The days of having IT systems running on your own computer hardware, in a closet at the office are a thing of the past. Almost everyone has cloud-based IT vendors running some portion of their IT stack including their websites, email, CRM system, accounting systems, etc. That said, just because these IT companies are licensing you access to their software applications, you still own the data/information inside the system. Being the data owner brings legal responsibility in the event of a cyber breach, particularly when PII (Personal Identifiable Information) is compromised.
What do you do if your SAAS (Software As A Service) provider has a breach? Here is a good guide on how to approach this challenge, written by Corvus a leading provider of cyber insurance.