Back to Insights
There has been a quiet revolution in business. It has been inexorable, compulsive, sensible, innovative and helps to drive innovation and productivity. The benefits of Software as a Service (SaaS) are clear and perhaps 90% of organisations of any scale are signed up to cloud-hosted, subscription-based software.
Welcome to the Real World of reduced costs, improved access, opened borders, scalability, ease of upgrades and broader compatibility. If you are one of the outliers not using SaaS, then we expect you will soon be. The benefits are apparent.
But what of the risks?
What is your reputation and your firm’s reputation worth to you?
The cyber incidents endured by Medibank and Optus continue to damage those organisations, financially and reputationally. In the Real World, they are not alone. Corporations understand well all the benefits of SaaS also expose them to serious risk and SaaS vendors are not immune to scrutiny around the security of their processes, their products, their assets and the underlying contractual terms and exposures that define the risks and the allocation of these risks. The risk exposures won’t go away and are part of an ongoing compliance environment that will become more, not less, invasive.
SaaS users will ask of themselves and of their vendor’s hard questions and evidence of compliance around the following:
1. Access Management - critical for every SaaS application considering sensitive data; can the data of others, for which the user has responsibility, be affected?
2. Misconfiguration - SaaS products generally add more layers of complexity to an organisation, increasing the risk of misconfiguration. This can also have a knock-on effect in terms of availability of cloud infrastructure for other users.
3. Regulatory compliance - ensuring a supplier has strong endpoint security is one side of the issue. Another side will include the question of jurisdiction(s), the powers and even politics of that jurisdiction or jurisdictions and the governance of customer data and how this is controlled?
4. Storage - where is the data stored and does the user have any control, power or authority over it. Who owns the data, what is it for, how much is it worth and to whom, and how long will it be retained?
5. Privacy and data breaches - how are these risks mitigated and what measures exist to detect and prevent breaches? Is a user powerless in the event of breach, and what remedies are enforceable under the contract?
6. Disaster recovery - another reminder of volatile climate and hostile geopolitics. Who else is up in that cloud or somewhere along the system? What are the mitigants and what are the disaster recovery procedures in the event of failure, whether as a result of power blackouts, fires, floods or natural or unanticipated catastrophe?
The rate of cybercrime will grow; it’s a constant game of increased effort and reward by criminals and hostile actors, and increased vigilance, intelligence and prevention by those under attack. Very high losses have created an adversary situation where vendors look to transfer risk to users, and vice versa.
The trilogy of risk identification and analysis, risk mitigation and risk transfer (either within the contract or by way of insurance) is complex. Off the shelf insurance from general insurers or non-specialist insurance brokers are unlikely to produce much of an answer. A mature discussion of risk and its broader implications is essential. Engagement may be with several parties.
Specialist insurance products have been developed and are under constant revision to meet increasingly complex risks. For SaaS vendors, some of these require tailored solutions to help meet unique or unusual risk exposures.
Headsure is a specialist insurance consultancy and a leading expert in technology and cyber risk. It supports its clients in understanding the risks that face them and in providing solutions.
For an obligation free chat about how Headsure can help you protect your business, give us a call or send us an email.