ENS
  May 11, 2023 - South Africa

Data Center Vendors – a View at Risk Management
  by ENSafrica

With cloud technology becoming increasingly important, data centres provide services critical to many businesses. Given the strategic value of data center to digital transformation, it is essential that data center vendors have a clear plan to manage the risks they face.

What are some of the key risks for data center vendors

Security

Digital and physical security risks have been listed as the top 5 data center security risks for 2023. With increased efforts to combat digital security, physical attacks that target the operational side of data centers have grown significantly. Attackers now find ways to disrupt critical supplies to the data centre through physical intrusion, unauthorised access and social engineering, often involving employees or contractors of the data center. Other significant risks that plague data centers include disruption to power supply, power-related issues causing surges, or reliance on back-up generators (especially in South Africa with continued power cuts).

Digital security risks such as cyber-attacks are a major part of data centers security concern, but so is overstretched cybersecurity personnel. These security teams are often overstretched and prone to burnout.

Data Privacy

With data protection and privacy legislation becoming more prevalent around the world, compliance with data privacy legislation has become a major compliance consideration for data center vendors. Data centres now need to implement more robust data privacy and protection policies and procedures to safeguard customer data. Data breaches are a major concern for vendors because they can result in the loss, theft, or destruction of customer data. This can cause significant financial and reputational damage, making it the biggest risk for a data center.

Vendors and their supply chain must comply with any data privacy laws and security standards that may apply to them. With data centers providing cloud-based services to customers across the globe, without proper data privacy procedures and compliance guidelines in place, complying with various jurisdictions’ data privacy legislation becomes a compliance nightmare. Having a global data privacy compliance map is a great tool to assist with compliance.

If vendors use third parties in their supply chain, they should conduct an in-depth data compliance due diligence on the supplier to establish their level of compliance. Having template supplier data privacy compliance questionnaires is one way to simplify the vetting process. Vendors should also ensure that third-party suppliers only have access to data that is absolutely critical to the services they provide in order to reduce the risk of data breaches.

Operational

Vendors should be aware of the day-to-day operational risks. Important factors to consider are:

If these factors result in the vendor suffering system downtime, it will have a direct knock-on effect on customers who rely on the vendor for access to their data. This could lead to reputational and financial damage for the Vendor. Appropriate procedures and policies and contractual arrangements could effectively manage operational risks.

Compliance

There is a general principle in law that data is governed by the laws of the jurisdiction where it resides. However, need to take into account the laws and regulations of different jurisdictions and industries when contracting with their customers.

To mitigate any legal risks, vendors will be obligated to ensure that they have a full compliance risk model to combat any compliance risk. The following are some of the main compliance risks that vendors should be aware of:

Environmental

Data  centres consume large volumes of electricity, it is imperative that vendors implement energy-sustainable solutions whilst optimising their energy usage. Data centres will also need to be designed to withstand various natural disasters, such as floods or fires. In the event that a data centre is destroyed or otherwise rendered inoperable, vendors should have fault-tolerance solutions in place.

Conclusion

In order to navigate the legal minefield of compliance obligations and risk, vendors should implement on-going data center risk analysis and assessments and ensure they have a proper risk compliance and management plan in place. Not only will vendors need to ensure that they have developed risk-mitigation solutions, but they will also need to make sure that they have sufficient contingency plans in place.