RISK MANAGEMENT: PROTECTING YOUR DATA IN MULTI-TENANT CLOUD ENVIRONMENTS
Seprio’s 2025 Summer Series to date has focused on the substantial risk associated with moving into the rapidly growing technology of AI and what contractually you should watch for. Rest assured, AI is not something to be feared; however, it comes with risks that should be understood and recognized.
Outside of the world of AI, there are many important aspects of technology agreements (stated or, even worse, silent) that require thorough review and understanding, and it is part of Seprio’s role to highlight areas of risk so that Clients are educated and make informed decisions. Let’s dig a little deeper into another area of risk.
Multi-Tenant Apartments
Lead Consultant
We’re seeing the need for additional risk management in cloud solutions, especially as many of the migrations are in multi-tenant environments (environments that are shared by multiple users). It’s like an apartment complex where each user keeps their data in their apartment, but the apartment is in the same building as the others with all of the same maintenance and rules.
These cloud suppliers are supporting numerous companies from the same cloud environments. Therefore, it’s not practical to expect those suppliers to contract unique terms and conditions for each of their customers. Thus, the need to focus on “managing” risk becomes increasingly important, rather than relying largely on contractual protections.
One key question that must be addressed is this: are you sure your data is being protected when it’s in an environment shared with numerous other users? These solutions hold your data, often including protected personal data of your individual customers (most importantly, any personal “protected information” such as PII, PCI or PHI). These suppliers may claim that your data is safe in your apartment, but how can you be sure that remains true? And what happens in the event your apartment door gets left open or there’s a break-in?
Monitoring and Managing the Risk
The answer to that question is that you will likely require the development and implementation of a comprehensive, robust cybersecurity framework to manage your company’s Governance, Risk Management and Compliance (“GRC”) requirements.
In addition to developing your company-wide GRC processes, and, as a part of the GRC framework, your data security protocols, your team will likely want to acquire an enterprise-wide GRC tool, or set of tools, to facilitate managing the overall process and to house the enterprise-wide security and risk management information that your team will need to collect. This is not to suggest the GRC tool needs to be high tech from the start – many companies begin with a spreadsheet and a person to oversee the key aspects defined as critical to their organization, like the data security requirements listed below. Once the spreadsheet approach becomes too burdensome to manually oversee, organizations will typically look for a technology solution to help.
Finding the Secure Fit
Managing the risk of technology suppliers starts when you select the supplier. The selection process, preferably a competitive one, will require the company’s GRC framework to be in place to find the “right” supplier. Without your GRC framework, you won’t be able to ensure that their security protocols, processes, and systems support your company’s evolving data security needs. If the supplier doesn’t have the proper security protocols and disclaims liability for any security breaches, your company can be damaged reputationally and financially.
You can’t be sure it’s the right supplier if you’re not asking the right questions. Here’s a short (and potentially incomplete) list of what your GRC framework’s data security vetting process should include:
· Review their latest 1-2 years of SOC 2 reports
· Review any other data security audit reports they have done
· Require proof of supplier’s satisfactory resolution of any security issues identified in those SOC 2 or audit reports
· Request any annual penetration testing results performed by an independent third party
· Evaluate supplier’s notification process in the event of security breach
· Ask if any security breaches have occurred over the last 3-5 years
The responses to this vetting process should be considered when selecting a supplier, and you should understand what the specific, written commitments are for the security protections the supplier will deploy to minimize data security risk. There should also be a clear understanding of the supplier’s commitments regarding potential liability or special obligations assumed in the event of a security breach.
Finally, after the supplier is selected (specifically, a strategic supplier), there should be ongoing, direct engagement of your executive leadership, including periodic joint executive-level reviews (typically quarterly) of the supplier’s performance. These reviews should include a discussion of any supplier data security issues or concerns, as well as any data security changes the supplier may be contemplating, to ensure they all remain compliant, to the greatest extent possible, with your company’s cybersecurity requirements.
Long Story Short
Seprio, in our role of advising and making sure our Clients are making educated and informed decisions, prioritizes education of why understanding, acknowledging, mitigating (where possible), and managing the risk that comes with supplier agreements is so important.
In the 2025 Seprio Summer Series so far, we have discussed what risk exists with AI suppliers and we’re seeing those risks come to light in new ways almost daily. This isn’t to say that the risk outweighs the benefits – we're saying that ignoring the risk could cause issues that would outweigh the benefits. This is true for cloud solutions and all other agreements. Risk exists because neither party can be fully protected, and as technology continues to evolve at the exponential rate we’re seeing, suppliers are gaining more control than ever.
Instead of burying your head in the sand when you can’t change the terms and conditions or walk away from the supplier, we’re giving you another option: When you can’t fully mitigate the risk, manage it.
Please join us as we continue this journey in future articles discussing other critical elements you should consider in achieving a best-in-class Supplier Governance Operating Model.
Please join us in two weeks as the 2025 Seprio Summer Series continues with a discussion on another key aspect of Supplier Governance: Contract Management.