The SEC isn't giving SaaS a free pass. Applicable public companies, known as "registrants," are now subject to cyber incident disclosure and cybersecurity readiness requirements for data stored in SaaS systems, along with the 3rd and 4th party apps connected to them. The new cybersecurity mandates make no distinction between data exposed in a breach that was stored on-premise, in the cloud, or in SaaS environments. In the SEC's own words: "We do not believe that a reasonable investor would view a significant data breach as immaterial merely because the data are housed on a cloud service." This evolving approach comes as SaaS security shortcomings continually make headlines and tech leaders debate how the SEC may change cybersecurity after charging both SolarWinds and its CISO with fraud. Why SaaS and SaaS-to-SaaS Connection Risks Matter to the SEC — And To Your Organization The perception and reality of SaaS security are, in many cases, miles apart. SaaS security leader AppOmni's State of SaaS Security report showed that 71% of organizations rated their SaaS cybersecurity maturity as mid to high, yet 79% suffered a SaaS cybersecurity incident in the past 12 months. The SEC finds SaaS security lacking as well, citing the "substantial rise in the prevalence of cybersecurity incidents" as a key motivating factor for its new approach. These concerns are not, of course, limited to small numbers of registrants relying on SaaS. Statista reports that by the end of 2022, the…Read More