SAP Announces It Is Addressing Cyber Security Gaps in Multiple Cloud Solutions

Approximately 40,000 Customers Impacted

by Robert Holland, VP Research and Publishing, SAPinsider

On May 4, SAP announced that, while performing regular internal reviews of the company’s cyber security infrastructure, they discovered several of the company’s cloud products “do not meet one or several contractually agreed or statutory IT security standards.” SAP stated that the products impacted were part of previous acquisitions, specifically SAP SuccessFactors, SAP Concur, SAP Commissions (previously CallidusCloud Commissions), and SAP CPQ (previously CallidusCloud CPQ). However, SAP’s statement also indicated that SAP C4C/Sales Cloud, SAP Cloud Platform, and SAP Analytics Cloud were affected, possibly indicating a larger underlying infrastructure concern.

In the official announcement, SAP emphasized that these issues were “not identified in response to a security incident” and that they “do not believe that any customer data has been compromised as a result of these issues.” In addition, SAP expects that correction of the issues will “largely be completed” during the second quarter of 2020, and that any related costs will be covered within their current financial outlook for the 2020 fiscal year. SAP also plans on updating their security-related terms and conditions so they are consistent with other enterprise cloud organizations.

SAP’s statement indicated that they would be reaching out individually to any affected customers to inform them of the issues and support them while those issues are being addressed. Those impacted represent “approximately 9 percent of SAP’s 440,000 customers,” according to the company’s announcement. While not a huge number compared to SAP’s overall customer base, this number likely represents a significant proportion of those customers running the impacted products.

What Does This Mean for the SAPinsider Community?

While waiting to hear from SAP whether they are impacted by these cyber security gaps, SAPinsiders should use this time to reflect on their own cyber security strategy. Here are some steps that can benefit your organization:

  • See if you are impacted. SAP has stated that they will be reaching out individually to customers who are affected. If you are, ensure that the information is passed quickly to your SAP administrators, who can work closely with your SAP support and customer success representatives to provide you with all the information and assistance that you need.
  • Review your enterprise security strategy. If you are using cloud-based systems, this announcement is a reminder that you must regularly check your own security plans and strategies and ensure that they are up to date and fully compliant.
  • Hear what other SAPinsiders are planning for their security strategy. SAPinsider is hosting a webinar on May 6 discussing the results of our March benchmark report on the Impact of the Cloud and SAP HANA on Enterprise Security Strategy. This is a great opportunity to hear what other SAPinsiders are planning, and what can help you be successful.
  • Attend other security-focused sessions. SAPinsider is launching a virtual event starting May 5 which includes sessions that are focused on security. This event includes interactive Q&A sessions during the week of May 11. Make sure that you don’t miss out.

Following this guidance should help the SAPinsider Community make appropriate decisions around their cloud and enterprise security plans.

Robert Holland, Vice President of Research & Publishing, SAPinsider, can be reached at robert.holland@wispubs.com.