Security, Reliability, and Protecting Client Data

While our products and client service are best-in-class, the backbone of our success is providing a safe and trustworthy platform to protect our clients, policyholders, and members.

Cowan leverages cloud providers that offer foundational security for our environment. These providers help us to ensure privacy, security, and compliance and have audited controls such as ISO 27001, CSA STAR, SOC 1 Type 2, SOC 2 Type 2, and SOC 3.

Above that, on an annual basis, Cowan completes a SOC 2 Type II audit and leverages high-end cloud compliance and security tools and processes to ensure our systems meet ever-evolving industry standards.

Successful completion of SOC 2 Type I Security Audit

Cowan is committed to the SOC 2 security designation, which provides extra assurance to our clients and business partners that we meet their stringent security requirements.

SOC 2 (Systems and Organization Controls) is a security standard for service organizations that certifies our company's commitment to the protection and privacy of our clients' data. The American Institute of Certified Public Accountants (AICPA) developed the SOC 2 standards, and independent AICPA-certified auditors assess companies against those standards.

www.aicpa.org/soc4so

Data Centre and Office Protections

Physical Security

  • Our products are hosted in Microsoft Azure in Canada, which maintains SOC 1 Type 2, SOC 2 Type 2, SOC 3, CSA STAR, and ISO 27001 certifications, among others. The certified protections include dedicated security staff, strictly managed physical access control, and video surveillance.
  • To protect against unauthorized access to our offices, we utilize Two-Factor Authentication (2FA) at each entry door.
  • Access to critical infrastructure within our offices is also controlled with Two-Factor Authentication.

Security Assurance

Vulnerability Assessment

We test for potential vulnerabilities on a recurring basis. We run static code analysis and infrastructure vulnerability scans.

Penetration Testing

Cowan leverages third-party penetration testing firms on an annual basis to test our systems and infrastructure.

Third Party Vendor Assessments

We regularly conduct security risk assessments of our vendors, and our platform continually monitors them for new business and cyber risks that come to light over time.

Employee Training and Testing

Cowan employees must complete annual security awareness training, and we regularly conduct simulated campaigns (e.g., phishing emails) to ensure that employees can practice what they’ve learned in the awareness training.

Frequently Asked Questions

System Reliability

Q. How does Cowan make its system reliable and resilient?

A. We build our software platform so that it is available and accessible in a variety of disaster scenarios. Every service also has a corresponding test environment where changes are deployed before they are migrated to production.

Q. Are services always available?

A. Our goal is that you can always access your account. There are times when services will be unavailable due to planned maintenance or due to a component failure. In such cases, our staff are paged as soon as the failure is detected and work to make sure the service is back up in the shortest possible time.

Q. How do we make sure outages due to component failures do not reoccur?

A. When an outage or significant failure occurs, Cowan’s primary goal is to get the service up and available to customers. After the issue has been resolved, the team that owns the affected service holds a formal review of the incident to determine the root cause of the event and to develop a list of immediate action items to make sure this event, and other events like this one, do not reoccur.

If additional details on our cloud infrastructure are needed, please contact your Cowan Account Executive.

 

Data Safety

Q. Is my data safe? 

A. Our platform uses a variety of datastores to store data and ensure data safety. Each datastore is architected using best practices for data safety and recovery. Cowan’s applications are hosted with Microsoft Azure. Data is replicated three times within the same server, and then replicated to a second data centre. If a server in one data centre fails, the processing is switched to a replica server in another regional data centre with minimal service interruptions. Cowan also maintains backups that are geo-replicated to another regional data centre.

Q. Is my data secure?

A. All communications between a web client and Cowan systems are protected using TLS 1.2 encryption with 2048-bit keys. To prevent unauthorized access, our employees use Two-Factor Authentication to access our systems. Data is encrypted at rest to help protect against unauthorized access.

 

Recoverability and Reliance

Q. Where is our data stored? 

A. Cowan’s data is primarily stored in the Azure Canada Central region. A critical subset of data is also replicated and backed up to the Azure Canada Eastern region.

Q. How do we ensure all data is backed up and can be restored in case of a disaster?

A. Our disaster recovery strategy uses a combination of snapshots of data, replication to a second region, and backups to ensure that there are multiple copies of data available to be restored. Snapshots are designed to provide a quick recovery mechanism where the recovery can happen in minutes. Full backups are used when snapshots are not available to recover the data.

Q. What does Cowan do to monitor its systems?

A. Operations and engineering teams use industry-leading tools and instrumentation of services to monitor and analyze the behavior of our platform. Metrics from services and our cloud infrastructure are fed into an alerting framework. For security monitoring, we have a 24/7 Managed Detection and Response service that has documented procedures in place to alert appropriate staff and escalate as needed.

Q. How does Cowan let its customers know and keep them updated?

A. If we find issues that might affect your ability to use our services, we will inform you right away via website postings and/or email.