Suppliers Attestation

If you have not complied with your requirements then have these incidents been registered or reported incidents and breaches in your incident / breach register and to SCC?

Have you complied with your requirements under<br>- the Insurance Contact Act 1984 (Cth),<br>- the Corporations Act 2001 (Cth), and<br>- all financial services laws defined by the Corporations Act 2001 (Cth)?

Do you have documented claims processes and policies that are compliant with General Insurance Code of Practice (GICoP)?

Do you have current procedure manuals?

Have you complied with your make-safe authority?

Do you have controls in place to capture the failure of any systems, processes, or controls?

Do you have systems and processes in place to monitor, measure and detect whether your employees are complying with the standards under GICoP in the provision of their relevant services?<br>This includes,<br>- ensuring employees are adequately trained,<br>- ensuring employees are experienced, and<br>- ensuring that relevant professional licenses are current?<br>

Do you have an effective file quality review process / quality assurance program?

Do you have a current policy and procedure relating to fraud and anti-money laundering prevention?

If you have identified any customers experiencing vulnerability (CEV) have you followed your documented processes for managing these customers?

Do you have a process and controls in place to monitor your handling of complaints?

If applicable in the attestable quarter, have you successfully submitted your IDR complaints data to ASIC?

In the attestable period did you consider entering into an outsourcing contract?<br>The definition is as follows:<br>'Outsourcing is an arrangement under which a Provider will perform on a continuing basis a Function or Service that currently is, or could be, undertaken by the agency itself. Such services could include claims, underwriting and offshoring data.'

Is your Australian Financial Services (AFS) Licence current?

Has your AFS Licence been restricted by Australian Securities and Investments Commission (ASIC)?

Have you reported any incidents/breaches against your AFS Licence to ASIC for the Attested Period?

Have you met all of your regulatory and legislative obligations in respect of your AFS Licence?<br>

Have you lodged company accounts with the Regulator (ASIC/FSPR) over the last twelve months?<br>- ASIC FS70 Australian Financial Services Licensee Profit and Loss Statement and Balance Sheet<br>- ASIC FS71 Auditor’s Report for AFS Licensee

Do you have systems in place to identify, report, manage and monitor conflicts of interest?

Have you met your legal and regulatory obligations for record retention and disposal for this quarter?

Have there been any changes to your agency ownership structure?

Have you maintained an information security framework and complied with the related provisions of the your contract with SCC?

Has your Information Security Controls Framework been reviewed in the last 12 months?

Have you aware of a material weakness in any of your information security controls in the last year?

Have you complied with your Information Security Controls testing program?

If you became aware of a critical cyber security incident in the last period did you notify the Australian Cyber Security Centre within 12 hours?

When was the last time you completed a User Access Review (UAR) to ensure that <br>- new users,<br>- terminated users, and<br>- changes to existing users<br>are appropriately provisioned?

Do you use access profiling to ensure the appropriate segregation of duties?

Have you completed a Business Impact Assessment (BIA) of critical business processes and critical systems in the past 12 months?

Do you have a Business Continuity Plan (BCP) for each of the critical business processes determined in your BIA which includes a recovery strategy/plan?

Do you have an IT Service Continuity Management (ITSCM) Plan with recovery time and recovery point objectives to align with the BIA?

As part of your ITSCM plan, do you have a Disaster Recovery Plan (DRP) for each of the critical systems determined in your BIA?

Have you tested your BCP and DRP during the last twelve months and created action plans to remediate any shortcomings?

Have all core operating systems used in providing core services of underwriting and claims management, been continuously available during core business hours this quarter?

Have you reported any suspected or actual misconduct in the last period?

Have staff received adequate training, and have the skills and qualifications to do their roles, and are those records of training are maintained?

Have you maintained the organisational competence to meet the required<br>Financial Services (AFS) Licence and financial services laws obligations?

Please attach the training completion report to enable annual Code Governance Reporting.

In the last period did you receive any notices from regulators or Australian Financial Complaints Authority (AFCA) that pertain to SCC's claims handling and/or settlement services, including that part of those services performed by you?

Have you taken all reasonable steps in the last period to comply with all applicable privacy legislation?

Have there been any new processes/projects or changes to current processes that impact the handling and/or processing of personal information that SCC should be aware of?

Do you have a designated privacy officer?

Do you have policies and processes in place to assist with the identification an eradication of modern slavery in your supply chain network?

Have you maintained a process ensuring your economic sanctions screening obligations under the Corporations Act 2001 have been met?