By Bruce Sussman
Fri | May 8, 2020 | 5:30 AM PDT

It is big cybersecurity news coming from a tiny update to the U.S. Securities and Exchange Commission.

Enterprise software giant SAP admits that many of its products do not meet accepted cybersecurity standards—or the security it promised to customers.

What is SAP saying about cybersecurity problems?

The company explains the cybersecurity issue in just two sentences from its Form K-6 report to the SEC:

"SAP continuously reviews and optimizes its cybersecurity infrastructure. The company has identified that some of its cloud products do not meet one or several contractually agreed or statutory IT security standards at present."

What does a statement like this mean? 

SecureWorld asked cyber attorney Jordan Fischer of XPAN Law for insight.

"The way the announcement is written, it appears that there are two areas of potential non-compliance. The first is in the technical controls used within certain of its cloud-based services. The second is the actual agreements in place.

Basically, this announcement is vague, and with the broad application and interpretation of many security and privacy regulations, it is hard to know definitively without more information."

However, SAP does tell us which products are impacted.

Which SAP software applications have cybersecurity issues?

SAP identifies the following products as currently on the "do not meet" IT security standards list. It is quite the line-up of cloud applications:

  • SAP SuccessFactors
  • SAP Concur
  • SAP/CallidusCloud Commissions
  • SAP/CallidusCloud CPQ
  • SAP C4C/Sales Cloud
  • SAP Cloud Platform
  • SAP Analytics Cloud

How many SAP customers are impacted by this cybersecurity issue?

SAP says about 9% of its global customer base is impacted here, which is approximately 40,000 organizations.

It also makes an important clarification, especially for the cybersecurity community:

"These findings were not identified in response to a security incident. As SAP continues with its review, it does not believe that any customer data has been compromised as a result of these issues.

In an effort to ensure that the affected products meet relevant terms and conditions and in addition to technical remediation, SAP has decided to update its security-related terms and conditions. These remain in line with market peers."

Why would SAP update its terms and conditions around cybersecurity? Fischer explains some of the possibilities here:

"The challenge in the cyber and privacy law space is that every day it feels like the law is changing or evolving, especially in the current environment. So, what it means to be 'compliant' is somewhat of a moving target. And if the terms were not drafted with that flexibility in mind, then it could be more of a technical change. 

However, it could also mean a narrowing, or I would prefer 'tightening,' of some of their terms to mitigate risk that may have been discovered or illuminated by recent court decisions and laws. And that could result in a 'narrowing' of the promises to customers. 

Ultimately, this is not a surprising development since, again, the law is evolving so rapidly in this area, both from a regulatory perspective and from cases.

We see more opportunities for lawsuits in the privacy and security context that are providing businesses with increased risks and liabilities that are now being addressed head-on by companies."

What is SAP doing to fix the cybersecurity issues?

In its filing with the Securities and Exchange Commission, SAP addressed next steps:

"...SAP has initiated remediation of the identified areas of shortcomings against contractually agreed or statutory standards and will proceed expeditiously. Remediation will largely be completed in the second quarter 2020."

And how much will this remediation cost? That's a great question, and SAP may not even know. However, it did say this:

"The expenses related to the remediation are expected to be covered within the range of SAP's current 2020 financial outlook."

Read SAP's K-6 filing for yourself if you're interested.