Why Risk Managers Need to Address SaaS Security

As organizations increasingly adopt cloud-based software-as-a-service (SaaS) apps that store and handle sensitive and proprietary company data, cybersecurity risks have quickly become direct financial concern. The stakes around SaaS have never been higher—today, current spend on SaaS tools like Workday, Google Workspace and ServiceNow is in the hundreds of billions, or approximately $8,700 per employee.

Despite the increasing investment in SaaS, investment in their security has lagged. One common misconception is that SaaS vendors are responsible for securing these applications. In reality, it is a shared responsibility—the business must ensure proper configuration, integration, threat detection and usage of these applications and the sensitive data stored within. The problem is that every application is unique, creating a massive attack surface security teams must harden.

Attackers are aware of this vulnerability and are targeting SaaS with increasing frequency—monthly SaaS breaches have surged 300% year over year. While some of these attacks make headlines, many occur under the radar. Allocating budget and resources to protect these applications is becoming as necessary today as endpoint security was a decade ago.

These risks create an opportunity for risk managers to step in as key facilitators to help ensure that CFOs, finance teams and security counterparts understand and proactively address SaaS risks before they result in costly damages. 

The Growing Financial Risks of SaaS Breaches

Cloud-based applications like SaaS and platform-as-a-service (PaaS), such as Databricks, handle sensitive data and play a part in critical operations. This means that breaches of these applications result not only in data loss but also in substantial financial impacts due to:

• Reputation damage and loss of future business
• Decline in market value
• Legal liabilities and class-action lawsuits
• Breach of contract fees
• Regulatory fines and compliance violations
• Customer compensation
• Increased cyber insurance premiums

For example, Change Healthcare experienced a breach because a critical system did not have multi-factor authentication (MFA). As a result of the cyberattack, the sensitive health data of over one-third of Americans may have been sold on the dark web. It also disrupted health care services in facilities across the country, including payment operations, which forced many patients to pay out of pocket for critical medical services. So far, the breach has cost Change Healthcare at least $2.3 billion.

After such a breach is resolved, there is usually still a long tail of financial ramifications. One growing impact comes from regulators placing companies under increased scrutiny for security practices, expanding their audit scope and setting higher penalties. For example, OneMain Financial saw over $4 million in regulatory fines, on top of the cost of their breach, due to security failures tied to multiple cybersecurity incidents.

Class-action lawsuits are also becoming more frequent. Organizations are not only paying for breach mitigation but also defending themselves in court against damage claims that further erode financial health. IBM reports that costs related to lost business have reached $2.8 million—the highest level in six years.

Risk managers should work closely with finance leaders to align security investments with business risk priorities. CFOs, in turn, should work with their security counterparts to ensure they are allocating adequate resources to close this gap, which is especially urgent since breaches to data stored in public clouds like Microsoft Azure are the most expensive, averaging $5.17 million according to IBM.

Eight Key Considerations for Risk and Finance Leaders

If SaaS security is not on your radar yet, it should be. Below are eight considerations risk managers and CFOs should discuss with their CISO or IT security team to ensure resources that meet business needs also support the company’s security infrastructure:

1. SaaS app inventory: Does each stakeholder know the definitive source of data for all apps the organization uses?
2. User privileges: How do we determine and manage which users should have elevated permissions to access or share sensitive data?
3. Authentication use: Does every user and app follow security guidelines and controls, such as multi-factor authentication, to help protect data and strengthen authentication?
4. Change management: What are our policies for continuously checking users, configurations and permissions to avoid unauthorized changes to the configuration of a system, application or infrastructure?
5. Integration management: Can we control app-to-app integrations, especially with the deployment of generative AI?
6. Breach detection and response: Can our security solutions and workflows keep up with the speed of SaaS attacks?
7. Compliance monitoring: Do our compliance frameworks map to critical SaaS applications?
8. SaaS procurement: What is our SaaS onboarding process, and how do we ensure every app complies with IT policies?

As SaaS adoption continues to surge, its security is critical. Adopting a comprehensive SaaS security approach does not have to be challenging, and the teams that prioritize this investment will better protect their organization from future costs. By framing SaaS security as a financial risk rather than just an IT issue, risk managers and finance leaders can drive executive buy-in for stronger security measures and mitigate the risks associated with SaaS apps.