Data Center Vendors – a View at Risk Management
What are some of the key risks for data center vendors
Security
Digital and physical security risks have been listed among the top 5 data center security risks for 2023. As defences against digital attacks have improved, physical attacks that target the operational side of data centers have grown significantly. Attackers now find ways to disrupt critical supplies to the data centre through physical intrusion, unauthorised access and social engineering, often involving employees or contractors of the data center. Other significant risks that plague data centers include disruption to the power supply, power-related issues causing surges, and reliance on back-up generators (especially in South Africa, with its continued power cuts).
Digital security risks such as cyber-attacks are a major part of data centers' security concerns, but so are overstretched cybersecurity personnel: these security teams are often understaffed and prone to burnout.
Data Privacy
With data protection and privacy legislation becoming more prevalent around the world, compliance with such legislation has become a major consideration for data center vendors. Data centres now need to implement more robust data privacy and protection policies and procedures to safeguard customer data. Data breaches are a major concern for vendors because they can result in the loss, theft, or destruction of customer data. This can cause significant financial and reputational damage, making it the biggest risk for a data center.
Vendors and their supply chain must comply with any data privacy laws and security standards that apply to them. Because data centers provide cloud-based services to customers across the globe, complying with the data privacy legislation of various jurisdictions becomes a compliance nightmare unless proper data privacy procedures and compliance guidelines are in place. A global data privacy compliance map is a useful tool to assist with compliance.
If vendors use third parties in their supply chain, they should conduct an in-depth data compliance due diligence on the supplier to establish their level of compliance. Having template supplier data privacy compliance questionnaires is one way to simplify the vetting process. Vendors should also ensure that third-party suppliers only have access to data that is absolutely critical to the services they provide in order to reduce the risk of data breaches.
Operational
Vendors should be aware of the day-to-day operational risks. Important factors to consider are:
- loss of power;
- maintenance;
- hardware or software malfunctions;
- software updates; and
- employees/contractors.
If these factors result in the vendor suffering system downtime, it will have a direct knock-on effect on customers who rely on the vendor for access to their data. This could lead to reputational and financial damage for the vendor. Appropriate procedures, policies and contractual arrangements can effectively manage operational risks.
Compliance
There is a general principle in law that data is governed by the laws of the jurisdiction where it resides. However, vendors also need to take into account the laws and regulations of the different jurisdictions and industries of their customers when contracting with them.
To mitigate legal risks, vendors will be obligated to maintain a full compliance risk model. The following are some of the main compliance risks that vendors should be aware of:
- Customer terms:
  - service levels: Customers will be able to hold the vendor accountable should the vendor fail to provide services that meet the specified service levels.
  - scalability: Scalability is important as it provides flexibility to the customer to dynamically upscale or downscale the level of services provided by the vendor based on the customer’s business needs. However, vendors may want to carefully manage customers’ ability to downscale services in order to manage projected revenue streams.
  - disaster recovery: Vendors should implement contingency plans as part of their disaster recovery protocols. It is advisable that, as a minimum, vendors do not merely store their customers’ data on one server but rather back up the data on another server at a different data centre site.
- Procurement (subcontractors and reliance on third parties):
  - vendors face several procurement risks, including cybersecurity risks, quality-assurance issues, and supply-chain risks. Supply-chain risk needs to be carefully managed by vendors to avoid failure in the supply chain. Proper supply contracts and supplier due diligence are a critical part of a vendor’s risk management.
  - if a vendor procures software or hardware from third parties, it has to ensure that such products adhere to the quality standards and specifications prescribed by the vendor.
  - if third parties in the vendor’s supply chain have access to the vendor’s customers’ data or systems, this vastly increases cybersecurity concerns. The vendor will be required to ensure that sound security safeguards are established to protect its customers’ data throughout the supply chain. This could be achieved through proper contracting and data privacy protocols and policies.
- Industry-specific regulations:
  - various industry-specific directives will affect vendors’ contractual arrangements with customers in these industries. Vendors will need to understand and adhere to the requirements of these directives in order to contract with any organisation in these regulated industries. This includes the following directives:
    - the South African Reserve Bank’s directive on cloud computing and data off-shoring;
    - the Financial Services Board’s directive on outsourcing; and
    - the Minister for Public Service and Administration’s Public Service Cloud Computing Determination and Directive.
- Customers’ audit rights:
  - some customers may insist that vendors include an audit right allowing the customer to audit the vendor’s systems and facilities to verify that their data and applications are being adequately safeguarded. Vendors should require customers to proactively inform them of any industry-specific audit requirements that may apply.
  - vendors may be required to establish and maintain documentation that tracks their compliance with their contractual, regulatory, and legal obligations.
  - if vendors need to transfer any data or provide access to data or systems during an audit, they will need to ensure that they have developed security protocols to facilitate secure data transfers and to prevent unauthorised access to their systems.
Environmental
Because data centres consume large volumes of electricity, it is imperative that vendors implement energy-sustainable solutions whilst optimising their energy usage. Data centres will also need to be designed to withstand natural disasters such as floods or fires. In the event that a data centre is destroyed or otherwise rendered inoperable, vendors should have fault-tolerance solutions in place.
Conclusion
In order to navigate the legal minefield of compliance obligations and risk, vendors should implement ongoing data center risk analysis and assessments and ensure they have a proper risk compliance and management plan in place. Not only will vendors need to ensure that they have developed risk-mitigation solutions, but they will also need to make sure that they have sufficient contingency plans in place.