Understanding New SaaS Cybersecurity Rules

By neub9
4 Min Read

The SEC is now subjecting applicable public companies to cybersecurity incident disclosure and cybersecurity readiness requirements for data stored in SaaS systems, as well as for the third and fourth-party apps connected to them. The new mandates do not differentiate between data exposed in a breach that was stored on-premise, in the cloud, or in SaaS environments. In the SEC’s own words: “We do not believe that a reasonable investor would view a significant data breach as immaterial merely because the data are housed on a cloud service.”

These evolving regulations come in the wake of SaaS security shortcomings continually making headlines and tech leaders debating how the SEC may change cybersecurity after charging both SolarWinds and its CISO with fraud. The perception and reality of SaaS security are often miles apart, as demonstrated by AppOmni’s State of SaaS Security report, which showed that while 71% of organizations rated their SaaS cybersecurity maturity as mid to high, 79% suffered a SaaS cybersecurity incident in the past 12 months.

The SEC’s concerns are not limited to small numbers of registrants relying on SaaS. By the end of 2022, the average global organization was using 130 SaaS applications. Additionally, the risks associated with SaaS-to-SaaS connections are growing as organizations increasingly make these connections to boost productivity, leading to governance challenges and cybersecurity risks increasing exponentially.

The breach of CircleCI, for example, meant that countless enterprises with SaaS-to-SaaS connections to the industry-leading CI/CD tool were put at risk. However, these connections exist outside the firewall and cannot be detected by traditional scanning and monitoring tools, thereby creating hidden pathways into an organization’s most sensitive data. AppOmni has reported that most enterprises have 256 unique SaaS-to-SaaS connections installed in a single SaaS instance, which poses a significant risk to the security of sensitive data.

As the SEC is tasked with protecting investors and maintaining “fair, orderly, and efficient markets,” regulating registrants’ SaaS and SaaS-to-SaaS connections falls within the agency’s purview. The scope and frequency of breaches underpin the SEC’s regulatory expansion in the cyber risk realm, with the SEC emphasizing the need for companies to disclose and prevent cybersecurity incidents as part of these new regulations.

SaaS customers are now required to adopt better cybersecurity hygiene, and SaaS security posture management (SSPM) tools can help with the burden of manually evaluating SaaS security risk and posture. These tools enable organizations to monitor configurations and permissions across all SaaS apps and understand the permissions and reach of SaaS-to-SaaS connections, including connected AI tools. SSPM also helps in assessing SaaS-to-SaaS security aspects and alerts security and IT teams of configuration and permission drifts to ensure posture remains in check.

It is essential for companies to step up SaaS security in order to protect the data markets and investors rely on, regardless of how the SEC enforces these new rules. For more exclusive content, follow us on Twitter and LinkedIn.

Share This Article
Leave a comment

Leave a Reply

Your email address will not be published. Required fields are marked *