Chief financial officers (CFOs) are often the most conservative members of the C-suite when it comes to adopting new technology. It's no surprise that finance executives of large companies aren't scrambling to adopt cloud-based financial applications even while their senior-level counterparts experiment with Software as a Service (SaaS).
Because SaaS financial management software transfers sensitive financial information from a private local data center to public remote servers, CFOs are carefully weighing the potential time- and money-saving benefits against concerns about data privacy and security.
To address data privacy worries, SearchFinancialApplications.com compiled a list of six questions that CFOs can ask SaaS financial software providers before choosing between on-premises and cloud deployment.
1. Who owns the data?
A good place to start is to review the SaaS contract's data ownership clause. Jeanne Capachin, research vice president at IDC Financial Insights, based in Framingham, Mass., said CFOs should make sure the contract explicitly names their company as the owner.
She cautioned that contracts with SaaS financial management vendors tend to be more rigid than those of traditional on-premises vendors, so decision makers should review the terms carefully. "These contracts are very difficult to adjust, so people that are coming from large companies and are used to having aggressive tactics with their vendors -- that's much more difficult with cloud vendors," Capachin said. "Don't expect to be able to make a lot of changes to the contract."
2. How is the data segregated?
With public servers, many CFOs fret that private data could be intermingled with that of other customers. French Caldwell, a vice president at Stamford, Conn.-based research firm Gartner Inc., pointed out that more parties may be involved than customers are aware of. "Many vendors offer SaaS solutions, but they in turn contract out to other cloud providers to provide the data services, so you've got an additional third party in there."
Capachin recommends inquiring about segregation standards. "Information is not segregated physically, so customers need to make sure the vendor has good practices in place to make sure there's no way that information can be shared outside the customer," she said.
If assurances from the vendor are not sufficient, Capachin said companies can often ask that their data be segregated for an additional fee. "In some cases they can request that the vendor run a separate instance of the software. That can be a fallback plan."
3. Does the SaaS vendor have the necessary certifications for my industry?
Another critical step is to ensure that the SaaS financial management vendor conforms to the privacy requirements of the buyer's own industry.
Charlie Burns, vice president of Westport, Conn., consultancy Saugatuck Technology Inc., described two common approaches SaaS vendors take to compliance with standards such as the Health Insurance Portability and Accountability Act (HIPAA). Some will describe the steps they take to ensure privacy, ultimately leaving it to the prospective purchaser to judge whether those steps are adequate.
Other vendors proactively seek certification from a third party so they can advertise that they are compliant. This is the more desirable choice, according to Burns. "I get the certification as the vendor, so I can tell you 'I did it,' and you can go home and sleep at night," he said.
No matter the industry, Caldwell said that a SOC 2 privacy audit can increase confidence in a vendor.
4. What is the training program for your data center staff?
Capachin said the vendor's training regime can provide clues to what it is doing to prevent breaches. In most industries, on-the-job training is more valuable than reading manuals. Similarly, Capachin recounted one SaaS vendor that uses a "scenario-based" training program, where employees are taught to recognize potential threats during "real-life" enactments.
However, the staff generally shouldn't be a cause for concern with larger SaaS vendors. As Burns put it, "They don't hire slouches, because they can't afford to."
5. What happens after the contract term is up?
Capachin said vendors should provide details about the lifecycle of the data and its security at each stage. How well data is protected in transit, where backups are kept, and how data is eradicated after a retention period are all essential factors in its overall security.
It's also a good idea to ask what happens after the contract term has ended. "At the end of the relationship what happens to the data?" Capachin asked. "Make sure that the vendor has good policies in place to return it to you and wipe the data clean from their devices."
6. What happens if there is a security breach?
The most unpleasant question on the list is also the most important. Caldwell said that assessing the degree of vendor liability in the event of a breach is paramount.
"If there is a breach, can they respond quickly to remedy the problem? Do they have the appropriate notifications in place? Will the vendor take liability -- will they be liable for the cost of reputational damage?"
Checking whether the vendor encrypts the data is key, Caldwell said. That way, even if the data were breached, it would be unusable.
Data privacy worries are overblown, analysts say
While these questions should help to assuage fears, some analysts say data privacy worries are unfounded to begin with.
"You might have a more secure environment with a public cloud than you do with your internal data center," Burns said. "This isn't as scary as you might think."
Capachin agreed. "There are certainly some data privacy and security issues, but it's not a huge revolution -- more of an evolution."
Burns also said that SaaS financial management vendors might be the better option when a security breach occurs. "Using a cloud provider may in fact give you a valid disaster backup plan, because they have tested the fact that the data replicates in different locations and can be accessed. This may be something that your internal data center never did."
Because there are no universal privacy standards for SaaS financial management vendors, Caldwell said that at the end of the day finance executives have to decide for themselves what they consider to be acceptable proof of security. "There's no blanket statement that a vendor has the blessing of the U.S. privacy authority, because there is no such thing."