The U.S. Securities and Exchange Commission (SEC) is taking a firm stance on the cybersecurity posture of Software as a Service (SaaS) providers and their clients. Publicly traded companies, referred to as ‘registrants’, are now required to disclose cyber incidents and demonstrate their readiness to manage cybersecurity threats, including those impacting third-party applications linked to their SaaS platforms. This move signifies that the SEC will no longer treat breaches occurring on cloud platforms as less significant than traditional on-premise violations.
According to the SEC’s regulations, the framework makes no distinction based on where data was stored when a breach occurred. As articulated by SEC officials, “A significant data breach cannot be deemed immaterial simply because it involves cloud-stored data.” This evolving regulatory landscape comes amid ongoing concerns over widespread weaknesses in SaaS security, brought into focus by high-profile incidents involving major technology companies such as SolarWinds.
The SEC’s Focus on SaaS Security Metrics
Emerging statistics from AppOmni’s State of SaaS Security report reveal a glaring contrast between perceived and actual security maturity among organizations. While a notable 71% of respondents rated their SaaS security competence as mid to high, a staggering 79% experienced breaches within the past year. This paradox underscores the SEC’s growing concern over cybersecurity incidents, which it identifies as rampant across various sizes of organizations. Statista highlights the rising number of SaaS applications used by the average global organization, which stood at 130 by the end of 2022.
The risks associated with SaaS extend beyond direct vulnerabilities; the prevalence of SaaS-to-SaaS connections exacerbates the threat landscape. Businesses increasingly integrate third-party applications into their environments, often bypassing formal IT approval, leading to potential shadow IT scenarios. This interconnectedness, particularly with the recent trend of employees linking AI solutions to SaaS tools, complicates the security landscape for Chief Information Security Officers (CISOs).
While security teams may believe they have the situation under control, the data tells a different story: 79% of organizations faced breaches involving SaaS platforms. The AppOmni report uncovers the hidden vulnerabilities within SaaS security. Download it now to evaluate your risk.
Managing governance and cybersecurity challenges becomes increasingly complex as SaaS-to-SaaS interactions multiply. While such integrations enhance productivity, they significantly raise security risks. Notably, incidents like the breach of CircleCI have put numerous entities at risk due to their connections with this industry-leading tool. Similar vulnerabilities loom for organizations utilizing other platforms such as Qlik Sense, Okta, and LastPass, which have all faced cyber incidents recently.
Given that these SaaS-to-SaaS connections operate outside traditional network perimeters, conventional scanning tools, like Cloud Access Security Brokers (CASBs), often fail to detect them. This lack of visibility is compounded by vulnerabilities present in independently released SaaS solutions, which can be exploited for unauthorized access to sensitive organizational data. AppOmni notes that enterprises typically host 256 distinct SaaS-to-SaaS connections concurrently within a single SaaS setup.
Data with potential implications for investors and market trends is now increasingly exposed, reachable through a labyrinth of interconnected systems.
The SEC’s Authority Over Data Integrity
The SEC, mandated to protect investors and to enforce fair and efficient markets, extends its oversight to registrants’ SaaS and SaaS-to-SaaS frameworks. In recent announcements, the SEC chair remarked, “The materiality of a data breach is comparable to losing a factory in a fire; both can have a significant impact on investor sentiment.”
The frequency and severity of cyber breaches have prompted the SEC to enhance its oversight in this domain. Data from AppOmni revealed a 25% uptick in cyber attacks from 2022 to 2023 across public companies. IBM’s research indicates that the average cost of a data breach reached $4.45 million, the highest on record in 2023.
While heightened disclosure obligations have attracted considerable media attention, the SEC’s regulations also encompass preventive strategies. CISOs are now required to articulate their methodologies for assessing and managing material risks posed by cybersecurity threats, detailing the roles of both the board of directors and management in overseeing these risks.
Regardless of opinions on the regulations, organizations must acknowledge that these requirements promote improved cybersecurity hygiene. Transparent disclosures regarding cyber incidents — along with an organization’s response — bolster investor confidence and assure regulatory compliance while fostering a proactive security culture.
In the realm of SaaS, an effective defense against breaches hinges on thorough risk assessments across all SaaS systems and any interrelated applications. Ensuring that these systems maintain robust security protocols is imperative, both for compliance and for safeguarding sensitive data against breaches.
Implementing Robust Oversight of SaaS and Connections
The challenges of manual evaluations of SaaS security can be mitigated with the implementation of a SaaS security posture management (SSPM) tool. An SSPM solution provides visibility into configurations and permissions across various SaaS platforms, enabling organizations to grasp the permissions and functionalities granted to SaaS-to-SaaS connections, including integrations with AI tools.
For registrants, maintaining a detailed inventory of all SaaS-to-SaaS connections, understanding who utilizes these connections, the data involved, and the permissions allocated to third-party solutions is vital for effective risk management. SSPM tools deliver comprehensive assessments of these security dynamics.
Moreover, SSPM frameworks facilitate real-time alerts for configuration discrepancies and unusual activities, such as attempts to access accounts from anomalous IP addresses or geographic locations. Without appropriate monitoring tools, CISOs may find it challenging to meet the SEC’s readiness requirements and effectively mitigate the risk of data breaches.
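The two SSPM checks described above, a risk-scored inventory of SaaS-to-SaaS connections and a geo-anomaly alert on tenant logins, as an added illustration that is not code from the article or from any SSPM product. The grant and login records, field names, approved-app list and write-scope list are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed inventory of SaaS-to-SaaS grants and tenant logins (hypothetical
# field names, not a real SSPM export format).
APPROVED_APPS = {"ci-runner", "crm-sync"}   # assumed IT-approved integrations
WRITE_SCOPES = {"files.write", "admin.directory", "mail.send"}
NOW = datetime(2024, 3, 1, tzinfo=timezone.utc)

@dataclass
class Grant:
    app: str           # third-party application name
    owner: str         # user who authorized the connection
    scopes: tuple      # permissions delegated to the app
    last_used: datetime

def assess_grant(g, now=NOW, stale_days=90):
    """Findings an SSPM-style review of one connection would escalate."""
    findings = []
    if g.app not in APPROVED_APPS:
        findings.append("unapproved-app")   # shadow IT: bypassed IT approval
    if set(g.scopes) & WRITE_SCOPES:
        findings.append("write-scope")      # can alter or exfiltrate data
    if now - g.last_used > timedelta(days=stale_days):
        findings.append("stale")            # dormant but still authorized
    return findings

def inventory_report(grants, now=NOW):
    """Map app name -> findings for every grant that raised at least one."""
    return {g.app: f for g in grants if (f := assess_grant(g, now))}

def anomalous_logins(logins, baseline_days=30):
    """Flag (user, country) when the country is new for that user within the
    baseline window: the geo-anomaly alert an SSPM tool would raise."""
    seen, alerts = {}, []
    for user, country, ts in sorted(logins, key=lambda r: r[2]):
        recent = {c for c, t in seen.get(user, []) if ts - t <= timedelta(days=baseline_days)}
        if recent and country not in recent:
            alerts.append((user, country))
        seen.setdefault(user, []).append((country, ts))
    return alerts

GRANTS = [  # constructed sample data
    Grant("ci-runner", "alice", ("repo.read",), NOW - timedelta(days=2)),
    Grant("ai-summarizer", "bob", ("files.read", "files.write"), NOW - timedelta(days=1)),
    Grant("crm-sync", "carol", ("contacts.read",), NOW - timedelta(days=200)),
]
LOGINS = [("alice", "US", NOW - timedelta(days=10)), ("alice", "US", NOW - timedelta(days=3)),
          ("alice", "RO", NOW - timedelta(hours=1)), ("bob", "DE", NOW - timedelta(days=1))]
```

Running `inventory_report(GRANTS)` flags the unapproved AI tool holding a write scope and the dormant CRM grant, while `anomalous_logins(LOGINS)` raises only alice’s login from a country absent from her 30-day baseline.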
While the precise enforcement methods for these regulations remain to be seen, it’s clear that enhancing SaaS security is crucial for protecting key data assets that investors and markets depend upon.