software development, system integration, managed services, payment processing, and other software and hardware products.

Vetting third-party service providers

When working with third-party service providers we take full responsibility for the security of information and applications. Prior to working with us, every company goes through a thorough vetting process. They must comply with applicable laws and we prefer they maintain certification to an international standard. They’re then reassessed periodically against industry standards to ensure the appropriate controls are in place to maintain the security of their services.

When working with third parties, we sometimes share customer information; however, this is only for the purposes set out in our Member Privacy Statement.


  • Glossary

    Control uplift
    Increasing the maturity and effectiveness of a security control.

    IT risk
    The possibility that an IT system has a breach or other failure that leads to data loss, data integrity issues, or unavailability. Risk is quantified in terms of likelihood and consequence. Most organisations have a ‘risk appetite’, which is the level of risk the organisation is prepared to accept. High likelihood and high consequence risks are never accepted, while low likelihood and low consequence risks may be completely acceptable unless they are easy to address.

    IT systems
    IT services and applications that support a set of business processes, and store and manage information.

    Penetration testing
    An intensive testing process where an expert in security testing (or “hacking”) techniques attempts to breach an IT system. This helps identify vulnerabilities that can be addressed before a malicious person finds them.

    Personal Identifiable Information (PII)
    Information about an identifiable individual, such as a member, employee, provider or adviser, governed by New Zealand’s privacy laws and (where it contains health information) the Health Information Privacy Code.

    Security control
    A safeguard or measure that we’ve implemented to avoid, detect or minimise security risks to data, business applications, systems or physical property.

    Third-party provider
    An external partner, vendor, consultant, or an independent contractor that provides specialised products, services and other expertise to Southern Cross.

Third-party services we currently use


Software-as-a-Service (SaaS) cloud: We use web-based applications (such as Office 365) that are fully managed by the relevant vendor. By working with industry giants like AWS and Microsoft, we can access a number of services that are more secure, efficient and economical than if we tried to deliver those services ourselves.

Infrastructure-as-a-Service (IaaS) cloud and data centres: We rely on IaaS and data centre services to host our IT systems including insurance, business systems and IT infrastructure. These are located in New Zealand or Australia, and we work with two tech industry leaders - Amazon Web Services (AWS) and Microsoft Azure IaaS cloud services.

Analytics and reporting: We call on third-party expertise in research, analytics, and reporting where the scale or skills are not viable in-house.

System integration: Although we have a fantastic IT team, there are times we need to call on someone with specialised skills. In those instances, third-party service providers play an important role in helping us implement and integrate IT systems.

Software development: Southern Cross operate several “bespoke” IT systems that are specific to insurance products and services. With our team of in-house software developers and the external developers we hire for their specialised skills, we aim to develop customised business applications that are secure against external threats and deliver a greater user experience.

Managed services: We partner with external providers to manage our IT systems. They supplement our internal digital operations team, provide product expertise, and optimise business performance by reducing costs.

Payments: We use a third-party payment gateway service to securely process payment transactions. We don’t save or hold any record of credit card information in Southern Cross’ IT systems; however, we may hold some billing details for specific purposes, for example, issuing refunds.

Software and hardware products: We purchase our software and hardware products from reputable and well-managed vendors.


How we assess and approve providers and their services


What we expect as standard

  • They need to have a strong reputation within their industry.
  • We prefer they possess and maintain certification to an international standard such as ISO 27001 or NIST SP 800-53.
  • Data centres and IaaS cloud services must be independently certified to the industry standard SOC 2.
  • We prefer that third-party providers and services are located in New Zealand or Australia. Some innovative cloud services are not available in New Zealand but can be accessed in Australia, and they have a similar regulatory environment to New Zealand.

How we assess

  • We assess third-party providers and their services against appropriate security controls. For more details on these, visit Security systems and information.
  • We ensure that agreements with third-party service providers include security provisions to protect confidential and sensitive information and business applications.
  • All third-party service providers are reassessed periodically against industry standards to ensure appropriate controls are in place to maintain the security of their services.

How we approve

  • Third-party service providers are approved by our Information Security Management Team before the service is used by us.
