SaaS and Cybersecurity in 2023: Considerations for Investment Firms
By Susan Kilburn, Chief Operating Officer at LightPoint Financial Technology.
The use of Software-as-a-Service (SaaS) has become increasingly prevalent, with Gartner predicting 2023 worldwide SaaS revenues to exceed $195 billion (more than double that of 2019). The SaaS model appeals to organizations for many reasons, including simplified user access, replacement of steep upfront costs with a monthly subscription fee, and the shifting of technical responsibilities (e.g., maintenance and upgrades) from the company using the software to the SaaS provider.
USD 195.2 billion: prediction for 2023 worldwide SaaS revenues (Source: Gartner)
For alternative investment firms, the impact of this trend is twofold: it affects the way in which the firm’s employees use software, and it affects the investment landscape. From order management systems to portfolio management software, many investment firms are relying on SaaS providers to meet their technology needs. At the same time, investment firms are also considering SaaS providers as potential investments. It’s important for investment firms to consider the cybersecurity implications of both their own use of SaaS solutions and their potential investments in SaaS providers, as a security breach in either instance can be disastrous. An IBM study of 550 organizations impacted by data breaches between March 2021 and March 2022 found that the average cost of a breach was $4.35 million.
USD 4.35 million: average total cost of a data breach (Source: IBM)
Cyberattacks can come in many forms, including hacking, malware, phishing, and social engineering. The consequences of a successful cyberattack can be devastating, including loss of data, financial losses, legal and regulatory penalties, and reputational damage. But while cyberattacks are on the rise, it is important to understand that cloud-hosted SaaS applications are not inherently less secure than traditional on-premise solutions. In fact, cloud service providers often invest more heavily in security measures than many businesses can afford to do on their own. However, there are specific risks associated with cloud computing that need to be addressed.
One of the key considerations for investment firms is the difference between single-tenant and multi-tenant SaaS solutions. In a single-tenant environment, each customer has their own separate instance of the software, meaning that their data and applications are isolated from other customers. In a multi-tenant SaaS environment, on the other hand, multiple customers share aspects of the SaaS application and its associated hardware and software components. A classic implementation involves a shared database architecture, in which multiple customers share a common database, using software-based access control mechanisms to separate one client’s data from another.
The appeal of multi-tenant architectures to SaaS providers is that it can be significantly less expensive to add new clients, both in terms of hosting fees and ongoing costs for implementing software changes. However, they can also carry a greater cybersecurity risk if they are not rigorously designed and tested. This is because a security vulnerability in the shared components can provide access to data across multiple clients. The attraction to cyber criminals is that they need only exploit the security vulnerabilities of one company to gain access to confidential data from many companies at once. This is the same reason that managed service providers (MSPs) have increasingly become targets of cyberattacks, such as the 2021 ransomware attack on IT solutions developer Kaseya. Kaseya provides IT management software solutions that are used by MSPs to remotely manage and monitor their clients’ IT systems. By targeting Kaseya’s MSPs, the ransomware group REvil was able to gain access to the data of an estimated 1500 small to medium-sized business clients of the MSPs. In May 2022 the U.S. Cybersecurity & Infrastructure Security Agency (CISA) issued an advisory specifically directed to MSPs, recommending, among other things, that they segregate customer data sets from each other.
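An added example, not from the original article or from any provider's code: the shared-database model described above, in Python with SQLite, showing how a single query that omits the tenant filter returns another client's rows, next to a data-access wrapper that applies the filter on every query. The table, tenant and function names are hypothetical, and the rows are constructed sample data.

```python
import sqlite3

# Constructed sample data: two hypothetical tenants sharing one table.
ROWS = [
    ("fund_a", "AAPL", 1000),
    ("fund_a", "MSFT", 250),
    ("fund_b", "AAPL", 40),
    ("fund_b", "TSLA", 900),
]

def build_shared_db():
    """Create the shared database: one table, a tenant_id column per row."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE positions ("
        "tenant_id TEXT NOT NULL, symbol TEXT NOT NULL, quantity INTEGER NOT NULL)"
    )
    db.executemany("INSERT INTO positions VALUES (?, ?, ?)", ROWS)
    return db

def positions_unscoped(db, symbol):
    """Weak pattern: isolation depends on every query author remembering
    the tenant filter. This query omits it, so all tenants' rows return."""
    sql = "SELECT tenant_id, symbol, quantity FROM positions WHERE symbol = ?"
    return db.execute(sql, (symbol,)).fetchall()

class TenantScopedStore:
    """Hardened pattern: the tenant is bound once (assumed to come from the
    authenticated session) and every query is forced through that filter."""

    def __init__(self, db, tenant_id):
        self._db = db
        self._tenant_id = tenant_id

    def positions(self, symbol=None):
        sql = ("SELECT tenant_id, symbol, quantity FROM positions "
               "WHERE tenant_id = ?")
        params = [self._tenant_id]
        if symbol is not None:
            sql += " AND symbol = ?"
            params.append(symbol)
        return self._db.execute(sql + " ORDER BY symbol", params).fetchall()

def cross_tenant_rows(rows, tenant_id):
    """Isolation check for tests: rows owned by any other tenant are a leak."""
    return [row for row in rows if row[0] != tenant_id]
```

A check like `cross_tenant_rows` belongs in the provider's regression tests for every data-access path, since the separation here is enforced only in software.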
Investment firms handle sensitive financial data and client information, which makes them a particularly attractive target for cybercriminals. Because of this, the Securities and Exchange Commission (SEC) has been increasing its focus on cybersecurity in recent years, and based upon its 2023 exam priorities, this year is no exception. In fact, the SEC has made it clear that cybersecurity is a top priority for the agency in the coming years. One area of focus for the SEC is ensuring that investment firms are taking appropriate steps to protect sensitive client information. This includes not only ensuring that firms themselves are taking the necessary precautions, but also that any third-party vendors or SaaS providers that they work with are doing the same. Through the explicit inclusion of third-party vendors, the SEC is making it clear that firms cannot outsource their accountability when it comes to cybersecurity.
“When it comes to cybersecurity, you can outsource the function, but you can’t outsource the accountability.”
In November 2019, the Office of the Inspector General to the SEC released a report detailing the results of its audit of the SEC’s adoption of cloud computing services. The report found that the SEC’s system security plan required additional controls and enhancements “to address the unique risks of cloud computing environments, such as multi-tenancy, visibility, control/responsibility, shared resource pooling, and trust”.
Assessing SaaS Providers
Investment firms considering the use of SaaS solutions should prioritize assessing the cybersecurity measures of potential providers. Some key questions to ask include:
- What measures does the provider take to secure customer data?
- Has the provider undergone independent validation of their cybersecurity readiness?
- How does the provider handle incidents and breaches, and what is their incident response plan?
- How does the provider manage access controls and user permissions?
Additionally, investment firms should consider working with providers that offer single-tenant solutions, as this can provide greater security. Single tenancy also provides organizations with more individual control over their software. This can be important for companies that have specific compliance needs or performance requirements.
Investing in SaaS Providers
For investment firms considering potential investments in SaaS providers, cybersecurity should be a critical factor in their due diligence process. In addition to assessing the provider’s security measures, investors should also consider the level of exposure that the provider has to potential breaches or data leaks, especially in the case of multi-tenant SaaS solutions or MSPs. It’s also important to consider the provider’s track record when it comes to incident response and transparency with customers.
As SaaS solutions continue to play a critical role in the alternative investment industry, it’s important for investment firms to prioritize cybersecurity when considering their own use of these solutions and potential investments in SaaS providers. By focusing on the risks of SaaS multi-tenancy, assessing the cybersecurity measures of potential providers, and considering independent validations of security status, investment firms can better protect their own data and investments while staying ahead of evolving cybersecurity threats.
About the Author:
Susan Kilburn is the Chief Operating Officer at LightPoint Financial Technology. Susan joined LightPoint, a SaaS provider of portfolio, order, and execution management software, in 2019. Prior to joining LightPoint, Susan worked as an independent consultant, working with organizations such as BMO Financial Group on large-scale business transformation initiatives. She graduated from Engineering Physics and Management at McMaster University in Canada.