
Let’s face it, the siren song of SaaS – agility, scalability, cost-effectiveness – is hard to resist. But beneath the promises of seamless security lies a reality that Sourcing and Procurement leaders in the Financial Services and Insurance (FSI) sectors can’t afford to ignore. The misconception that SaaS security is solely the vendor’s burden is a dangerous one, and recent breaches are stark reminders of this uncomfortable truth.
This isn’t a technical deep dive, but a crucial wake-up call. As the gatekeepers of vendor relationships and the stewards of organizational resources, you need to understand that overlooking the nuances of SaaS security isn’t just an IT issue – it’s a business risk with tangible consequences for your bottom line, regulatory compliance, and the trust you’ve built with your stakeholders.
The Illusion of “Vendor Secured”: Recent Breaches Shatter the Myth
The past year has offered a sobering look at the vulnerabilities inherent in relying solely on a SaaS provider’s security assurances. The patterns emerging from recent incidents paint a clear picture.
Obsidian Security has released its inaugural 2025 SaaS Security Threat Report, which highlights a 300% increase in SaaS breaches over the past year.
The report, covering September 2023 through 2024, outlines how SaaS breaches have hit multiple sectors, with prominent organisations such as Microsoft and AT&T suffering major security incidents. The rise in breaches coincides with growing reliance on SaaS applications: global spend has reached hundreds of billions of dollars, averaging around USD $8,700 per employee for tools like Workday, Google Workspace, ServiceNow, and Office 365.
- The Identity Provider as the Achilles’ Heel: Think of your identity provider (like Okta or Microsoft Entra ID) as the master key to your SaaS kingdom. Recent surges in attacks targeting these central hubs have demonstrated the devastating ripple effect when they are compromised. A breach here can grant attackers access to multiple SaaS applications used across your FSI organization, underscoring the need for stringent security measures and vigilant monitoring on your end.
- The Treacherous Terrain of Integrations: Your technology ecosystem likely thrives on interconnected SaaS applications. But these integrations and APIs, while enabling efficiency, are also emerging as prime targets. Attackers are exploiting vulnerabilities in these pathways to move laterally, highlighting the critical need for proactive security assessments that extend beyond the core vendor to every connected application.
Think of your SaaS tools as rooms connected by hallways and doorways. Those connections make work flow, but attackers look for weak spots in the hallways to move from one application to the next. That is why the security of every connected application, not just the core platforms, has to be checked, so there is no easy path for an attacker to wander through.
- Misconfiguration: The Silent Killer: Alarmingly, many recent SaaS breaches aren’t due to sophisticated attacks on vendor infrastructure, but rather simple misconfigurations on the customer’s side. Overly permissive sharing settings, exposed APIs – these seemingly minor errors can lead to significant data leaks, reminding us that the responsibility for proper setup and ongoing management lies firmly with the FSI organization.
A SaaS misconfiguration is the equivalent of leaving a door or window of your software unlocked. When an application is set up incorrectly, or a security setting is changed by accident, it creates an opening for an intruder. Common mistakes include granting privileged access too broadly, not governing who can log in and how, and failing to apply required controls. Because every SaaS product is configured differently, a single wrong setting can expose it to intrusion and data leaks. These mistakes are common, and they are risky.
- Non-Human Identities: The Unseen Threat: Service accounts, API keys, and OAuth tokens often operate with fewer security controls than human users. Recent reports indicate threat actors are increasingly targeting these “non-human identities” as easier entry points into SaaS environments, demanding a more robust approach to their management and monitoring within FSI.
- The Systemic Risk of Targeting the Provider: While less frequent, ransomware attacks on SaaS providers themselves can have widespread consequences for their FSI customers, disrupting critical services and potentially compromising sensitive data. This underscores the importance of evaluating the resilience and security posture of your core SaaS vendors.
- Theft from “Secure” Data Warehouses: Even data stored in seemingly secure cloud data warehouses isn’t immune. Recent incidents have shown how compromised credentials, often obtained through separate malware attacks, can grant access to vast troves of sensitive financial and insurance data held within these SaaS platforms.
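The misconfiguration and non-human identity points above are the ones an FSI security team can actually check on its own side of the shared responsibility line. The following Python posture check is an added example, not code from the original post or from any vendor: it runs over a constructed tenant export and flags public-by-default sharing, over-scoped or dormant OAuth grants, and unrotated or ownerless API keys. The export schema, field names, scope labels and the 90-day rotation and 60-day idle thresholds are all assumptions made for illustration, not any real product’s API or policy.

```python
"""Posture check over a SaaS tenant export (constructed data, hypothetical schema).

Flags customer-side weaknesses: overly permissive sharing, over-scoped or dormant
OAuth grants, and unrotated or ownerless API keys. Added example, not vendor code.
"""
from dataclasses import dataclass
from datetime import date, timedelta

TODAY = date(2025, 6, 1)                 # pinned so the checks are reproducible
KEY_MAX_AGE = timedelta(days=90)         # assumed rotation policy for this example
GRANT_IDLE_LIMIT = timedelta(days=60)    # assumed dormant-grant threshold
# Scopes treated as "broad": assumed labels, not any specific vendor's scope names.
BROAD_SCOPES = {"files.read_all", "mail.read_all", "directory.write", "admin.all"}

# Constructed tenant export in a hypothetical normalised schema (not a real API output).
TENANT = {
    "sharing": {"external_sharing": True, "default_link_access": "anyone_with_link"},
    "oauth_grants": [
        {"app": "Expense Sync", "scopes": ["files.read_all"],
         "last_used": "2025-05-30", "publisher_verified": True},
        {"app": "Old Reporting Tool", "scopes": ["mail.read_all", "directory.write"],
         "last_used": "2024-11-02", "publisher_verified": False},
        {"app": "Calendar Helper", "scopes": ["calendar.read"],
         "last_used": "2025-05-28", "publisher_verified": True},
    ],
    "api_keys": [
        {"id": "key-01", "owner": "payments-team", "created": "2025-04-15", "expires": "2025-07-15"},
        {"id": "key-02", "owner": None, "created": "2024-09-01", "expires": None},
    ],
}


@dataclass(frozen=True)
class Finding:
    severity: str   # "high" or "medium"
    subject: str    # the setting, app or key id the finding is about
    issue: str


def _d(s: str) -> date:
    return date.fromisoformat(s)


def check_sharing(sharing: dict) -> list[Finding]:
    out = []
    if sharing.get("default_link_access") == "anyone_with_link":
        out.append(Finding("high", "default_link_access", "new share links are public by default"))
    if sharing.get("external_sharing"):
        out.append(Finding("medium", "external_sharing", "external sharing enabled tenant-wide"))
    return out


def check_oauth_grants(grants: list[dict], today: date = TODAY) -> list[Finding]:
    out = []
    for g in grants:
        broad = sorted(set(g["scopes"]) & BROAD_SCOPES)
        idle = today - _d(g["last_used"])
        if broad:
            # an unverified publisher holding broad scopes is the worst case
            sev = "high" if not g.get("publisher_verified") else "medium"
            out.append(Finding(sev, g["app"], f"broad scopes granted: {', '.join(broad)}"))
        if idle > GRANT_IDLE_LIMIT:
            out.append(Finding("medium", g["app"], f"grant unused for {idle.days} days"))
    return out


def check_api_keys(keys: list[dict], today: date = TODAY) -> list[Finding]:
    out = []
    for k in keys:
        age = today - _d(k["created"])
        if age > KEY_MAX_AGE:
            out.append(Finding("high", k["id"],
                               f"key is {age.days} days old, past the {KEY_MAX_AGE.days}-day rotation limit"))
        if k.get("expires") is None:
            out.append(Finding("medium", k["id"], "key has no expiry"))
        if not k.get("owner"):
            out.append(Finding("medium", k["id"], "key has no accountable owner"))
    return out


def assess(tenant: dict, today: date = TODAY) -> list[Finding]:
    findings = (check_sharing(tenant["sharing"])
                + check_oauth_grants(tenant["oauth_grants"], today)
                + check_api_keys(tenant["api_keys"], today))
    # highest severity first so the report leads with what to fix
    return sorted(findings, key=lambda f: (f.severity != "high", f.subject))


if __name__ == "__main__":
    for f in assess(TENANT):
        print(f"[{f.severity.upper():6}] {f.subject}: {f.issue}")
```

The point of the example is the ownership of the checks: none of them depend on the vendor’s infrastructure. Every finding is a setting, grant or credential the customer created, and the same checks can be re-run on a schedule after the contract is signed, which is what the ongoing-assessment recommendation further down asks for.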
What This Means for Sourcing & Procurement Leaders:
The average cost of a data breach now stands at USD $4.88 million, and investment in security is lagging behind the swift uptake of SaaS, exacerbating these risks.
These aren’t just technical anecdotes; they are critical lessons for how you approach vendor selection and management. The comfortable notion of simply outsourcing security with your SaaS subscriptions is a dangerous fallacy. As leaders in sourcing and procurement, you must:
- Demand Deeper Transparency: Go beyond the marketing jargon and security certifications. Ask probing questions about the vendor’s shared responsibility model, incident response plans, and specific security controls relevant to the FSI sector.
- Integrate Security Rigorously into Vendor Evaluation: Security can no longer be a secondary consideration. It needs to be a heavily weighted factor in your RFPs and vendor scoring, alongside cost and functionality.
- Negotiate Clear Security Terms: Ensure your contracts explicitly define the security responsibilities of both parties, including data breach notification protocols and liability.
- Champion Cross-Functional Collaboration: Forge strong partnerships with your CISO and application teams. Understand their security requirements and ensure your vendor selections align with those needs.
- Prioritize Ongoing Security Assessments: Your due diligence doesn’t end with the contract signing. Implement processes for regular security reviews and audits of your SaaS vendors and your own configurations.
The digital landscape of the FSI sector is increasingly reliant on SaaS. By acknowledging the shared responsibility of SaaS security and learning from the realities of recent breaches, Sourcing and Procurement leaders can move beyond simply acquiring solutions to strategically building a secure and resilient digital future for their organizations. The time for complacency is over; informed action is now paramount.



