Understanding the new SaaS cybersecurity rules

The SEC doesn’t give SaaS a free pass. Affected public companies, known as “registrants,” are now subject to cyber incident disclosure and cybersecurity preparedness requirements for data stored in SaaS systems, along with the third- and fourth-party apps connected to them.

The new cybersecurity mandates do not distinguish between data exposed in a breach that was stored on-premise, in the cloud or in SaaS environments. In the words of the SEC: “We do not believe that a reasonable investor would consider a significant data breach to be immaterial simply because the data is hosted on a cloud service.”

This evolving approach comes as SaaS security flaws continually make headlines and tech leaders debate how the SEC might change cybersecurity after accusing both SolarWinds and its CISO of fraud.

Why SaaS and SaaS-to-SaaS Connection Risks Matter to the SEC and Your Organization

The perception and reality of SaaS security are, in many cases, miles apart. The State of SaaS Security Report from SaaS security leader AppOmni showed that 71% of organizations rated their SaaS cybersecurity maturity level as medium to high, yet 79% had experienced a SaaS cybersecurity incident in the last 12 months.

The SEC also finds SaaS security lacking, citing the “substantial increase in the prevalence of cybersecurity incidents” as a key motivating factor for its new approach. These concerns are, of course, not confined to a small number of registrants that rely on SaaS. Statista reports that by the end of 2022, the average global organization was using 130 SaaS applications.

The risk of data loss is not limited to the ubiquity and vulnerability of SaaS. To get more value from SaaS platforms, organizations routinely make SaaS-to-SaaS connections (connecting third-party apps to SaaS systems), whether these connections are approved by IT or covertly integrated as a form of shadow IT. As employees increasingly connect AI solutions to SaaS apps, the digital ecosystems overseen by CISOs become increasingly interconnected and nebulous.

Governance challenges and cybersecurity risks increase exponentially as complex SaaS-to-SaaS connections grow. While these connections typically increase organizational productivity, SaaS-to-SaaS apps introduce many hidden risks. The CircleCI breach, for example, put countless companies with SaaS-to-SaaS connections to the industry-leading CI/CD tool at risk. The same goes for organizations connected to Qlik Sense, Okta, LastPass and similar SaaS tools that have recently suffered cyber incidents.

Because SaaS-to-SaaS connections exist outside the firewall, they cannot be detected by traditional scanning and monitoring tools such as Cloud Access Security Brokers (CASB) or Secure Web Gateways (SWG). In addition to this lack of visibility, independent vendors often release SaaS solutions with vulnerabilities that threat actors can exploit, for example by hijacking OAuth tokens, creating hidden paths into an organization’s most sensitive data. AppOmni reports that most companies have 256 unique SaaS-to-SaaS connections installed in a single SaaS instance.

Data that could influence investors and the market is now accessible – and hackable – through a vast network of digital channels.

“Follow the data” is the new “Follow the money”

Because the SEC is charged with protecting investors and maintaining “fair, orderly, and efficient markets,” regulating registrants’ SaaS and SaaS-to-SaaS connections falls within the agency’s purview. In the announcement of the cybersecurity rules, the SEC chairman said, “If a company loses a factory in a fire — or millions of files in a cybersecurity incident — it could be material to investors.”

The scope and frequency of breaches are driving the SEC’s regulatory expansion into cyber risk. SaaS breaches and incidents occur regularly in public companies, and AppOmni has tracked a 25% increase in attacks from 2022 to 2023. IBM calculates that the average cost of a data breach reached an all-time high of $4.45 million in 2023.

While the disclosure requirements have attracted the most media attention, the new SEC regulations also specify prevention measures. CISOs must describe their processes to “assess, identify, and manage material risks from cybersecurity threats,” as well as share the role of the board of directors and management in overseeing cybersecurity risks and threats.

Love them or loathe them, these rules force SaaS customers to adopt better cybersecurity hygiene. Disclosing what happened – and what your organization has done and is doing about it – as directly and truthfully as possible increases investor confidence, ensures regulatory compliance and promotes a proactive cybersecurity culture.

In SaaS, the best offense is an impenetrable defense. Assessing and managing the risk of every SaaS system and SaaS-to-SaaS connection that has access to your sensitive data is not only mandatory, it is essential to avoid data breaches and minimize their impact.

How to secure and monitor SaaS systems and SaaS-to-SaaS connections

The burden of manually assessing SaaS security posture and risk can be alleviated with a SaaS security posture management (SSPM) tool. With SSPM you can monitor configurations and permissions across all SaaS apps, as well as understand the permissions and scope of SaaS-to-SaaS connections, including connected AI tools.

Registrants need in-depth knowledge of all SaaS-to-SaaS connections for effective risk management. This must include an inventory of all connections and the employees using them, the data touched by those connections, and the levels of SaaS system permissions granted to these third-party tools. SSPM evaluates all these aspects of SaaS-to-SaaS security.

SSPM will also alert IT and security teams of configuration and permissions shifts to ensure the situation remains under control. It will also detect and alert you to suspicious activity, such as an attempted identity compromise from an unusual IP address or geographic location.
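As an added illustration (not code from the article or from AppOmni's product), the following Python sketch implements the three checks the paragraphs above attribute to an SSPM: an inventory of SaaS-to-SaaS grants ranked by the permissions they carry, detection of new connections, revoked connections and scope expansion between two snapshots, and flagging of sign-ins from a country not previously seen for that user. All app names, scope names, users and IP addresses are constructed sample data; the scope names are illustrative rather than any vendor's actual OAuth scopes, and a real implementation would read grants and sign-in events from the SaaS platform's admin and audit APIs instead of hard-coded lists.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Set, Tuple

# Illustrative scope names used to rank a grant's blast radius. These are
# constructed for the example and are not any vendor's real OAuth scopes.
HIGH_RISK_SCOPES = frozenset({"full_access", "read_all_records", "manage_users", "export_data"})
MEDIUM_RISK_SCOPES = frozenset({"write_records", "read_contacts"})
RISK_ORDER = {"high": 0, "medium": 1, "low": 2}


@dataclass(frozen=True)
class Connection:
    """One SaaS-to-SaaS grant: a third-party app authorized by an employee."""
    app: str                 # third-party app connected to the SaaS tenant
    owner: str               # employee who approved the grant
    scopes: FrozenSet[str]   # permissions the grant carries in the SaaS platform


def risk_level(scopes: FrozenSet[str]) -> str:
    """Rank a grant by the most sensitive permission it holds."""
    if scopes & HIGH_RISK_SCOPES:
        return "high"
    if scopes & MEDIUM_RISK_SCOPES:
        return "medium"
    return "low"


def inventory(connections: List[Connection]) -> List[Dict[str, object]]:
    """Inventory every connection (app, owner, scopes, risk), most sensitive first."""
    rows = [
        {"app": c.app, "owner": c.owner, "scopes": sorted(c.scopes), "risk": risk_level(c.scopes)}
        for c in connections
    ]
    return sorted(rows, key=lambda r: (RISK_ORDER[r["risk"]], r["app"]))


def detect_drift(baseline: List[Connection], current: List[Connection]) -> List[Tuple[str, str, str, str]]:
    """Compare two snapshots and report new grants, revoked grants and scope expansion.

    Each finding is (kind, app, owner, detail); the list is sorted so output is deterministic.
    """
    base = {(c.app, c.owner): c for c in baseline}
    cur = {(c.app, c.owner): c for c in current}
    findings = []
    for app, owner in cur.keys() - base.keys():
        findings.append(("new", app, owner, risk_level(cur[(app, owner)].scopes)))
    for app, owner in base.keys() - cur.keys():
        findings.append(("revoked", app, owner, ""))
    for key in cur.keys() & base.keys():
        added = cur[key].scopes - base[key].scopes
        if added:  # a grant quietly gaining permissions is the case to watch
            findings.append(("scope_expansion", key[0], key[1], ",".join(sorted(added))))
    return sorted(findings)


def unusual_logins(events: List[Dict[str, str]], known_locations: Dict[str, Set[str]]) -> List[Dict[str, str]]:
    """Flag sign-ins from a country not previously seen for that user."""
    return [e for e in events if e["country"] not in known_locations.get(e["user"], set())]


# --- constructed sample data (not real tenants, users or addresses) ---
BASELINE_SNAPSHOT = [
    Connection("ci-runner", "alice@example.com", frozenset({"read_contacts"})),
    Connection("bi-dashboard", "bob@example.com", frozenset({"write_records"})),
]
CURRENT_SNAPSHOT = [
    Connection("ci-runner", "alice@example.com", frozenset({"read_contacts", "export_data"})),
    Connection("bi-dashboard", "bob@example.com", frozenset({"write_records"})),
    Connection("ai-assistant", "carol@example.com", frozenset({"full_access"})),
]
KNOWN_LOCATIONS = {"alice@example.com": {"US"}, "bob@example.com": {"DE"}}
LOGIN_EVENTS = [  # IP addresses are from the RFC 5737 documentation ranges
    {"user": "alice@example.com", "country": "US", "ip": "203.0.113.10"},
    {"user": "alice@example.com", "country": "BR", "ip": "198.51.100.7"},
    {"user": "bob@example.com", "country": "DE", "ip": "192.0.2.44"},
]

if __name__ == "__main__":
    for row in inventory(CURRENT_SNAPSHOT):
        print(f"{row['risk']:6} {row['app']:14} {row['owner']:20} {row['scopes']}")
    for finding in detect_drift(BASELINE_SNAPSHOT, CURRENT_SNAPSHOT):
        print("DRIFT:", finding)
    for event in unusual_logins(LOGIN_EVENTS, KNOWN_LOCATIONS):
        print("UNUSUAL LOGIN:", event)
```

Run as a script, the inventory lists the newly connected AI assistant and the CI runner as high risk (the latter because its grant gained an export permission since the baseline), the drift report shows one new grant and one scope expansion, and the login check surfaces the sign-in from a country never seen for that user. Each of these is a fact a registrant would need at hand when assessing whether an incident involving that connection is material.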

CISOs and their teams may struggle to meet preparedness requirements without the right posture and threat detection tools to reduce the risk of a data breach. SSPM centralizes and normalizes activity logs to help companies prepare thorough, fact-based disclosures within the four-day window.

Only time will tell how the SEC will enforce these new rules. But even if these regulations vanish tomorrow, strengthening SaaS security is vital to protecting the data markets that investors rely on.
