This message was posted by a user wishing to remain anonymous
For those who track insurance companies in their TPRM program, what types of documentation do you obtain from insurance companies based outside the US? Obviously, for privacy one would want a copy of their privacy policy/notice and DPA. But for security, do you normally ask for just evidence of penetration and vulnerability testing? We're finding that these companies do not have SOC2s. Nor do they have a pre-completed SIG Lite questionnaire which they can provide.