Safeguard
Industry Analysis

Third-party risk assessment for insurtech SaaS platforms

A practical playbook for running an insurtech third-party risk assessment across vendors, APIs, and integrations before they touch policyholder data.

Marina Petrov
Compliance Analyst
8 min read

Insurtech platforms sit at an uncomfortable intersection: they hold regulated policyholder data, they move money, and they are built almost entirely on third-party services — core policy administration systems, telematics and IoT data feeds, payment processors, KYC/AML vendors, claims automation tools, and a growing list of AI underwriting APIs. A single unreviewed vendor integration can expose PII, break state insurance compliance requirements, or hand an attacker a path straight into your claims pipeline. Yet most insurtech SaaS teams still run vendor security reviews as a one-time checkbox during procurement.

A rigorous insurtech third-party risk assessment treats vendor risk as a continuous engineering discipline, not a annual questionnaire exercise. By the end of this guide, you'll have a repeatable process for mapping your vendor ecosystem, tiering risk, running technical validation, and monitoring vendors continuously — the same workflow we help insurtech security and compliance teams operationalize at Safeguard.

Step 1: Scope Your Insurtech Third-Party Risk Assessment

Before you send a single questionnaire, build an accurate inventory of every third party touching your platform. Insurtech environments tend to undercount vendors because so many arrive as sub-processors bundled inside a primary integration (a claims vendor that quietly uses a third-party OCR service, for example).

Pull inventory from multiple sources so nothing hides in the gaps:

# Enumerate outbound integrations from your API gateway logs
grep -Eo 'https://[a-zA-Z0-9.-]+' access.log | sort -u > vendor_domains.txt

# Cross-reference against your SBOM for embedded SDKs and libraries
syft dir:. -o json | jq -r '.artifacts[].name' | sort -u > sbom_components.txt

# Pull DNS records for known SaaS integration subdomains
dig +short CNAME api.claims-vendor.com

Combine this with contract/procurement records and a survey of engineering teams. For each vendor, capture: what data flows to them (PII, PHI-adjacent health data for life/health lines, payment card data, driver telematics), what regulatory regime applies (state DOI rules, NAIC Model Law, GLBA, HIPAA if applicable), and whether they're a direct vendor or a fourth-party sub-processor.

Step 2: Tier Vendors by Risk Exposure

Not every vendor warrants the same depth of review. A marketing analytics tool and a core policy administration system are not equivalent risks. Build a simple tiering model so your team's effort scales with actual exposure — this is the backbone of any credible SaaS insurance platform risk program.

TierCriteriaReview depth
CriticalHandles PII/PHI, processes payments, or sits in the underwriting/claims decision pathFull technical + compliance review, annual penetration test evidence, continuous monitoring
HighHas API access to production systems but limited data scopeSecurity questionnaire + SOC 2 review + API-level testing
ModerateNo direct data access, internal tooling onlyLightweight questionnaire, SOC 2 Type II on file
LowNo system access, no sensitive dataSelf-attestation

Score vendors on a simple weighted formula (data sensitivity x access level x regulatory scope) so tiering decisions are defensible when auditors or regulators ask why a vendor was reviewed at a given depth.

Step 3: Run the Insurtech Vendor Security Review

For Tier 1 and Tier 2 vendors, move beyond a generic questionnaire. An insurtech vendor security review needs to verify controls that map directly to insurance-specific risk: encryption of data at rest and in transit for policyholder records, breach notification timelines that satisfy state insurance regulators (often faster than generic 72-hour SLAs), and subcontractor disclosure.

Request and independently validate:

  • SOC 2 Type II report (not just Type I) covering the last 12 months, with any exceptions and management responses
  • Penetration test summary from the last 12 months, scoped to the systems that touch your data
  • Data flow diagram showing exactly where your policyholder data lands, including backup regions and any AI/ML training pipelines
  • Sub-processor list with the vendor's own review cadence for those fourth parties
  • Incident history — ask directly whether they've had a breach or material security incident in 24 months, and how it was disclosed

Don't just collect documents — verify claims. A vendor claiming "encryption at rest" should be able to answer which KMS, what rotation policy, and whether keys are customer-managed.

Step 4: Audit Insurance API Vendor Integrations

Insurtech platforms are API-first by design, which makes the insurance API vendor audit step distinct from a typical SaaS vendor review. Every telematics feed, rating engine call, and third-party underwriting model is a live data channel that needs its own technical due diligence, separate from the paperwork review.

Test each critical API integration directly:

# Verify TLS configuration and certificate validity
openssl s_client -connect api.telematics-vendor.com:443 -tls1_2 </dev/null 2>/dev/null | openssl x509 -noout -dates -issuer

# Confirm authentication uses scoped, short-lived tokens rather than static API keys
curl -s -X POST https://api.vendor.com/oauth/token \
  -d "grant_type=client_credentials&client_id=$CLIENT_ID&client_secret=$CLIENT_SECRET" | jq '.expires_in'

# Check for overly permissive CORS or missing rate limiting on quote/claims endpoints
curl -s -I -H "Origin: https://evil.example.com" https://api.vendor.com/v1/quotes | grep -i access-control

Confirm the vendor enforces least-privilege scopes per API key (a rating engine key shouldn't also read claims records), supports mutual TLS or signed webhooks for callback data, and logs API access in a way you can pull for your own audit trail. If the vendor can't produce API-level access logs on request, that's a finding, not a formality.

Step 5: Validate Findings with Technical Testing

Documentation review catches policy gaps; technical testing catches reality gaps. Where contractually permitted, run or request:

# Dependency and vulnerability scan against any vendor-provided SDK
grype sbom:sbom_components.txt --fail-on high

# Confirm webhook endpoints validate signatures before processing
curl -s -X POST https://your-webhook-endpoint.com/vendor-callback \
  -H "X-Signature: invalid" -d '{"test":"payload"}' -w "%{http_code}"

For Tier 1 vendors, request evidence of their own SAST/DAST program and, where the relationship justifies it, negotiate a right-to-audit clause covering annual technical assessment. This is often the point where insurtech teams discover a vendor's "SOC 2 compliant" claim covers a different product tier than the one they're actually using.

Step 6: Establish Continuous Monitoring and a Reassessment Cadence

A point-in-time assessment expires the moment a vendor ships a new feature, rotates infrastructure, or gets acquired. Build reassessment into your calendar and tooling rather than relying on memory:

# reassessment-schedule.yml
critical_vendors:
  cadence: quarterly
  triggers: [soc2_expiry, breach_disclosure, subprocessor_change]
high_vendors:
  cadence: semi-annual
  triggers: [soc2_expiry, api_deprecation_notice]
moderate_vendors:
  cadence: annual

Pair scheduled reassessment with passive monitoring: subscribe to vendor status pages and security advisories, monitor for the vendor's domain appearing in breach databases, and track SSL certificate expiry and DNS changes automatically so a silently rotated integration doesn't slip past review.

Troubleshooting and Verification

"The vendor's SOC 2 report doesn't cover the product we actually use." This is common with insurtech platform vendors that white-label multiple product lines under one brand. Always confirm the report's system description explicitly names the product, environment, and region you're integrating with — request a bridge letter if the report window has lapsed.

"API testing shows different behavior than the vendor's documentation." Treat documentation as a hypothesis, not ground truth. Re-run your TLS, auth, and rate-limit checks against the actual production endpoint your integration hits, not a sandbox — sandbox environments frequently have looser controls that mask real exposure.

"We can't tell if a control finding is actually remediated." Require vendors to provide re-test evidence (a new scan output, a screenshot of a config change, an updated policy document with an effective date) rather than a verbal confirmation. Log remediation SLAs per finding and track them the same way you'd track an internal ticket.

"Our vendor list keeps growing faster than we can review it." This is the clearest sign a manual, spreadsheet-driven insurtech third-party risk assessment process has hit its ceiling. At that point, tiering and automated evidence collection stop being optional.

How Safeguard Helps

Safeguard was built for exactly this problem: giving software supply chain and platform teams continuous visibility into the third-party components, APIs, and vendors their applications actually depend on — not just the ones listed in a spreadsheet from last year's procurement cycle.

For insurtech SaaS platforms specifically, Safeguard helps you:

  • Automatically discover vendor and API dependencies from your SBOMs, runtime traffic, and CI/CD pipelines, so your insurtech vendor security review starts from a complete inventory instead of a best guess
  • Continuously monitor vendor SOC 2 status, CVE exposure, and breach disclosures, feeding directly into your risk tiering rather than requiring manual re-checks
  • Track API-level integration risk, flagging insurance API vendor audit gaps like expired certificates, overly broad OAuth scopes, or newly introduced sub-processors before they become incident-response problems
  • Generate audit-ready evidence trails that map to NAIC and state DOI expectations, so when a regulator or enterprise customer asks how you assess SaaS insurance platform risk, you have a documented, continuously updated answer rather than a one-time report

Third-party risk in insurtech isn't a compliance artifact you produce once a year — it's an operational surface that changes every time a vendor ships code. Treating it that way, with the workflow above and the right tooling behind it, is what separates a review that satisfies an auditor from one that actually catches the next incident before it happens.

Never miss an update

Weekly insights on software supply chain security, delivered to your inbox.