Risks You Need to Consider When Using SaaS Providers
Businesses now use cloud-based technology vendors for all manner of services, and for good reason. Software-as-a-Service (SaaS) providers will typically deliver better technology, at lower cost, with easier installation and management, than most companies can manage themselves.
That said, SaaS providers do bring risk when you engage them to work with your enterprise — especially around cybersecurity, data privacy, business continuity, and related issues. Those are all questions of vendor risk management. How well you answer those questions depends on your ability to identify and mitigate those risks before disaster strikes.
So what risks should a compliance officer anticipate when engaging with a SaaS provider? And how might you assure that you can keep those risks in check? (Or, for SaaS providers reading this, here’s how your customer base is approaching this important question.)
5 Essential Steps To Creating an Effective Third-Party Risk Management Program
Risks That a SaaS Provider Can Pose
SaaS providers can have potentially enormous access to your company’s internal operations and plans, and the risks that access creates are many. The most immediate and dangerous ones, however, include the following.
Serving as an attack vector. If the SaaS provider has poor security controls for its own business, attackers could penetrate the vendor’s IT systems and then use the vendor to launch an attack against you.
Breaches of data you store with the provider. If the SaaS provider stores or processes data on your behalf and suffers a breach, your data might be lost or compromised. That could leave your business exposed to regulatory enforcement (say, under the EU General Data Protection Regulation) or reeling from the loss of important intellectual property.
Poor access controls. If the SaaS vendor doesn’t keep sufficient access control over its systems, an unauthorized user might breach their systems and attack your data.
Incompatibility after a software upgrade. Either you or the SaaS provider might implement a software upgrade that creates new vulnerabilities or disables previous functionality.
Business interruption. If the SaaS vendor fails for some other reason (bankruptcy, physical disaster such as flooding or wildfires), that could leave you unable to process certain transactions. If the vendor provides a mission-critical service, your own business might be in jeopardy.
Insider threat. A SaaS provider’s employees might abuse their inside knowledge in other ways: trading on confidential information about your business, stealing intellectual property, blackmailing your employees, and so forth.
Companies ignore these risks — and the list above is by no means definitive — at their peril. A compliance or risk management failure at one of your SaaS providers can leave your business exposed to significant compliance, litigation, and operational risks of your own.
In other words, compliance officers must maintain strong governance over the company’s SaaS providers. They can do this in two principal ways.
Start With the Contract
A clear, comprehensive contract with your SaaS provider is the foundation for good third-party risk management. This is where you can list the risks that matter to you, and negotiate the measures the SaaS provider will need to take to address those concerns. Give this document all the time and attention you believe it needs.
Now, let’s not delude ourselves: the largest SaaS providers — the Googles and Salesforces and Amazon Web Services of the world — will give most customers virtually zero room to negotiate specific contract language. You take what they provide on their terms, or you look elsewhere. That’s life.
Even then, the contract is still important because it helps you to understand what your risks are. From there, you can engineer the compliance policies and controls you’ll need in place to use those SaaS providers successfully.
Moreover, plenty of SaaS providers aren’t among the giants and will negotiate contract terms with you. In that case, you want to consider several important provisions.
- Disclosure of security incidents that could affect your business. You want to know about every incident — data breaches, ransomware attacks, malware infections, and so forth — that might bring compliance, litigation, or operational risk to your business.
- Right to audit the vendor’s privacy and security controls. Without the right to audit, you depend on the vendor to allow an audit, and the vendor could always say no.
- Guarantees on sub-contractors. Specify whether you’ll allow the SaaS provider to subcontract any of its services to some other provider, and how you want your data protected if that arrangement is allowed.
- Right of termination and transition assistance. Identify when the contract will end; or if the relationship has no fixed term, specify the notice period each side should provide to the other. Also specify what help the SaaS vendor should provide as you move to a new vendor.
- Data deletion or storage. Include a provision for when the vendor should destroy any of your data that it might possess (say, when you move to a new SaaS provider), or whether the vendor should store any data long-term.
Those are only some examples of clauses you could include in a contract with your SaaS provider, and accuracy in the details is crucial. So above all, consult with legal counsel to be sure you have a contract that addresses what’s important to you and does so in the right way.
Audit and Compliance Matters Too
Sometimes a SaaS vendor will make a promise and not live up to it. So as important as a contract is, testing, monitoring, and internal controls are still crucial to a successful SaaS relationship. The compliance officer can play an important role here, too.
For example, test the access controls and other security protocols your SaaS provider uses. You want assurance that those protocols work as promised; and even if those security measures don’t meet your ideal standards (in the case of a large vendor), you at least want to understand them so you can implement remediation steps at your own organization.
Along similar lines, monitor security incidents within your organization, and perhaps even scan the Internet to see whether your data is posted somewhere without your authorization. Then trace those incidents back to the source — to see whether your SaaS vendor is the cause.
Throughout all of the steps you might want to take, success will hinge on your ability to devise a risk assessment and remediation plan. So the compliance program will need a risk register that includes threats SaaS providers can pose; and then remediation tools that will help you to devise, implement, and track all the remediation steps that are necessary. Just like with the contract, attention to detail will be crucial.
Learn How You Can Create a Highly Effective Third-Party Risk Management Program
Get the Latest on Compliance Operations.
Matt Kelly is editor and CEO of RadicalCompliance.com, a blog and newsletter that follows corporate governance, risk, and compliance issues at large organizations; it includes the Compliance Jobs Report, a weekly update on compliance professionals moving around the industry. He also speaks on compliance, governance, and risk topics frequently.
Kelly was named as ‘Rising Star of Corporate Governance’ by Millstein Center for Corporate Governance in inaugural class of 2008; and named to Ethisphere’s ‘Most Influential in Business Ethics’ list in 2011 (no. 91) and 2013 (no. 77). In 2018 he won a Reader’s Choice award from JD Supra as one of the Top 10 authors on corporate compliance.
Kelly previously was editor of Compliance Week, a newsletter on corporate compliance, from 2006 through 2015. He lives in Boston, Massachusetts, and can be reached at mkelly@RadicalCompliance.com or on Twitter at @compliancememe.