      BLOG
      Is SaaS Secure?
      6th May 2025

      A recent open letter from Patrick Odet, CISO of JP Morgan, urges SaaS software providers to do more to secure their systems. He suggests that competition is forcing vendors to prioritize functionality over security and that the result is a “quiet enablement of cyber attackers.”

      Odet brings up a very important point as so many industries, insurance included, head into a digital technology world underpinned by cloud-based solutions and solution providers. An insurer’s future security is “inextricably linked” to its supply chain, which includes partnerships with software and cloud providers. Cyber criminals have begun to target SaaS vendors as a point of entry for stealing data. A SaaS vendor has multiple clients, so a breach at the vendor level can provide a vast network of unsuspecting victims. It is imperative that an insurer or other FI trusts its software vendors, but can it? Are the vendors doing all that they can and should do to protect their clients? Or are they, as Odet suggests, rushing features instead of prioritizing security?

      SaaS has become the deployment method of choice for many FIs. Unlike traditional software deployments, where data resided within an organization's own data centers and servers, SaaS deployments mean that the FI must trust sensitive information to third parties. This means there is a shared responsibility for security, moving beyond a purely transactional relationship to a true partnership built on trust and transparency.

      SaaS deployments have changed how procurement looks at buying software. Today there is, or should be, rigorous security vetting, comprehensive due diligence, and ongoing monitoring. Celent’s recently published reports, SaaS Longevity for Life Insurance and SaaS Longevity for PC Insurance, provide a roadmap for an insurer or other FI to follow when evaluating a SaaS provider. They discuss how the technology and security teams at an insurer must review how every vendor entrusted with their data (and their customers’ data) follows stringent security and privacy standards, and how the vendor responds to data breaches, which sadly are no longer a question of if they happen but when they happen. Software purchases now include detailed security questionnaires, reviews of penetration testing results, and continuous monitoring.

      The reality is that insurers and FIs cannot escape the interconnectedness of today’s technology landscape, and all must understand that it is a two-sided relationship. Vendors must build secure products and deliver secure channels for data exchange that include security features, transparent communication, and proactive vulnerability management. Insurers must focus on ensuring that all integrations are secure and that the development tools and frameworks used to build and connect applications are safe and compliant. Security should be part of the product from the beginning, during the implementation, and on an ongoing basis as the solution is used.

      JP Morgan’s CISO is not wrong that there are increased risks related to SaaS solutions. Insurers and vendors must learn to work together to protect against the risks of today and tomorrow, especially as AI evolves.

      Author
      Karen Monks
      Research & Advisory
      Details
      Geographic Focus
      Asia-Pacific, EMEA, LATAM, North America
      Horizontal Topics
      Cloud, Risk: Cybersecurity, Identity and Trust, Risk: Financial Services Risk, Risk: Governance, Risk and Compliance (GRC)
      Industry
      Life Insurance, Property & Casualty Insurance, Retail Banking