The risk of fragmented oversight in delegated authority models in insurance makes working with trusted insurance software providers more pivotal than ever. 

As cloud-based solutions become deeply embedded in the operations of modern insurance providers, ensuring strong security practices has never been more critical or more complex.  With increasing decentralisation and reliance on third-party Software-as-a-Service, many organisations face unseen vulnerabilities that traditional oversight models can’t adequately address.

Cloud Security Alliance’s 2025-2026 State of SaaS Security Report

The Cloud Security Alliance’s 2025-2026 State of SaaS Security report paints a clear picture: while investment in SaaS security is on the rise, real maturity is lagging. 

Although confidence is high, many organisations are operating in the dark.

6 key SaaS security trends from the CSA report:

  • SaaS security is a top priority - 86% of organisations surveyed view SaaS security as a high priority and 76% have increased their budgets.
  • Sensitive data remains at risk - 63% of organisations report external oversharing and 56% say data is uploaded to unsanctioned third-party services.
  • Security teams are being bypassed - 55% of employees adopt SaaS without involving security or IT.
  • Human identity management is inconsistent - Automation is lacking for provisioning and offboarding.
  • Non-human identities like APIs and AI tools are blind spots - 46% of organisations struggle to monitor non-human identities and 56% are concerned about over-privileged API access.
  • Overconfidence masks capability gaps - Many rely on vendor-native tools, manual audits and fragmented strategies.

You can access the full report on the CSA website.

Fragmented oversight is a growing insurance software security risk

One of the most urgent takeaways from the report is the rise of decentralised SaaS adoption and fragmented oversight. More than half of organisations surveyed reported that SaaS tools are adopted and managed outside of security and IT teams. 

In any industry, this introduces risk. 

But in the highly regulated insurance industry, where entities operate across increasingly distributed value chains, the implications are even more serious.

Delegated authority has reshaped how insurance software is adopted

Delegated authority has become the dominant operating model in insurance. Policies are underwritten by one entity, sold by another and administered by a third. MGAs, schemes, and embedded distribution partners like retailers or banks are now core players in the value chain. 

A graphic depicting delegated authority and the insurance value chain

Each participant relies on insurance software to deliver digital customer experiences, manage policies, process claims and maintain compliance. Most of that software is cloud-based SaaS.

As reliance on SaaS grows, so does the security risk surface area.

Whether it’s CRM systems, policy administration software, cloud-based claims platforms or custom underwriting tools, when insurance software is adopted without central oversight or managed in isolation, the result is a fragmented security environment where:

  • No single party has end-to-end visibility
  • Security policies are inconsistently applied
  • Privileged access can go unchecked
  • Sensitive customer data is exposed to unnecessary risk

Insurance regulation demands clarity and control

This isn’t just a technical or operational concern - it’s a regulatory one. 

In the UK, the FCA’s guidance on outsourcing to the cloud is explicit: accountability for data protection and security when outsourcing cannot be delegated. 

Similarly, South Africa’s Joint Standard on Cybersecurity and Cyber Resilience places the responsibility on regulated financial entities to ensure that all third-party IT services, including insurance software provided as SaaS, meet strict security and resilience standards.

Where delegated authority exists, this means that each party in the insurance value chain is responsible for the insurance software and other SaaS tools they use to operate - creating a complex web of accountability, and leaving little room for assumptions.

Trusted insurance software providers

Meeting regulatory obligations and protecting customer data in a decentralised value chain requires more than strong internal processes; it demands trusted insurance software partners who:

  • Enable shared visibility over systems and controls across stakeholders, from insurers to MGAs to embedded partners.
  • Design for centralised oversight and provide role-based access control.
  • Are transparent about their security and privacy practices, controls, and monitoring.
  • Support compliance and reporting, making it easier for regulated entities to prove control.

Because trust in insurance depends on trust in the software insurance is built on.