Insurance
Security evidence for the insurance industry
Insurers, brokers, and underwriters operate under APRA prudential standards that demand provable information security. At the same time, AI is entering claims processing, underwriting, and customer communications faster than governance can keep up. APEXLyn provides the compliance evidence and AI governance the insurance industry needs, for your own organization and for the organizations you insure.
Insurance operates on two sides of the evidence problem
On one side, insurers are regulated entities. APRA CPS 234 requires information security capabilities that are maintained and aligned to the size and extent of threats. APRA expects evidence, not assertions. Board reporting requires defensible posture statements.
On the other side, insurers are underwriting cyber risk for their customers. Current underwriting relies heavily on self-assessment questionnaires, the insured ticks boxes, nobody independently verifies the answers, and when a claim arrives, the insurer discovers that the MFA they were told was enabled was never actually configured.
APEXLyn addresses both sides. Attest provides compliance evidence for the insurer’s own APRA obligations. And Attest provides independently verifiable evidence that can transform how insurers assess the security posture of prospective and existing insureds.
Attest for your own compliance
Attest collects security evidence from your own systems automatically and maps it to APRA CPS 234, Essential Eight, ISO 27001, and other relevant frameworks. Evidence is locked in tamper-proof storage and reports are generated with chain-of-custody statements, governance attestation records, and independent verification capability.
APRA CPS 234 requires regulated entities to maintain information security capabilities commensurate with the size and extent of threats to their information assets. Attest maps your technical evidence to CPS 234 requirement areas including:
Attest generates reports suitable for APRA regulatory purposes, board reporting, and internal audit review. Reports include plain-English executive summaries, risk scorecards, and technical evidence appendices, satisfying both board-level and technical audiences from the same evidence base.
Where CPS 234 requirements depend on governance documentation, policies, or board attestations not automatically collected through technical connectors, Attest surfaces these honestly as insufficient evidence rather than inferring a pass.
Attest for cyber underwriting, a different class of evidence
Current cyber insurance underwriting relies on self-assessment. The prospective insured fills in a questionnaire. The underwriter takes their word for it. When a claim arrives, the gap between the questionnaire answers and reality is often significant.
Attest changes this dynamic. Instead of asking "do you have MFA enabled?" and accepting a checkbox answer, Attest provides cryptographic proof that MFA was enabled on specific systems, on specific devices, at specific times, with an unbroken evidence chain that the underwriter can independently verify.
Every Attest report includes:
- An assertion statement describing exactly what was assessed
- A non-assertion statement describing what was not
- A chain-of-custody statement
- Cryptographic hash proof for every piece of evidence referenced
- Independent verification via QR code or verification endpoint
An underwriter receiving a Attest report does not need to trust APEXLyn’s claims. They verify the mathematics. The report either matches the evidence ledger or it does not. There is no ambiguity. If your organization is interested in how Attest evidence could integrate with your underwriting workflow, we would welcome a conversation.
Talk to us about Attest for underwritingTrace, AI governance for insurance operations
AI is entering claims processing, underwriting automation, customer correspondence, and policy analysis. Trace monitors how AI tools are used across your organization, applies your governance policies automatically, and records every governed interaction as forensic-grade evidence.
If a claims handler pastes policyholder data into an unsanctioned AI tool, Trace enforces your rules, block, warn, redact, or record. If an automated underwriting pipeline calls an AI API with sensitive customer data, Trace governs the interaction even though no human initiated it through a browser.
Trace integrates with your existing security infrastructure, SIEM, XDR, SASE, ITSM, and adds the AI governance layer on top.
Frameworks relevant to insurance
APRA CPS 234
Information security requirements for APRA-regulated entities
Essential Eight (L1–L3)
Cybersecurity maturity, relevant for own posture and insured assessment
ISO/IEC 27001:2022
Information security management standard
Privacy Act & all 13
APPs
Privacy obligations for policyholder and claimant data
NIST CSF 2.0
Cybersecurity framework for international operations
Explore Solutions
Discover security and compliance solution patterns designed for your operational environment.
Explore APEXLyn
Explore our core assurance platforms, standard pricing guides, and technical specifications.
Evidence for both sides of the insurance equation
Whether you need APRA CPS 234 evidence for your own compliance, independently verifiable evidence from your insureds, or AI governance across your claims and underwriting operations — APEXLyn provides the proof.