Providing the best service, safely

We work in partnership with a number of leading third-party service providers to manage our Information Technology (IT) systems, cloud services, hosting, auditing, analytics, software development, system integration, managed services, payment processing, and other software and hardware products.
 

Vetting third-party service providers

When working with third-party service providers we take full responsibility for the security of information and applications. Prior to working with us, every company goes through a thorough vetting process. They must comply with applicable laws and we prefer they maintain certification to an international standard. They’re then reassessed periodically against industry standards to ensure the appropriate controls are in place to maintain the security of their services.

When working with third parties, we sometimes share customer information; however, this is only for the purposes set out in our Member Privacy Statement.
 


Cloud: an outsourcing model that allows an organisation to use IT systems that are delivered over the Internet, rather than being physically housed within their building. Depending on the type of cloud service, the third-party service provider will perform some or all of the security activities required to deliver the IT system and keep it secure.

Data centre: a facility located either on-premises or in the cloud that’s used to host IT systems and store a large amount of data securely.

Data sovereignty: when data is physically stored outside of the country and is subject to the laws of the country in which it is located.

Host: also known as a ‘network host’, a computer or device connected to other devices over a network.

Infrastructure-as-a-Service (IaaS): a service that provides an organisation with access to networking resources, computer hardware and data storage space through a virtual data centre. For example, Amazon Web Services and Microsoft Azure.

ISO 27001 certification: an internationally recognised standard published by the International Standardisation Organisation (ISO) that provides a framework to implement security management within an organisation.

NIST SP 800-53: National Institute of Standards and Technology (NIST) special publication 800-53 provides security and privacy controls for information systems.

Security control: a safeguard or measure that is implemented to avoid, detect or minimise security risks to data, business applications, systems or physical property.

Service Organisation Control 2 (SOC 2) certification: a data security audit that’s performed by an auditor to ensure a service provider has strict security policies and procedures in place to protect confidential data.

Software-as-a-Service (SaaS): web applications or servers that are provided over the Internet by a third-party service provider. For example, Microsoft Office 365.

Third-party service provider: an external partner, vendor, consultant, or an independent contractor that provides specialised products, services and other expertise to Southern Cross.

Third-party services we currently use


Software-as-a-Service (SaaS) cloud: We use web-based applications (such as Office 365) that are fully managed by the relevant vendor. By working with industry giants like AWS and Microsoft, we can access a number of services that are more secure, efficient and economical than if we tried to deliver those services ourselves.

Infrastructure-as-a-Service (IaaS) cloud and data centres: We rely on IaaS and data centre services to host our IT systems including insurance, business systems and IT infrastructure. These are located in New Zealand or Australia, and we work with two tech industry leaders - Amazon Web Services (AWS) and Microsoft Azure IaaS cloud services.

Analytics and reporting: We call on third-party expertise in research, analytics, and reporting where the scale or skills are not viable in-house.

System integration: Although we have a fantastic IT team, there are times we need to call on someone with specialised skills. In those instances, third-party service providers play an important role in helping us implement and integrate IT systems.

Software development: Southern Cross operate several “bespoke” IT systems that are specific to insurance products and services. With our team of in-house software developers and the external developers we hire for their specialised skills, we aim to develop customised business applications that are secure against external threats and deliver a greater user experience.

Managed services: We partner with external providers to manage our IT systems. They supplement our internal digital operations team, provide product expertise, and optimise business performance by reducing costs.

Payments: We use a third-party payment gateway service to securely process payment transactions. We don’t save or hold any record of credit card information in Southern Cross’ IT systems; however, we may hold some billing details for specific purposes, for example, issuing refunds.

Software and hardware products: We purchase our software and hardware products from reputable and well-managed vendors.


How we assess and approve providers and their services



What we expect as standard

  • They need to have a strong reputation within their industry.
  • We prefer they possess and maintain certification to an international standard such as ISO 27001 or NIST SP 800-53.
  • Data centres and IaaS cloud services must be independently certified to the industry standard SOC 2.
  • We prefer that third-party providers and services are located in New Zealand or Australia. Some innovative cloud services are not available in New Zealand but can be accessed in Australia, which has a similar regulatory environment to New Zealand.

How we assess

  • We assess third-party providers and their services against appropriate security controls. For more details on these, visit Security systems and information.
  • We ensure that agreements with third-party service providers include security provisions to protect confidential and sensitive information and business applications.
  • All third-party service providers are reassessed periodically against industry standards to ensure appropriate controls are in place to maintain the security of their services.

How we approve

  • Third-party service providers are approved by our Information Security Management Team before the service is used by us.
               

 


Related information

  • Security compliance
  • Security assurance
  • Security controls


