When you consider the risks that may impact on security, don't be blinded by "cyber-risk" - the term that is generally used to categorise the risks associated with electronic access to sensitive data.
There are some fairly obvious security concerns to address first.
Most theft of sensitive electronic information is generally accepted to be by obtaining user name / password combinations by ... simply asking for them. It is estimated that people will hand over an access account on 1 in 10 requests. You probably already know that people in your organisation share access account details. The key is to be able to trace who-did-what-when-from-where. And then include clear requirements in the terms and conditions
Your data can be stolen - physically. Are you aware? Copies, back up tapes, off-site storage discs, USB sticks and even the servers themselves. Make sure you know where physical copies of your system / data are, who has access and, ideally, that they are encrypted.
Do you even own your own data? There's a chance you don't. If your data is held in a shared platform, you may find that using the tools includes a signing over of copyright, or third party usage. If you don't own the information you can at least stop worrying about it being stolen!
If it can happen ... it will! With this in mind, make sure you have some method of restoring your service - this includes back-ups, hardware support and telecoms alternatives.