Keep a Close Eye on Cloud Treasury Offerings

October 30, 2015
Despite their defensive strengths, using SaaS offerings requires extra attention and action.

Companies and their treasury departments are increasingly using third-party software-as-a-service (SaaS) providers to store, analyze and manipulate some of their most sensitive data. The question is, is this a cybersecurity threat just waiting to happen?

Cybersecurity has been a topic at recent NeuGroup treasury executive meetings, and understandably so, given the rapid increase in cyber-attacks and breaches at many of the US’s largest companies.

“More and more we feel we’re less dependent on our in-house solutions and more on third-parties,” noted a treasurer of a major retailer at a recent NeuGroup Treasurers’ Group of Thirty (T30) meeting. He then asked a panel of three cybersecurity experts at that meeting: “How do you feel about that?”

The panel members, who included experts from Marsh, PwC and Deutsche Bank, generally agreed that SaaS providers tend to have stronger defenses against cyber-attacks than most corporates, and larger ones tend to be better fortified than smaller upstarts. Nevertheless, companies must do their due diligence.

Panelists said the first steps include ensuring the SaaS provider has the proper attestations, such as the American Institute of Certified Public Accountants’ service organization controls (SOC) reports, which are accounting standards measuring an organization’s control of financial information. It is also key to inquire about the provider’s business continuity plan and how the provider protects its customers in the event its system is breached.

Todd Waskelis, vice president for security consulting at AT&T Security Solutions, said companies must assess the criticality of data they plan to outsource to third parties, then ensure that the third party has the proper controls and can continually validate those controls are functioning.

“A lot of SaaS providers are getting much better at security, given their scale and the investment they can make,” Mr. Waskelis said.

In addition to data storage worries is the issue of connectivity. Data can also be hijacked in transit between the company and its third-party provider, so for “crown jewel” data it may be wise to install a dedicated data-transfer pipe between the two parties. Mr. Waskelis noted that AT&T’s NetBond establishes a dedicated connection between the SaaS provider and the company’s network as well as its employees’ mobile devices.

A T30 participant noted that banks seek to minimize liability stemming from cyber breaches in their contracts with corporate customers. SaaS customers must make sure their providers accept significant liability, Mr. Waskelis said. He noted that in the credit card industry, for example, third-party providers holding their corporate customers’ credit-card-holder data are contractually obligated to make sure the customer is complying with industry standards.

“It’s critical for companies to have language like that in their contracts and agreements with SaaS providers,” he said.

Reval, a SaaS provider of treasury and risk management services, has SSAE16 SOC1 and SOC2 reports under its belt (frameworks for service organization reporting; SOC means “service organization control”). The company takes numerous steps to ensure the security of customer data, such as enabling clients to set company-specific security levels and controls, and it uses industry-standard cryptographic protocols for all internet-based communication.

In addition, Reval provides Security Assertion Markup Language (SAML) support, which enables single sign-on to further control connections to the site, and, for payments, dual-factor authentication. Reval constantly monitors all aspects of the application and data to protect client data, using tools including anti-virus, anti-malware and intrusion prevention software, and it monitors firewall, router and switch activity.

Phil Pettinato, chief technology officer at Reval, noted that his company must “comply with the aggregate” of the security requirements of all its customers, including some of the largest technology companies that, in some cases, specialize in security services.

“This economy of scale helps all of our clients,” Mr. Pettinato said, adding that clients no longer have to house their data on their own servers, reducing the risk of a breach from outside or problems occurring inside their firewalls.

AT&T’s first Cybersecurity Insights Report, published earlier this month, echoes other recent studies on cybersecurity in describing an ever-intensifying cyber threat environment with insufficient defensive action taken by corporates and other organizations. For example, 75 percent of businesses do not involve their full board of directors in cybersecurity oversight, and approximately half of organizations are not re-evaluating their information security as a result of high-visibility data breaches. In addition, 78 percent of employees do not follow the security policies set forth by their employer.

Meanwhile, AT&T has seen a 62 percent increase over the last two years in the number of Distributed Denial of Service (DDoS) attacks, which aim to bring down companies’ networks and websites. And the number of times hackers have searched for vulnerabilities in internet-of-things networks has increased 458 percent.
