The SEC isn’t giving SaaS a free pass. Applicable public companies, known as “registrants,” are now subject to cyber incident disclosure and cybersecurity readiness requirements for data stored in SaaS systems, along with the 3rd and 4th party apps connected to them.
The new cybersecurity mandates make no distinction between data exposed in a breach that was stored on-premise, in the cloud, or in SaaS environments. In the SEC’s own words: “We do not believe that a reasonable investor would view a significant data breach as immaterial merely because the data are housed on a cloud service.”
This evolving approach comes as SaaS security shortcomings continually make headlines and tech leaders debate how the SEC may change cybersecurity after charging both SolarWinds and its CISO with fraud.
Why SaaS and SaaS-to-SaaS Connection Risks Matter to the SEC — And To Your Organization
The perception and reality of SaaS security are, in many cases, miles apart. SaaS security leader AppOmni’s State of SaaS Security report showed that 71% of organizations rated their SaaS cybersecurity maturity as mid to high, yet 79% suffered a SaaS cybersecurity incident in the past 12 months.
The SEC finds SaaS security lacking as well, citing the “substantial rise in the prevalence of cybersecurity incidents” as a key motivating factor for its new approach. These concerns are not, of course, limited to small numbers of registrants relying on SaaS. Statista reports that by the end of 2022, the average global organization used 130 SaaS applications.
Data leak risk isn’t limited to SaaS’s ubiquity and vulnerability. To derive more value out of SaaS platforms, organizations routinely make SaaS-to-SaaS connections (connecting 3rd party apps to SaaS systems), whether these connections are approved by IT or integrated covertly as a form of shadow IT. As employees increasingly connect AI solutions to SaaS apps, the digital ecosystems CISOs oversee become more interconnected and nebulous.
Governance challenges and cybersecurity risks increase exponentially as intricate SaaS-to-SaaS connections flourish. While these connections typically boost organizational productivity, SaaS-to-SaaS apps introduce many hiddens risks. The breach of CircleCI, for example, meant countless enterprises with SaaS-to-SaaS connections to the industry-leading CI/CD tool were put at risk. The same holds true for organizations connected to Qlik Sense, Okta, LastPass, and similar SaaS tools that have recently suffered cyber incidents.
Because SaaS-to-SaaS connections exist outside the firewall, they cannot be detected by traditional scanning and monitoring tools such as Cloud Access Security Brokers (CASBs) or Secure Web Gateways (SWGs). On top of this lack of visibility, independent vendors often release SaaS solutions with vulnerabilities that threat actors can compromise via OAuth token hijacking, creating hidden pathways into an organization’s most sensitive data. AppOmni reports that most enterprises have 256 unique SaaS-to-SaaS connections installed in a single SaaS instance.
Data that could affect investors and the market is now accessible — and hackable — through a sprawling network of digital pipes.
“Follow The Data” Is The New “Follow The Money”
As the SEC is tasked with protecting investors and maintaining “fair, orderly, and efficient markets,” regulating registrants’ SaaS and SaaS-to-SaaS connections falls within the agency’s purview. In the cybersecurity rules announcement, the SEC chair stated, “Whether a company loses a factory in a fire — or millions of files in a cybersecurity incident — it may be material to investors.”
The scope and frequency of breaches underpins the SEC’s regulatory expansion in the cyber risk realm. SaaS breaches and incidents occur at a regular clip across public companies, and AppOmni has tracked a 25% increase in attacks from 2022 to 2023. IBM calculates that the cost of a data breach averaged an all-time high of $4.45 million in 2023.
While disclosure requirements have garnered the most media attention, the new SEC regulations also specify prevention measures. CISOs must describe their processes for “assessing, identifying, and managing material risks from cybersecurity threats,” as well as sharing the board of directors’ and management’s role in cybersecurity risk and threat oversight.
Love them or loathe them, these rules force SaaS customers to adopt better cybersecurity hygiene. Disclosing what happened — and what your organization did and is doing about it — as directly and candidly as possible enhances investor confidence, ensures regulatory compliance, and fosters a proactive cybersecurity culture.
In SaaS, the best offense is an impenetrable defense. Assessing and managing risk of every SaaS system and SaaS-to-SaaS connection that has access to your sensitive data is not only mandated, it’s essential to avoiding data breaches and minimizing their impact.
How to Protect and Monitor Your SaaS Systems and SaaS-to-SaaS Connections
The burden of manually evaluating SaaS security risk and posture can be alleviated with a SaaS security posture management (SSPM) tool. With SSPM, you can monitor configurations and permissions across all SaaS apps, along with understanding the permissions and reach of SaaS-to-SaaS connections, including connected AI tools.
Registrants need a comprehensive understanding of all SaaS-to-SaaS connections for effective risk management. This must include an inventory of all connections and the employees using them, the data these connections touch, and the levels of permissions to SaaS systems these 3rd party tools have been granted. SSPM assesses all these aspects of SaaS-to-SaaS security.
SSPM will also alert security and IT teams of configuration and permission drifts to ensure posture remains in check. It will also detect and alert for suspicious activity, such as an attempted identity compromise from an unusual IP address or geographic location.
CISOs and their teams may struggle to meet readiness requirements without the proper posture and threat detection tools to reduce data breach risk. SSPM centralizes and normalizes activity logs to help companies prepare thorough and factual disclosures within the four-day window.
Only time will tell how the SEC will enforce these new rules. But even if these regulations vanish tomorrow, stepping up SaaS security is vital to protecting the data markets and investors rely on.