German software giant SAP/Callidus has identified that some of its cloud products do not meet one or several contractually agreed or statutory IT security standards at present. Specifically, the affected products are limited to the acquired entity products SAP Success Factors, SAP Concur, SAP/CallidusCloud Commissions, SAP/Callidus Cloud CPQ; as well as SAP C4C/Sales Cloud, SAP Cloud Platform and SAP Analytics Cloud.
These findings were not identified in response to a security incident. As SAP continues with its review, it does not believe that any customer data has been compromised as a result of these issues. In an effort to ensure that the affected products meet relevant terms and conditions and in addition to technical remediation, SAP has decided to update its security-related terms and conditions. These remain in line with market peers.
Moreover, SAP has initiated remediation of the identified areas of shortcomings against contractually agreed or statutory standards and will proceed expeditiously. Remediation will largely be completed in the second quarter of 2020. The expenses related to the remediation are expected to be covered within the range of SAP's current 2020 financial outlook.
The executive board of SAP SE has decided that SAP will inform and support the affected customers individually - approximately 9% of SAP's 440,000 customers.