Financial institutions have long understood the importance of third-party risk management. Vendor due diligence, contract reviews, and ongoing monitoring are well-established practices; however, a new challenge is quietly expanding the risk landscape: SaaS sprawl.
You may be asking yourself, "What is SaaS sprawl?" SaaS sprawl refers to the rapid growth of cloud-based applications used across an organization, many of which operate outside the visibility of IT and Information Security teams. These tools may be inexpensive, easy to deploy, and highly specialized, but they can also increase risk.
The marketing department adopting new analytics platforms, the HR department leveraging recruiting tools, or the accounting department implementing reporting software are all common examples. In many cases, these applications are onboarded with minimal or no security review.
SaaS providers and products often store or process sensitive customer information, integrate directly with internal systems, and sometimes require a user's credentials or access to corporate email platforms. Without proper oversight, this can lead to unauthorized data sharing, an increased attack surface, and potential regulatory exposure.
At the heart of SaaS sprawl is "Shadow IT": technology solutions implemented outside of a formal approval process. While often well-intentioned, Shadow IT bypasses critical controls such as security due diligence, data classification reviews, and contractual safeguards. This creates a situation where institutions may not even be aware of all the third parties handling their data.
In short, SaaS sprawl can undermine even the most mature third-party risk management programs.
Addressing SaaS sprawl does not mean slowing down the business; rather, it requires evolving your approach to third-party risk management. Below are the recommended steps:
Ultimately, managing SaaS sprawl is not just a technical challenge; it's a cultural one. Financial institutions must promote a shared understanding that security is every employee's responsibility, not solely the responsibility of IT or Information Security.
By improving visibility, reinforcing governance, and promoting collaboration between asset owners and security teams, financial institutions can strike the right balance between innovation and efficiency on one side and risk management on the other.
SaaS solutions are here to stay, and more become available each day; financial institutions are learning that they bring undeniable benefits. This means the right controls must be in place to address the risks these products can quietly introduce. Now is the time for financial institutions to upgrade their third-party risk practices to match the pace of today's technology landscape.