
Page 1: MALAYSIA INSURANCE GUIDANCE ON COMPLYING WITH REGULATORY REQUIREMENTS APPLICABLE …download.microsoft.com/download/C/D/D/CDDA963E-B5A8-4FDD... · 2017-05-01 · GUIDANCE ON COMPLYING

Confidential

Page 1 of 74

10006606-2

MALAYSIA – INSURANCE

GUIDANCE ON COMPLYING WITH REGULATORY REQUIREMENTS APPLICABLE TO FINANCIAL SERVICES INSTITUTIONS USING CLOUD COMPUTING (AZURE)

Last updated: November 2014

1. WHAT DOES THIS MICROSOFT GUIDANCE CONTAIN?

This guidance document provides a guide to complying with the regulatory process and requirements applicable to financial services institutions using cloud computing. In this guidance, “financial services institutions” means insurance companies (“ICs”). Microsoft has prepared a guidance document for other financial services institutions, which is available on request.

Sections 2 to 6 of this guidance set out some high-level information about the applicable legal frameworks governing banks’ and insurance companies’ use of cloud computing services and the regulatory process that applies.

Section 7 sets out questions in relation to outsourcing to a cloud services solution, based on the laws, regulations and guidance that are relevant to the use of cloud services. Although there is no requirement to complete a checklist like this one, we have received feedback from ICs that a checklist approach like this is very helpful. The checklist can be used:

(i) as a checklist for ensuring regulatory compliance with the requirements set out in the laws, regulations and guidelines (listed in Section 2); and

(ii) as a tool to aid discussions with the regulator(s) (listed in Section 3), should they wish to discuss your organization’s overall approach to compliance with their requirements.

Appendix One also contains a list of key contractual requirements based on the laws, regulations and guidance that are relevant to an IC’s use of cloud services.


Note that this document is not intended as legal or regulatory advice and does not constitute any warranty or contractual commitment. Instead, it is intended to streamline the regulatory process for you. You should seek independent legal advice on your technology outsourcing project and your legal and regulatory obligations. Please note that the scope of this document specifically does not include potentially applicable state laws, rules and regulations.

2. WHAT REGULATIONS AND GUIDANCE ARE RELEVANT?

BNM has developed several relevant documents which ICs should bear in mind. As with banks, there are effectively different “layers” of rules that apply depending on whether the use of Azure constitutes an “outsourcing” and, if so, whether it is significant enough to constitute a “material outsourcing”. Even if it does not constitute an “outsourcing” or “material outsourcing”, other general technology guidelines apply, specifically the IT Guidelines, E-Banking Guidelines, Business Continuity Management Guidelines and Guidelines on Data Management and Management Information System, as listed below.

The relevant documents are as follows (most of them are not available on the BNM website, but we have included a hyperlink where they are):

BNM’s Guidelines on Outsourcing for Insurers.

BNM’s Guidelines on Internet Insurance.

BNM’s Guidelines on Data Management and MIS Framework for Financial Institutions.

BNM’s Guidance on Business Continuity Management (“BNM’s BCM Guidelines”).

BNM’s Guidelines on Management of IT Environment.

In addition, the Financial Services Act 2013 (“FSA”) contains some relevant provisions.

3. WHO IS/ARE THE RELEVANT REGULATOR(S)?

Bank Negara Malaysia (“BNM”).


4. IS REGULATORY APPROVAL REQUIRED IN MALAYSIA?

Yes.

The prior consent of BNM is only required if an IC wishes to undertake an outsourcing which is deemed to be “material”, or which results in services being provided in a location outside Malaysia, whether material or not. It is prudent to assume that the use of Azure would, as a minimum, constitute an “outsourcing”. Whether it would then constitute a “material outsourcing” would be determined on a case-by-case basis, based on an analysis of whether the disruption of the Microsoft Cloud Services would have the potential to significantly impact the financial institution’s business operations, reputation or profitability [1]. Depending on the solution you decide on, the service will likely involve data centers based outside of Malaysia.

5. IS/ARE THERE (A) SPECIFIC FORM OR QUESTIONNAIRE(S) TO BE COMPLETED?

No.

Unlike in certain jurisdictions, such as Singapore, there are no specific forms or questionnaires that an IC must complete when considering cloud computing solutions.

6. DOES THE REGULATOR MANDATE SPECIFIC CONTRACTUAL REQUIREMENTS THAT MUST BE ADOPTED?

Yes.

BNM does specifically mandate contractual requirements that must be agreed by ICs with their service providers. Unfortunately, these are not set out in one list in any one place but are scattered across the different documents referred to above. Microsoft has included these points in the document which follows, in relation to the relevant issues, and Appendix One contains a comprehensive list and details of where in the Microsoft contractual documents these points are covered.

[1] Relevant considerations in terms of what is constituted to be ‘material’ can be found in the BNM Guidelines on Outsourcing for Insurers, Part VIII.


7. CHECKLIST

Key:

In blue text, Microsoft has included template responses that would demonstrate how your proposed use of Microsoft’s services would address the point raised in the checklist. Some points are specific to your own internal operations and processes, and you will need to complete these answers as well.

In red italics, Microsoft has provided guidance to assist you with the points in the checklist.

Ref. Question/requirement Template response and guidance

A. GENERAL

1. Who is the Service Provider? Please provide company profile/background.

Guidance: In case requested, details of the Microsoft corporate entity providing the services are provided below.

Template response: The Service Provider is Microsoft Operations Pte Ltd, the regional licensing entity for Microsoft Corporation, a global provider of information technology devices and services, which is publicly listed in the USA (NASDAQ: MSFT). Microsoft’s full company profile is available here: https://www.microsoft.com/en-us/news/inside_ms.aspx.

2. List all proposed activities and operations to be outsourced to the Service Provider. Confirm that the outsourcing will not include ‘core activities’.

Guidance: Paragraph 3.2 of the BNM’s Guidelines on Outsourcing for Insurers provides that ICs should not outsource core activities except in very limited circumstances. “Core activities” are defined in Part V of those guidelines as activities constituting insurance business; board and senior management; internal audit and compliance functions; risk management; strategic planning and decision making; and financial analysis.

Template response: We can confirm that the outsourced services will not involve any core activities or any inherent banking functions such as services associated with placement of deposits and withdrawals.

The arrangement will involve the outsourcing of certain IT functions through the use of Microsoft’s “Azure” service, which is described in more detail here: Azure. Amongst other things, the Azure service includes:

Compute

Data & Storage

Networking

Identity & Access Management

IT support services

B. OUTSOURCING POLICY AND RISK MANAGEMENT

3. Is senior management confident that there are effective oversight, review and reporting arrangements in place to ensure that service level agreements regarding standards on data quality, integrity and accessibility are observed at all times?

Guidance: Paragraph 4.12 of the BNM’s Guidelines on Data Management and MIS Framework for Development Financial Institutions (“DFI Guidelines”). You may want to add to the following any specific details of communications with and involvement of senior management.

Template response: Yes.

It is essential to us that, despite the outsourcing, we retain control over our own business operations, including control of who can access data and how they can use it. At a contractual level, we have dealt with this via our contract with Microsoft, which provides us with legal mechanisms to manage the relationship, including appropriate allocation of responsibilities, oversight and remedies and the relevant regulatory requirements. At a practical level, we have selected the Azure product since it provides us with transparency in relation to data location, access/audit and authentication, and advanced encryption controls. We have access rights (at any time) to the online dashboards, which provide live information in relation to Microsoft’s services’ performance against performance measures. Finally, we (not Microsoft) will continue to own and retain all rights to our data, and our data will not be used for any purpose other than to provide us with the Azure services.

4. Does your organization have a written, board-approved outsourcing risk philosophy showing that management have considered the overall business and strategic objectives and assessed the materiality of the outsourcing arrangements, and has approved the outsourcing?

Guidance: Paragraphs 9.2, 9.4 and 9.5 of the BNM’s Guidelines on Outsourcing for Insurers provide that the board should approve a framework for assessing the materiality of all existing and prospective outsourcing arrangements; the guidelines refer to this as an ‘outsourcing risk philosophy’. Paragraph 26.1 of the BNM’s Guidelines on Internet Insurance. BNM expects that you will have sought Board approval in relation to the outsourcing, so you will need to confirm this here.

Template response: Yes/No

[See attached board approval.]

More details of our outsourcing risk philosophy and analysis are set out below.

5. Does the outsourcing risk philosophy and your business case address the following?

(i) Identification of the activities that will not be outsourced for strategic or internal control reasons.

(ii) Expectations of the outsourcing arrangements in terms of contribution to your overall strategic and business objectives.

(iii) Limits on the acceptable overall level of outsourced activities.

(iv) The potential impact of the outsourced activity on the economic or commercial value of the insurer.

(v) An assessment of whether an independent enterprise in comparable circumstances would be likely to outsource the activity.

(vi) Cost implications of the outsourcing arrangement (including costs associated with internal resources required to oversee and manage the outsourcing arrangement) relative to anticipated benefits.

(vii) The cumulative impact, including risk concentrations, of all outsourcing arrangements on the overall safety and soundness of your business.

(viii) An assessment of key outsourcing risks, including but not limited to the impact of the outsourcing arrangement on the quality of your service.

(ix) Proper reporting and monitoring of the integrity and quality of work conducted by the Service Provider.

(x) An assessment of your ability to retain control of the outsourced activity.

Guidance: Paragraphs 9.5 and 9.7 of the BNM’s Guidelines on Outsourcing for Insurers and paragraph 26.1 of the BNM’s Guidelines on Internet Insurance. BNM expects you to be able to demonstrate that your outsourcing risk philosophy and business case address each of these points. Items (i) to (viii) are largely internal matters that you will need to outline and show you have considered. Items (ix) and (x) directly relate to Microsoft’s offering, so you may find the following helpful:

Template response:

(ix) Reporting and Monitoring.

Yes.

Microsoft’s Service Level Agreement (“SLA”) applies to the Azure product. Amongst other things, it provides a contractual uptime guarantee for the Azure product and covers performance monitoring and reporting requirements which enable us to monitor Microsoft’s performance on a continuous basis against service levels.

Our IT administrators also have access to the Azure Service Health Dashboard, which provides real-time and continuous monitoring of the Azure service. The Service Health Dashboard provides our IT administrators with information about the current availability of each service or tool (and history of availability status), details about service disruptions or outages, and scheduled maintenance times. The information is provided via an RSS feed.

As part of the support we receive from Microsoft, we also have access to a technical account manager who is responsible for understanding our challenges and providing expertise, accelerated support and strategic advice tailored to our organization. This includes both continuous hands-on assistance and immediate escalation of urgent issues to speed resolution and keep mission-critical systems functioning. We are confident that such arrangements provide us with the appropriate mechanisms for managing performance and problems.

We also have extensive audit rights as detailed in section E below.

(x) An assessment of your ability to retain control of the outsourced activity.

The handing over of certain day-to-day responsibility to an outsourcing provider does present some challenges in relation to control. It is essential to us that, despite the outsourcing, we retain control over our own business operations. At a contractual level, we have dealt with this via our contract with Microsoft, which provides us with legal mechanisms to manage the relationship, including appropriate allocation of responsibilities, oversight and remedies and the mandatory provisions required by BNM. At a practical level, we have selected the Azure product since it provides us with transparency in relation to data location, authentication and advanced encryption controls. We (not Microsoft) will continue to maintain control and will own and retain all rights to our data, and our data will not be used for any purpose other than to provide us with the Azure services.

6. Does your organization have an outsourcing risk management program and policies that apply to material outsourcing arrangements?

Guidance: Paragraphs 9.6 and 10.1 of the BNM’s Guidelines on Outsourcing for Insurers provide that insurers are expected to have in place a comprehensive ‘risk management program’ that is applied to all material outsourcing arrangements, and that all decisions to outsource a material activity should be supported by a sound business case. The business case should take into account the potential benefits of outsourcing against the risks that may arise, having regard to all relevant prudential matters as well as short-term and long-term implications.

There would appear to be some overlap between the risk management program and the outsourcing risk philosophy. You will need to be able to confirm that you have one and provide details. Specific areas that should be covered are set out below.

7. Does your risk management program explicitly cover the management of country risks including the following areas:

(i) Strategic risks (activities carried on by the Service Provider on its own behalf that are inconsistent with the overall strategic goals of the insurer; failure to implement appropriate oversight of the Service Provider; inadequate expertise to oversee the Service Provider);

(ii) Reputational risks (poor service by the Service Provider; customer interaction that is inconsistent with the IC’s standards; unethical practices of the Service Provider);

(iii) Compliance risks (prudential and market conduct regulations not complied with; breach of obligation to preserve customer data confidentiality; changes in regulations not communicated to the service provider in a timely manner);

(iv) Operational risks (technology failure; inadequate financial capacity of the Service Provider to fulfill obligations or provide remedies/restitution; fraud or error; failure of the IC to undertake inspections of the Service Provider);

(v) Exit strategy risks (over-reliance on one firm to provide service; loss of relevant skills or resources in the IC preventing it from bringing an outsourced activity back in-house; contracts which make a speedy exit prohibitively expensive);

(vi) Counterparty risks (inappropriate credit assessments leading to diminished quality of receivables);

(vii) Country risks (political, social and legal climates may create added risk, and business continuity planning can be more complex);

(viii) Contractual risks (inability to enforce the contract);

(ix) Information risks (reliance on information by the Service Provider that may be materially inaccurate; delay in providing timely data and information to the IC or regulator; confidentiality of commercially sensitive/customer information may be compromised);

(x) Concentration risks (reliance on one Service Provider for multiple activities);

(xi) Due diligence of the Service Provider;

(xii) Service Agreements;

(xiii) Contingency Plans; and

(xiv) Monitoring and control.

Guidance: Paragraph 10.2 of the BNM’s Guidelines on Outsourcing for Insurers. Many of these areas will require detail regarding internal policies, but we have included some information in relation to Microsoft’s specific offerings where relevant, to assist where possible.

Template response: Yes.

Taking each of the areas in turn:

(i) Strategic risks. We have no reason to believe that any activities carried out by the Service Provider on its own behalf would be inconsistent with our overall strategic goals. To the contrary, we have selected a Service Provider with a very strong track record and experience of understanding the requirements of financial institutions. We are also very confident that the contractual protections and nature of the service offering enable us to have appropriate oversight of the Service Provider, and tools which are very easy to use to ensure this oversight, as opposed to demanding the development of new skillsets and high levels of expertise in order to manage it on our side. Microsoft will not have interactions with customers. The strategic risks in our view are therefore low.

(ii) Reputational risks. Again, we see the risks as very low since we have undertaken a very thorough due diligence process and chosen a world-class and highly experienced Service Provider who is able to provide contractually backed assurances of quality of service. We also have numerous protections in the contract itself in order to monitor the service performance and take action in the event that any issues arise.

(iii) Compliance risks. We are not outsourcing core business activities. In that respect, the risks of market conduct regulations not being complied with purely as a result of these outsourced services are very low. As detailed in section F, there are very strong security arrangements and safeguards in place to prevent any damage to customer data confidentiality.

(iv) Operational risks. The service provides high SLA (as defined above) commitments but also ensures that a raft of different safeguards and arrangements are in place to prevent and minimize the impact of any technology failure. Microsoft is subject to very high international auditing standards in this regard, which provide us with a great deal of comfort. The size and resources that Microsoft has in place also mean that we do not foresee risks in relation to the adequacy of Microsoft to fulfill obligations or provide remedies and restitution. The nature of the services that are being outsourced also means that there are low risks of fraud or error. In relation to risks in respect of our failure to undertake inspections (for practical or cost considerations), we have assurance in the fact that Microsoft is also subject to its own regular reviews as well as independent auditing by a third party, the reports of which are made available to us.

(v) Exit strategy risks. Our contract with Microsoft provides various opportunities to terminate the service even at short notice, as well as contractual obligations on the part of Microsoft to enable the transfer of services to another service provider or back in-house. In any event, these are not services which would commonly be provided by any IC in-house.

(vi) Counterparty risks. We do not see any risks in relation to inappropriate credit assessments given the nature of the services being outsourced.

(vii) Country risks. We carefully considered the location risks relevant to the service. We are comfortable that the risks are low for several reasons. First, Microsoft informs us that it takes a regional approach to hosting of Azure data. For customers like us with a presence in the Asia-Pacific region, the applicable Azure services will be hosted out of Microsoft’s highly secure data centers, which have been selected by Microsoft taking careful account of country and socio-economic factors. Second, we took into account that the Microsoft data centers have been built in seismically safe zones. Environmental controls have been implemented to protect the data centers, including temperature control, heating, ventilation and air-conditioning, fire detection and suppression systems and power management systems, 24-hour monitored physical hardware and seismically braced racks. These requirements are covered by Microsoft’s ISO/IEC 27001 accreditation for Azure. Azure offers data-location transparency so that organizations and regulators are informed of the jurisdiction(s) in which data is hosted. We are confident that Microsoft’s data centers offer extremely stable political and socio-economic environments with robust and transparent legal frameworks. Microsoft data center locations are made public on the Microsoft Trust Center.

(viii) Contractual risks. We are not concerned regarding any inability to enforce the contract. The contract contains various remedies, including service credits and also the ability for us to terminate the services quickly and easily.

(ix) Information risks. We do not foresee risks connected with inaccurate information provided by the Service Provider given the nature of the services that are being provided. Further, in relation to any information that is provided to us by Microsoft, we have assurance in the fact that they are subject to independent audit and international standards, and also that BNM has audit rights. Microsoft’s service ensures the provision of real-time information via their dashboard and various protections detailed elsewhere in this document to ensure the protection of commercially sensitive and customer information.

(x) Concentration risks. We are not placing undue reliance on one service provider for multiple activities in making this outsourcing. The arrangement is for the provision of certain IT services only and not of the nature that would usually be split between different service providers.

(xi) Due diligence of the Service Provider. See section C below.

(xii) Service Agreements. See section D below.

(xiii) Contingency plans. See section G below.

(xiv) Monitoring and control of outsourcing. See section B5 above.

C. SERVICE PROVIDER SELECTION CRITERIA & DUE DILIGENCE

8. Is the selection process of the Service Provider and its sub-contractors, if any, formally defined and documented?

Guidance: Paragraph 10.4 of the BNM’s Guidelines on Outsourcing for Insurers provides that appropriate due diligence is expected to be conducted by insurers prior to the selection of service providers. Paragraph 15(a), Part II of the BNM’s Guidelines on Management of IT Environment states that due diligence should be adequately carried out to review and assess outsourcing viabilities, capabilities, reliabilities, expertise and track records before being approved by the board of directors.

Template response: Yes.

The selection process was formally defined and documented. It covered the service provider’s:

financial soundness;

reputation;

managerial skills;

technical capabilities; and

operational capability and capacity in relation to the services to be performed.

[Please see the attached documentation for further information.]

9. Did your selection criteria consider the following? Are there any other objective criteria that you considered?

(a) Capabilities, expertise, track records, experience, technical competence and adequacy of human resource capabilities of the Service Provider to perform the specified activity to be outsourced.

(b) Service Provider’s understanding of your organization’s strategic and business objectives in relation to the specific activity outsourced.

(c) Financial strength and resources of the Service Provider (based on recent audited financial statements and other relevant information), including consideration of the extent of the Service Provider’s liabilities and financial ability (i.e., professional indemnity insurance coverage) to compensate your organization for errors, negligence and other operational failures.

(d) Business reputation, complaints, regulatory infringements and pending or potential litigation of the Service Provider.

(e) Compatibility with your organization in terms of business objectives, human resource policies, service philosophies and business culture.

(f) Security and internal controls, standards, policies and procedures.

(g) Business resumption and contingency plans including disaster recovery capabilities.

(h) Ability of the Service Provider to comply with the relevant regulatory requirements applicable to your organization (factors that could be considered include the Service Provider’s experience in regulated financial service industries).

(i) Reliance on and previous experience in dealing with sub-contractors.

Guidance: This is covered in several places: paragraph 10.5 of the BNM’s Guidelines on Outsourcing for Insurers; paragraphs 10.4 and 15(a), Part II of the BNM’s Guidelines on Management of IT Environment; paragraph 1(d), Part IV of the BNM’s Guidelines on Management of IT Environment; and paragraph 15(b), Part II of the BNM’s Guidelines on Management of IT Environment.

Template response: Yes.

We followed a rigorous review and selection process. Set out below are the specific areas we considered and why we decided on Microsoft:

a. Capabilities, experience and track record. Microsoft is an industry leader in cloud computing. Azure was built based on ISO/IEC 27001 standards and was the first major business productivity public cloud service to have implemented the rigorous set of global standards covering physical, logical, process and management controls. 40% of the world’s top brands use Azure. We consulted various case studies relating to Azure, which are available on the Microsoft website, and also considered the fact that Microsoft has amongst its customers some of the world’s largest organizations and financial institutions.

b. Service Provider’s understanding of our objectives. We have conducted detailed discussions with Microsoft and are confident that they understand our business and objectives. As set out above and below, their extensive experience and reputation in helping other financial institutions also helps us to be confident in this decision.

c. Financial strength and resources. Microsoft Corporation is publicly listed in the United States and is amongst the world’s largest companies by market capitalization. Microsoft’s audited financial statements indicate that it has been profitable for each of the past three years. Its market capitalization is in the region of USD 280 billion. Accordingly, we have no concerns regarding its financial strength and ability to compensate us for failures.

d. Business reputation, complaints, regulatory infringements. As set out above, Microsoft has a very strong international reputation and

experience. There are no complaints or regulatory infringements. In fact,

the European Union’s data protection authorities have found that

Microsoft’s enterprise cloud contracts meet the high standards of EU

privacy law. Microsoft is the first – and so far the only – company to

receive this approval.

e. Compatibility with our organization. We have conducted detailed

discussions with Microsoft and are confident that they understand our

business and that we will be able to work well with them.

f. Security and internal controls. Microsoft is an industry leader in cloud

security and implements policies and controls on par with or better than

on-premises data centers of even the most sophisticated organizations.

We have confidence in the security of the solution and the systems and

controls offered by Microsoft. In addition to the ISO/IEC 27001

certification, Azure is designed for security with controls for encryption of

data at rest and security sockets layer (“SSL”)/transport layer security

(“TLS”) encryption of data in transit. The Microsoft service is subject to

the SSAE16 SOC1 Type II audit, an independent, third party audit. In

particular, all personnel with access to customer data are subject to

Page 17: MALAYSIA INSURANCE GUIDANCE ON COMPLYING WITH REGULATORY REQUIREMENTS APPLICABLE …download.microsoft.com/download/C/D/D/CDDA963E-B5A8-4FDD... · 2017-05-01 · GUIDANCE ON COMPLYING

Confidential

Page 17 of 74

10006606-2

Ref. Question/requirement Template response and guidance

background screening, security training and access approvals. In

addition, the access levels are reviewed on a periodic basis to ensure that

only users who have appropriate business justification have access to the

systems. User access to data is also limited by user role. For example,

system administrators are not provided with database administrative

access. Microsoft offers contractually-guaranteed uptime, hosted out of

world class data centers with physical redundancy at disk, NIC, power

supply and server levels, constant content replication, robust backup,

restoration and failover capabilities, real-time issue detection and

automated response such that workloads can be moved off any failing

infrastructure components with no perceptible impact on the service, with

24/7 on-call engineering teams.

g. Business resumption and contingency plans. Microsoft offers

contractually-guaranteed uptime, hosted out of world class data centers

with physical redundancy at disk, NIC, power supply and server levels,

constant content replication, robust backup, restoration and failover

capabilities, real-time issue detection and automated response such that

workloads can be moved off any failing infrastructure components with no

perceptible impact on the service, with 24/7 on-call engineering teams.

More details regarding business resumption and contingency plans are

set out in section G below.

h. Specific financial services credentials and our business. Financial

Institution customers in leading markets, including in the UK, France,

Germany, Australia, Singapore, Canada, the United States and many

other countries have performed their due diligence and, working with their

Page 18: MALAYSIA INSURANCE GUIDANCE ON COMPLYING WITH REGULATORY REQUIREMENTS APPLICABLE …download.microsoft.com/download/C/D/D/CDDA963E-B5A8-4FDD... · 2017-05-01 · GUIDANCE ON COMPLYING

Confidential

Page 18 of 74

10006606-2

Ref. Question/requirement Template response and guidance

regulators, are satisfied that Azure meets their respective regulatory

requirements. This gives us confidence that Microsoft is able to help

meet the high burden of financial services regulation and is experienced

in meeting these requirements. We have had detailed discussions with

Microsoft regarding our business objectives and are confident that they

understand them.

i. Reliance on and previous experience in dealing with sub-

contractors. Microsoft does use sub-contractors to provide certain

ancillary assistance, but not for any critical roles. An up-to-date list of all

subcontractors used to provide the ancillary services (including exact

services) is available at http://azure.microsoft.com/en-us/support/trust-

center/. Microsoft ensures that all sub-contractors that it deals with are

subject to stringent requirements and Microsoft is experienced at

managing such relationships. If we do not approve of a subcontractor

that is added to the list, then we are entitled to terminate the affected

online services.

10. Do you have processes in place to ensure ongoing periodic due diligence?

Paragraph 10.6 of the BNM’s Guidelines on Outsourcing for Insurers which states that due diligence processes should continue to be conducted periodically after the initial selection of a service provider, having regard to the level of materiality of the outsourcing arrangement and risks associated with the use of a particular service provider, as well as the experience with the quality of the service performed. Generally, due diligence should be carried out whenever there are significant changes in the circumstances of the service provider (e.g. changes in key personnel, work procedures or systems of the service provider) which materially affect the factors used as the basis for selection.

Suggested wording below. You will likely want to add to this in order to provide details of any internal processes you have.

Yes.

We have various monitoring tools in relation to the service that enable us to carry out continuous due diligence in relation to the service and Service Provider. We may trigger specific reviews where there are significant changes in the circumstances of the Service Provider and services.

In our contract with Microsoft, under the FSA, Microsoft offers us the right to participate in the Microsoft Online Services Customer Compliance Program. Under this Compliance Program, we are offered the following key features: access to the controls that apply to each online service and the effectiveness of those controls; access to data related to service operations; receipt of notifications of changes that may materially impact Microsoft’s ability to provide the online services; engagement with Microsoft’s subject matter experts and external auditors; and the ability to provide suggestions to improve the online services. Under the FSA we are also provided with access to Microsoft’s independent third party audit reports and we have the right to review Microsoft’s Information Security Policies, along with other information we may reasonably request regarding Microsoft’s security practices and policies. Finally, our regulator is also provided with a contractual right under the FSA to examine Microsoft’s online services. We are confident that such arrangements provide us with the appropriate level of assessment of Microsoft’s ability to meet our policy, procedural, security control and regulatory requirements.

D. SERVICE AGREEMENT

See also Appendix One to this document, which includes a comprehensive list of the different provisions in the various regulations in Malaysia which require ICs to insert specific contractual provisions into their agreements with outsourcing vendors. The appendix then maps these against the clauses of Microsoft’s agreement where these are covered.

11. Has a service agreement (“SA”) for each of the items, activities, operations, transactions or areas to be outsourced to the Service Provider been established?

Paragraph 10.9 of the BNM’s Guidelines on Outsourcing for Insurers.

Yes.

The written contract we have with Microsoft is in the form of an SLA which is available at: http://azure.microsoft.com/en-us/support/legal/sla/

12. Has the SA been reviewed by legal counsel?

Paragraph 10.9 of the BNM’s Guidelines on Outsourcing for Insurers.

Microsoft recommends that you seek legal advice on the use of cloud computing services in relation to statutory/regulatory/common law requirements. You will need to be able to confirm this review has been undertaken.

Yes.

13. Does the SA cover the following?

(a) Nature and scope of the service provided (i.e., scope of the relationship, frequency, content, agreed roles, responsibilities and duties of Service Provider and location of service to be provided).

(b) Performance monitoring (i.e., includes service levels and performance measures; liability of the service provider for unsatisfactory performance or other breach of agreement of the outsourced functions).

(c) Clear identification of ownership and access (i.e., ownership of assets generated, purchased or acquired during the outsourcing arrangements and your access to those assets).

(d) Protection of confidentiality and security of your organization and your clients’ information (i.e., roles and responsibility, liability for losses in the event of breach of security/confidentiality; and requirement for immediate notification if there is a breach).

(e) Basis for compensation and fees and circumstances under which additional charges may be imposed.

(f) Business resumption and contingency arrangements.

(g) Reporting requirements (i.e., type, content and frequency of reporting; whether the performance is met; and reporting of incidents or events that may affect the service; testing and review of work done by the Service Provider; progress of work conducted).

(h) Dispute resolution (including jurisdiction under which disputes will be resolved).

(i) Default termination.

(j) Sub-contracting.

(k) Service Provider is subject to all applicable regulations and guidelines including BNM’s BCM Guidelines.

(l) Requirements for ensuring the continuity of the outsourced business function in the event of a major disruption affecting the Service Provider’s services (including recovery time objectives (“RTO”) and provisions for legal liability if the RTO is not achieved).

(m) Audit rights.

(n) Prompt notification by the Service Provider of any breach of confidentiality and liability for losses that might result from such breach.

Paragraphs 10.6 and 10.10 of the BNM Guidelines on Outsourcing for Insurers provide for the provisions that should be incorporated into the service agreements, depending on the materiality of the outsourced activity. Specific obligations can also be found in different places including: (i) paragraph 1(c), Part V of the BNM’s Guidelines on Management of IT Environment; (ii) paragraph 110 of the BNM’s BCM Guidelines; and (iii) paragraph 111 of the BNM’s BCM Guidelines.

Yes.

Taking each of the points in turn:

(a) Nature and scope of services: The contract includes this. See section 2 for an overview of the services which are being provided.

(b) Performance monitoring: We have a detailed SLA with Microsoft. Microsoft provides a contractual financially-backed uptime guarantee for the Azure product and covers performance monitoring and reporting requirements which enable us to monitor Microsoft’s performance on a continuous basis against service levels. Under the service credits mechanism in the SLA, we may be entitled to a service credit of up to 100% of the service charges. If a failure by Microsoft also constitutes a breach of contract to which the service credits regime does not apply, we would of course have ordinary contractual claims available to us too under the contract.

(c) Ownership and access: We retain ownership of data at all times. There are no specific hardware or other assets that are purchased on our behalf by Microsoft as part of these services to which we would expect or need to have ownership or access.

(d) Protection of confidentiality and security: Microsoft as an outsourcing partner is an industry leader in cloud security and implements policies and controls on par with or better than on-premises data centers of even the most sophisticated organizations. Azure was built based on ISO/IEC 27001 standards, a rigorous set of global standards covering physical, logical, process and management controls. This makes us confident that there are very robust security controls in place to protect the transmission and storage of information/data within Microsoft’s infrastructure. The following security features are also relevant to protecting the transmission and storage of information/data within the Microsoft infrastructure:

1. The Microsoft Azure security features consist of three parts: (a) built-in security features; (b) security controls; and (c) scalable security. These include 24-hour monitored physical hardware, isolated customer data, automated operations and lock-box processes, secure networks and encrypted data.

2. Microsoft implements the Microsoft Security Development Lifecycle (SDL), which is a comprehensive security process that informs every stage of design, development and deployment of Microsoft software and services, including Azure. Through design requirements, analysis of attack surface and threat modeling, the SDL helps Microsoft predict, identify and mitigate vulnerabilities and threats from before a service is launched through its entire production lifecycle.

3. Networks within the Azure data centers are segmented to provide physical separation of critical back-end servers and storage devices from the public-facing interfaces. Edge router security allows the ability to detect intrusions and signs of vulnerability. Azure uses industry-standard transport protocols such as SSL and TLS between user devices and Microsoft data centers, and within data centers themselves. With virtual networks, the industry standard IPsec protocol can be used to encrypt traffic between the corporate VPN gateway and Azure. Encryption can be enabled for traffic between VMs and end users. Microsoft also implements traffic throttling to prevent denial-of-service attacks.

4. From a people and process standpoint, preventing breach involves auditing all operator/administrator access and actions, zero standing permission for administrators in the service, “Just-In-Time (JIT) access and elevation” (that is, elevation is granted on an as-needed and only-at-the-time-of-need basis) of engineer privileges to troubleshoot the service, and segregation of the employee email environment from the production access environment. Employees who have not passed background checks are automatically rejected from high privilege access, and checking employee backgrounds is a highly scrutinized, manual-approval process. Data is also encrypted.

Further details are included in section F below.

(e) Basis for compensation and fees: This is clearly set out in our contracts with Microsoft.

(f) Business resumption and contingency arrangements: There are detailed business contingency provisions. See section G below for more details.

(g) Reporting requirements: Our IT administrators have access to the Azure Service Health Dashboard, which provides real-time and continuous monitoring of the Azure service. The Service Health Dashboard provides our IT administrators with information about the current availability of each service or tool (and history of availability status), details about service disruption or outage, and scheduled maintenance times. The information is provided via an RSS feed. Amongst other things, the SLA provides a contractual uptime guarantee for the Azure product and covers performance monitoring and reporting requirements which enable us to monitor Microsoft’s performance on a continuous basis against service levels. As part of the support we receive from Microsoft, we also have access to a technical account manager who is responsible for understanding our challenges and providing expertise, accelerated support and strategic advice tailored to our organization. This includes both continuous hands-on assistance and immediate escalation of urgent issues to speed resolution and keep mission-critical systems functioning. We are confident that such arrangements provide us with the appropriate mechanisms for managing performance and problems.

(h) Dispute resolution: Our contract is subject to Washington state law and jurisdiction. We have sought advice on this and are comfortable with this position. The contract also includes dispute escalation procedures.

(i) Default termination: The Microsoft Business and Services Agreement (“MBSA”) contains usual termination provisions. The SLA contained within the MBSA is terminable by us for convenience at any time by providing not less than 60 days’ notice. Any sub-agreements to the MBSA are terminable by us for convenience at any time by providing not less than 30 days’ notice. In addition, we have standard rights of termination for material breach. This gives us the flexibility and control we need to manage the relationship with Microsoft because it means that we can terminate the arrangements with or without cause.

(j) Sub-contracting: As set out above, Microsoft does use sub-contractors to provide certain ancillary assistance, but not for any critical path roles. An up-to-date list of all subcontractors used to provide the ancillary services (including exact services) is available at http://azure.microsoft.com/en-us/support/trust-center/. Microsoft ensures that all sub-contractors that it deals with are subject to stringent requirements and is experienced at managing such relationships.

(k) Regulations and guidelines on Business Continuity: As set out in section F below, we have ensured that Microsoft is required to provide robust and comprehensive business continuity management and processes.

(l) Continuity in the event of disruption: As set out in section F below, we have ensured that Microsoft is required to provide robust and comprehensive disaster recovery management and processes. Microsoft provides a contractual financially-backed uptime guarantee for the Azure product and covers performance monitoring and reporting requirements which enable us to monitor Microsoft’s performance on a continuous basis against service levels. Under the service credits mechanism in the SLA, we may be entitled to a service credit of up to 100% of the service charges. If a failure by Microsoft also constitutes a breach of contract to which the service credits regime does not apply, we would of course have ordinary contractual claims available to us too under the contract.

(m) Audit rights: The extensive audit rights that Microsoft offers were a key reason for our decision to choose Microsoft. Details of the different audit rights are set out in section E below.

(n) Notification of breach: Microsoft implements “prevent, detect, and mitigate breach”, which is a defensive strategy aimed at predicting and preventing any security breach before it happens. This involves continuous improvements to built-in security features, including port scanning and remediation, perimeter vulnerability scanning, OS patching to the latest updated security software, network-level DDOS (distributed denial-of-service) detection and prevention, and multi-factor authentication for service access. Wherever possible, human intervention is replaced by an automated, tool-based process, including routine functions such as deployment, debugging, diagnostic collection, and restarting services. Azure continues to invest in systems automation that helps identify abnormal and suspicious behavior and respond quickly to mitigate security risk. Microsoft is continuously developing a highly effective system of automated patch deployment that generates and deploys solutions to problems identified by the monitoring systems, all without human intervention. This greatly enhances the security and agility of the service.

In the event that a security incident or violation is detected, Microsoft Customer Service and Support notifies Azure subscribers by updating the Service Health Dashboard that is available on the Azure portal. We would have access to Microsoft’s dedicated support staff, who have a deep knowledge of the service. Microsoft provides an RTO (as defined above) of 30 minutes or less for Virtual Machines and Storage, 1 hour or less for Virtual Network, and a Recovery Point Objective (“RPO”) of 1 minute or less for Storage.

Finally, after the incident, Microsoft provides a thorough post-incident review report (“PIR”). The PIR includes: (i) an incident summary and event timeline; (ii) broad customer impact and root cause analysis; and (iii) actions being taken for continuous improvement. Microsoft will provide the PIR within five business days following resolution of the service incident. Administrators can also request a PIR using a standard online service request submission through the Azure portal or a phone call to Microsoft Customer Service and Support.

E. AUDIT

14. Has your organization made explicit provisions in the outsourcing contracts or obtained letters of undertaking from Service Providers to enable regulatory bodies and appointed personnel such as external and internal auditors to carry out inspection or examination of the Service Provider’s books, internal controls, facilities, systems, processes and data relating to the services provided to your organization?

There are various provisions under Malaysian law that require this. In particular see: (i) Section 148(1)(b) of the FSA; (ii) paragraphs 10.10 and 12.1 of the BNM’s Guidelines on Outsourcing for Insurers, which provide that insurers shall, in all cases, obtain an undertaking from their outsourcing service providers (or sub-contractors as applicable), or include a provision within the SA, giving authorized examiners of BNM the right to: (a) examine the books, records, information, systems and the internal control environment in the service provider (or sub-contractor as applicable), to the extent that they relate to the service being performed for the insurer; and (b) access any internal audit or external audit findings of the service provider (or sub-contractor as applicable) that concern the service being performed for the insurer; (iii) paragraph 15(c), Part II of the BNM’s Guidelines on Management of IT Environment; (iv) paragraph 113 of the BNM’s BCM Guidelines; and (v) paragraph 1(c), Part V of the BNM’s Guidelines on Management of IT Environment.

Yes.

We are confident that in our choice of Microsoft as Service Provider we have far more extensive audit rights than most if not all other Service Providers offer. This was an important factor in our decision to choose this Service Provider.

In particular, the following audit protections are made available by Microsoft:

1. As part of Microsoft’s certification requirements, it is required to undergo regular independent third party auditing (via the SSAE16 SOC1 Type II audit, a globally-recognized standard), and Microsoft shares with us the independent third party audit reports. Microsoft also agrees, as part of the compliance program, to the customer’s right to monitor and supervise. We are confident that such arrangements provide us with the appropriate level of assessment of Microsoft’s ability to meet our policy, procedural, security control and regulatory requirements.

2. BNM is given a contractual right of audit/inspection over Microsoft’s facilities, so that it can assess and examine systems, processes and security and regulatory compliance.

Microsoft also offers a Compliance Framework Program. If you take up the Compliance Framework Program, you may add this additional information about its key features: the regulator audit/inspection right, access to Microsoft’s security policy, the right to participate at events to discuss Microsoft’s compliance program, the right to receive audit reports and updates on significant events, including security incidents, risk-threat evaluations and significant changes to the business resumption and contingency plans.

F. CONFIDENTIALITY AND SECURITY

14. Have you obtained from the Service Provider a written undertaking to

protect and maintain the confidentiality of your customer data in

compliance with the secrecy provision pursuant to section 133 of the FSA

and the protection of your own confidential information?

Section 133(1) of the FSA which provides that no person who has access to

any document or information relating to the affairs or account of any customer

of a financial institution, including: (a) the financial institution; or (b) any

person who is or has been a director, officer or agent of the financial

institution, shall disclose to another person any document or information

relating to the affairs or account of any customer of the financial institution.

Paragraph 26.1 of the BNM’s Guidelines on Internet Insurance which provides

that any outsourcing of information technology services that relates to internet

insurance require that the service provider or software vendor to provide the

insurer with a written undertaking on its compliance with secrecy of

customers’ and the insurer’s information.

Yes.

Our contract with Microsoft contains robust confidentiality provisions to

prevent disclosure of confidential information whether of our customers or of

our own. Information will only be provided to Microsoft’s sub-contractors on a

need to know basis for the purposes of providing the services and subject to

similar restrictions on confidentiality. If anything further is required we would

work with Microsoft to provide whatever further clarity the regulator may

require in this regard.

It is also relevant to note that the European Union’s data protection authorities

have found that Microsoft’s enterprise cloud contracts meet the high

Page 31: MALAYSIA INSURANCE GUIDANCE ON COMPLYING WITH REGULATORY REQUIREMENTS APPLICABLE …download.microsoft.com/download/C/D/D/CDDA963E-B5A8-4FDD... · 2017-05-01 · GUIDANCE ON COMPLYING

Confidential

Page 31 of 74

10006606-2

Ref. Question/requirement Template response and guidance

standards of EU privacy law. Microsoft is the first – and so far the only –

company to receive this approval.

15. Has senior management determined that there are adequate controls for identifying, reporting and responding to suspected security incidents and violations?

Paragraph 6(b), Part II of the BNM’s Guidelines on Management of IT Environment. Paragraph 27, Guidelines on Internet Insurance. This contains more specific requirements including that staff of the IC and any outsourcing vendor are required to report all security breaches promptly to management. Material security breaches, system downtime and degradation in system performance that critically affects the IC should be reported to BNM: (i) an initial report to BNM via telephone immediately upon detection by providing ‘initial information/observation’; and (ii) a formal report should be made within 2 days from the date of detection. These reporting obligations have to be stated explicitly in the IC’s security policy and the IC should also establish procedures for proper recording of occurrence of such incidents.

Yes.

Senior management is confident that there are adequate internal controls, prevention measures and processes for early detection of errors, omissions and security incidents. Our extensive due diligence and risk profiling at the outset and processes in place for monitoring, auditing and security protections assure us of this. We have set out details of this elsewhere in this document. Microsoft’s systems including its real-time monitoring facilities enable us to fulfill our reporting obligations to BNM in the event of a security breach occurring.

Page 32: MALAYSIA INSURANCE GUIDANCE ON COMPLYING WITH REGULATORY REQUIREMENTS APPLICABLE …download.microsoft.com/download/C/D/D/CDDA963E-B5A8-4FDD... · 2017-05-01 · GUIDANCE ON COMPLYING

Confidential

Page 32 of 74

10006606-2

Ref. Question/requirement Template response and guidance

16. Are the following security practices implemented by the Service Provider?

(a) Firewalls have been installed on all connection points between the internal computer network and the Internet.
(b) Intrusion detection-prevention devices have been installed (including denial-of-service security appliances where appropriate).
(c) Virtual private networks (VPN) have been developed within a public switch network to protect all transmissions from unauthorized parties, while allowing the use of the public network infrastructure.
(d) Public key infrastructure (PKI) is used to perform authentication on the internet through a combination of digital certificates and public key cryptography (PKC).
(e) Internationally accepted well-defined industry standards of payment protocol are used to provide a secure environment for online credit card payments.
(f) Penetration testing is conducted at least once a year or whenever substantial changes are made to the internet-related systems.
(g) Implement anti-virus software and apply updates regularly.
(h) Access to security logs and audit trails.
(i) Analysis of security logs for suspicious traffic and intrusion attempts.
(j) Conducting security awareness education and programs.
(k) Providing separate physical/logical environments for systems development, testing and production.
(l) Encrypting critical or sensitive information which is stored or transmitted over communication networks.

There are specific security practice requirements contained in Part III of the BNM’s Guidelines on Management of IT Environment (although note that these are considerations and not specific requirements that are considered necessary in all circumstances) and in paragraph 21.5 of the BNM Guidelines on Internet Insurance.

Yes.

This is an issue that we take very seriously. We have therefore checked these procedures in detail with Microsoft and are confident that they provide excellent means to enable us to identify, report and respond properly and promptly in the event of any security incident or violation. We are assured that Microsoft is committed to protecting the privacy of our data, and Microsoft makes this statement in its Azure Privacy Statement.

Taking each of the points in turn:

(a) Firewalls. Microsoft uses multiple layers of network devices in order to segregate network security zones and block access to resources placed in high security zones from external parties.

(b) Intrusion detection-prevention devices. There are robust procedures offered by Microsoft that enable the prevention of security incidents and violations in the first place. Specifically:

1. Microsoft implements 24 hour monitored physical hardware. Data center access is restricted 24 hours per day by job function so that only essential personnel have access to customer applications and services. Physical access control uses multiple authentication and security processes, including badges and smart cards, biometric scanners, on-premises security officers, continuous video surveillance, and two-factor authentication.

2. Microsoft implements “prevent, detect, and mitigate breach”, which is a defensive strategy aimed at predicting and preventing a security breach before it happens. This involves continuous improvements to built-in security features, including port scanning and remediation, perimeter vulnerability scanning, OS patching to the latest updated security software, network-level DDOS (distributed denial-of-service) detection and prevention, and multi-factor authentication for service access.

3. Wherever possible, human intervention is replaced by an automated, tool-based process, including routine functions such as deployment, debugging, diagnostic collection, and restarting services. Azure continues to invest in systems automation that helps identify abnormal and suspicious behavior and respond quickly to mitigate security risk. Microsoft is continuously developing a highly effective system of automated patch deployment that generates and deploys solutions to problems identified by the monitoring systems—all without human intervention. This greatly enhances the security and agility of the service.

(c) VPNs. Not applicable. Azure is a multi-tenanted service and Microsoft does not use VPN for customers to access Azure services.

(d) PKI. Azure provides us with the option to use PKI-based user authentication.

(e) Payment protocols. Not applicable to the services being outsourced by us.

(f) Penetration testing. Microsoft conducts penetration tests to enable continuous improvement of incident response procedures. These internal tests help Azure security experts create a methodical, repeatable, and optimized stepwise response process and automation.

(g) Anti-virus software. All services in Azure are virus-scanned every day with the latest virus definitions.

(h) Access to security logs and audit trails. In the event that a security incident or violation is detected, Microsoft Customer Service and Support notifies Azure subscribers by updating the Service Health Dashboard that is available on the Azure portal. In addition, we have extensive audit rights as described in Section E.

(i) Analysis of security logs for suspicious traffic and intrusion attempts. Microsoft has robust automated processes which are constantly monitoring in this regard. See response at (b) above for more details.

(j) Conducting security awareness education and programs. All personnel with access to customer data are subject to background screening, security training and access approvals. In addition, the access levels are reviewed on a periodic basis to ensure that only users who have appropriate business justification have access to the systems. User access to data is also limited by user role. For example, system administrators are not provided with database administrative access. All appropriate Microsoft staff take part in a Microsoft Online Services sponsored security training program, and are recipients of periodic security awareness updates when applicable. Security education is an on-going process and is conducted regularly in order to minimize risks.

(k) Providing separate physical/logical environments for systems development, testing and production. Microsoft has an operational change control procedure in place. The operational change control procedure includes an assessment process of possible change impact and change testing in an approved non-production environment.

(l) Encrypting critical or sensitive information which is stored or transmitted over communication networks: Networks within the Azure data centers are segmented to provide physical separation of critical back-end servers and storage devices from the public-facing interfaces. Edge router security allows the ability to detect intrusions and signs of vulnerability. Azure uses industry-standard transport protocols such as SSL and TLS between user devices and Microsoft data centers, and within data centers themselves. With virtual networks, the industry standard IPsec protocol can be used to encrypt traffic between the corporate VPN gateway and Azure. Encryption can be enabled for traffic between VMs and end users. Microsoft also implements traffic throttling to prevent denial-of-service attacks.

Customer data in Azure exists in two states: (i) at rest on storage media; and (ii) in transit from a data center over a network to a customer device.

Azure offers a wide range of data encryption capabilities up to AES-256. Options include .NET cryptographic services, Windows Server public key infrastructure (PKI) components, Active Directory Rights Management Services (AD RMS), and BitLocker for data import/export scenarios.

17. How are customers authenticated? For internal systems, how are staff in your organization authenticated?

Paragraph 2(a), Part III of the BNM’s Guidelines on Management of IT Environment. You will need to supplement this with details of your own internal authentication processes for internal systems.

Yes.

Azure can use two-factor authentication to enhance security. Typical authentication practices that require only a password to access resources may not provide the appropriate level of protection for information that is sensitive or vulnerable. Two-factor authentication is an authentication method that applies a stronger means of identifying the user. The Microsoft phone-based two-factor authentication solution allows users to receive their PINs sent as messages to their phones, and then they enter their PINs as a second password to log on to their services.
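The response above describes a phone-delivered PIN used as a second password. What it leaves implicit is what the verifying side must do for that PIN to be a genuine second factor: generate it unpredictably, store only a hash, accept it once, expire it, and cap wrong guesses. The following is an added illustration of those server-side checks, not code from this guidance or from Microsoft’s service; the class name, six-digit length, five-minute validity window, three-attempt limit and the SMS callback are all assumptions made for the example.

```python
"""Server-side handling of a one-time PIN delivered to the user's phone and
entered as a second password (added example; not the guidance's or Microsoft's
code). PIN length, validity window, attempt limit and the delivery callback
are assumptions chosen for the illustration."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

PIN_DIGITS = 6            # assumption: six-digit numeric PIN
PIN_TTL_SECONDS = 300     # assumption: a PIN is valid for five minutes
MAX_ATTEMPTS = 3          # assumption: three wrong guesses invalidate the PIN


@dataclass
class PendingPin:
    digest: bytes          # only a salted hash of the PIN is kept server-side
    salt: bytes
    issued_at: float
    attempts: int = 0
    used: bool = False


def _digest(pin: str, salt: bytes) -> bytes:
    # Hashing means a leaked table of pending PINs does not yield live codes.
    return hashlib.sha256(salt + pin.encode()).digest()


class SecondFactor:
    def __init__(self, send_sms, clock=time.time):
        self._send_sms = send_sms   # callable(phone_number, text); delivery is out of scope here
        self._clock = clock         # injectable for testing expiry
        self._pending: dict[str, PendingPin] = {}

    def issue(self, user_id: str, phone_number: str) -> None:
        # secrets.randbelow is a CSPRNG; zero-pad so every PIN has PIN_DIGITS digits.
        pin = f"{secrets.randbelow(10 ** PIN_DIGITS):0{PIN_DIGITS}d}"
        salt = secrets.token_bytes(16)
        self._pending[user_id] = PendingPin(_digest(pin, salt), salt, self._clock())
        self._send_sms(phone_number, f"Your sign-in code is {pin}")

    def verify(self, user_id: str, submitted: str) -> bool:
        """True only for a fresh, unused PIN matched within the attempt limit.

        The pending entry is removed on success, on expiry and after too many
        failures, so a captured PIN cannot be replayed as a second password.
        """
        entry = self._pending.get(user_id)
        if entry is None or entry.used:
            return False
        if self._clock() - entry.issued_at > PIN_TTL_SECONDS:
            del self._pending[user_id]
            return False
        entry.attempts += 1
        # Constant-time comparison avoids leaking how many digits matched.
        ok = hmac.compare_digest(_digest(submitted, entry.salt), entry.digest)
        if ok:
            entry.used = True
            del self._pending[user_id]
        elif entry.attempts >= MAX_ATTEMPTS:
            del self._pending[user_id]
        return ok
```

The PIN here is the second factor only because the password check has already passed; the class deliberately knows nothing about the password so the two checks cannot be collapsed into one.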

18. Is the Service Provider able to isolate and clearly identify your customer data, documents, records and assets to protect their confidentiality?

Paragraph 6(b), Part II of the BNM’s Guidelines on Management of IT Environment and FSA as above.

Yes.

Microsoft’s transparency as to data location was a key consideration as part of the service provider selection process. Active Directory isolates customers using security boundaries (also known as silos). This safeguards a customer’s data so that the data cannot be accessed or compromised by co-tenants.

19. Are your data / applications stored in the vendor systems commingled with those of other subscribers? Is the Service Provider able to isolate and clearly identify your customer data, documents, records and assets to protect their confidentiality?

Paragraph 10.10(c) of BNM’s Guidelines on Outsourcing for Insurers which states that the SA entered into between the insurer and the service provider should provide for clear identification and establishment of ownership of all assets relating to the outsourcing arrangement. The SA should specify the terms governing the use of the insurer’s premises, personnel and equipment, where relevant.

Data and applications are not commingled with those of other customers and, yes, the Service Provider is able to clearly identify our customer data, documents, records and assets to protect their confidentiality.

Networks within the Azure data centers are segmented to provide physical separation of critical back-end servers and storage devices from the public-facing interfaces.

20. Are there documented systems for monitoring and managing the computer center’s resources (i.e. utilization of the central processing unit (CPU), hard disk and memory, problem reporting and prioritization, equipment malfunctions, frequency and duration of system down time and network activities to detect suspicious trends and attempts to gain access to the system)?

Paragraph 3(g), Part V of the BNM’s Guidelines on Management of IT Environment.

Yes. The security procedures for safeguarding hardware, software and security are documented in detail by Microsoft in its Standard Response to Request for Information – Security and Privacy. This confirms how the following aspects of Microsoft’s operations safeguard hardware, software and data:

Compliance;
Data Governance;
Facility;
Human Resources;
Information Security;
Legal;
Operations;
Risk Management;
Release Management;
Resiliency; and
Security Architecture.
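Question 20 lists monitoring of “network activities to detect suspicious trends and attempts to gain access to the system”, and question 16(i) asks for analysis of security logs for intrusion attempts, but neither says what such an analysis looks like in practice. The following is an added example of the simplest form of that check, run over a few constructed authentication log lines; it is not code from this guidance or from Microsoft’s monitoring. The log format, the sample lines, the five-failures-in-sixty-seconds threshold and the alert names are all constructed for the illustration.

```python
"""Sliding-window analysis of authentication logs for access attempts
(added example; not the guidance's or Microsoft's code). The log format,
sample lines, threshold and window are constructed assumptions."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines for the example, not from any real system.
SAMPLE_LOG = """\
2014-11-03T09:00:01Z auth FAIL user=jlim src=203.0.113.7
2014-11-03T09:00:03Z auth FAIL user=jlim src=203.0.113.7
2014-11-03T09:00:05Z auth FAIL user=admin src=203.0.113.7
2014-11-03T09:00:06Z auth FAIL user=root src=203.0.113.7
2014-11-03T09:00:08Z auth FAIL user=ops src=203.0.113.7
2014-11-03T09:00:09Z auth OK user=ops src=203.0.113.7
2014-11-03T09:15:00Z auth FAIL user=ktan src=198.51.100.4
2014-11-03T09:20:00Z auth OK user=ktan src=198.51.100.4
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth (?P<result>OK|FAIL) user=(?P<user>\S+) src=(?P<src>\S+)$"
)

FAIL_THRESHOLD = 5                 # assumption: five failures ...
WINDOW = timedelta(seconds=60)     # ... from one source within sixty seconds


def parse(line):
    """Return (timestamp, result, user, src) or None for an unrecognised line."""
    m = LINE_RE.match(line)
    if not m:
        return None   # skip malformed lines instead of aborting the whole run
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ts, m["result"], m["user"], m["src"]


def analyse(log_text):
    """Return a list of (src, kind, detail) alerts.

    kind is 'brute_force' when FAIL_THRESHOLD failures from one source fall
    inside WINDOW, and 'success_after_failures' when a successful login from a
    source follows a burst that already tripped the threshold; the second kind
    is the one that should be treated as a possible account compromise.
    """
    recent = defaultdict(deque)     # src -> timestamps of failures still in the window
    flagged = set()                 # sources already alerted, to avoid repeats
    alerts = []
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        ts, result, user, src = rec
        q = recent[src]
        while q and ts - q[0] > WINDOW:   # slide the window forward
            q.popleft()
        if result == "FAIL":
            q.append(ts)
            if len(q) >= FAIL_THRESHOLD and src not in flagged:
                flagged.add(src)
                alerts.append((src, "brute_force", f"{len(q)} failures in {WINDOW.seconds}s"))
        elif src in flagged:
            alerts.append((src, "success_after_failures", f"user={user}"))
    return alerts


if __name__ == "__main__":
    for src, kind, detail in analyse(SAMPLE_LOG):
        print(f"{kind:24} src={src} {detail}")
```

Keying the window on source address rather than on user name is what makes the spray across jlim, admin, root and ops visible as one event; a per-user counter would see four sources each with one or two failures and raise nothing.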

21. Are the following physical and environmental controls available at the data center?

(a) All computer and telecommunications peripherals adequately labeled for proper identification
(b) Uninterruptible power supply
(c) Air conditioning system
(d) Temperature sensor
(e) Fire detector
(f) Smoke detector
(g) Fire suppression system
(h) Raised floor
(i) Water leakage detection system

Part V of the BNM’s Guidelines on Management of IT Environment.

Taking each one in turn:

(a) All computer and telecommunications peripherals adequately labeled for proper identification. Yes.

(b) Uninterruptible power supply (“UPS”). Microsoft’s data centers have dedicated 24x7 UPS and emergency power support, i.e. generators. Regular maintenance and testing is conducted for both the UPS and generators. Data centers have made arrangements for emergency fuel delivery. The data centers have dedicated Facility Operations Centers to monitor the power systems, including all critical electrical components – generators, transfer switch, main switchgear, power management module and UPS equipment.

(c) Air conditioning system. Microsoft has implemented environmental controls to protect the data centers including ventilation and air conditioning.

(d) Temperature sensor. Microsoft has implemented environmental controls to protect the data centers including temperature control and heating. The data centers’ Facility Operations Centers monitor the heating, ventilation and air conditioning system, which controls and monitors space temperature and humidity within the data centers, space pressurization and outside air intake.

(e) Fire detector. Fire Detection and Suppression systems exist at all Microsoft’s data centers. Additionally, portable fire extinguishers are available at various locations in the data center. Routine maintenance is performed on facility and environmental protection equipment.

(f) Smoke detector. See above. In addition, Microsoft’s equipment is placed in environments which have been engineered to be protective from environmental risks such as smoke.

(g) Fire suppression system. Fire Detection and Suppression systems exist at all Microsoft’s data centers. Additionally, portable fire extinguishers are available at various locations in the data center. Routine maintenance is performed on facility and environmental protection equipment.

(h) Raised floor. Microsoft’s equipment is placed in environments which have been engineered to be protective from environmental risks such as water.

(i) Water leakage detection system. Microsoft has water leakage detection systems for water-cooling data centers.

22. Who is primarily in charge of security administration and systems access functions?

Paragraph 1(e), Part III of the BNM’s Guidelines on Management of IT Environment which provides that a security administrator and/or a system administrator who are responsible for the system security and/or administration functions and to implement policies as well as adopted standards, should be formally appointed.

Overall responsibility for these matters remains with our organization and we have procedures in place to monitor overall performance. Our [security administrator/system administrator is insert name].

Microsoft will perform the technical monitoring and management functions on our behalf. System level data such as configuration data/file and commands are managed as part of the configuration management system. Any changes or updates to or deletion of those data/files/commands will be automatically deleted by the configuration management system as anomalies.

We will receive information about system integrity, security monitoring and network performance through the Azure Service Health Dashboard, as described above.

23. Does the Service Provider adhere to the provisions of the Personal Data Protection Act 2010 (“PDPA”)?

Paragraph 26.1 of the BNM’s Guidelines on Internet Insurance which provides that any outsourcing of information technology services that relates to internet insurance requires that the vendor abide by any data protection legislation that is in effect. The PDPA can be found here.

Yes.

Our use of Microsoft Azure would not cause us to fail to meet any obligation we may have under the PDPA. In fact, we think that Microsoft Azure has features that will help us comply with certain provisions (including security obligations). We will continue to maintain overall responsibility and accountability for compliance with the PDPA.

In relation to the specific requirements of the PDPA that apply to the use of cloud services:

1. We have an obligation to implement reasonable and appropriate organizational, physical and technical measures to protect personal information. We are satisfied with Microsoft’s security procedures, as described in its Standard Response to Request for Information – Security and Privacy (and further described in other parts of this document).

2. We have an obligation to use contractual or other reasonable means to provide a comparable level of protection while the information is being processed by Microsoft. We are satisfied that our legally-binding agreement with Microsoft, and the operational procedures we have in place to monitor compliance, together with our choice of service provider, will provide at least a comparable level of protection for personal information. Our contract with Microsoft ensures that all data (but in particular any customer data) is treated with the highest level of security enabling us to continue to comply with our legal and regulatory obligations and our commitments to customers.

3. In addition Microsoft commits to comply with ISO/IEC 27018. In February 2015, Microsoft became the first major cloud provider to adopt the world’s first international standard for cloud privacy, ISO/IEC 27018. The standard was developed by the International Organization for Standardization (ISO) to establish a uniform, international approach to protecting privacy for personal data stored in the cloud. The British Standards Institute (BSI) has now independently verified that Microsoft is aligned with the standard’s code of practice for the protection of Personally Identifiable Information (PII) in the public cloud. The controls set out in ISO/IEC 27018 match the protections required by the PDPA. For more information on this, follow this link.

G. DATA BACKUP AND DISASTER RECOVERY

24. Does the Service Provider have a fully documented and adequately resourced business continuity plan (“BCP”) and disaster recovery plan (“DRP”)? If yes, provide documentation or details.

Paragraph 112 of the BNM’s BCM Guidelines.

Yes.

Microsoft offers contractually-guaranteed uptime, globally available data centers for primary and backup storage, physical redundancy at disk, NIC, power supply and server levels, constant content replication, robust backup, restoration and failover capabilities, real-time issue detection and automated response such that workloads can be moved off any failing infrastructure components with no perceptible impact on the service, and 24/7 on-call engineering teams.

Microsoft’s arrangements are as follows:

Redundancy
Physical redundancy at server, data center, and service levels;
Data redundancy with robust failover capabilities; and
Functional redundancy with offline functionality.

Resiliency
Active load balancing;
Automated failover with human backup; and
Recovery testing across failure domains.

Distributed Services
Distributed component services limit scope and impact of any failures in a component;
Directory data replicated across component services insulates one service from another in any failure events; and
Simplified operations and deployment.

Monitoring
Internal monitoring built to drive automatic recovery;
Outside-in monitoring raises alerts about incidents; and
Extensive diagnostics provide logging, auditing, and granular tracing.

Simplification
Standardized hardware reduces issue isolation complexities;
Fully automated deployment models; and
Standard built-in management mechanism.

Human backup
Automated recovery actions with 24/7 on-call support;
Team with diverse skills on the call provides rapid response and resolution; and
Continuous improvement by learning from the on-call teams.

Continuous learning
If an incident occurs, Microsoft does a thorough post-incident review every time; and
Microsoft’s post-incident review consists of analysis of what happened, Microsoft’s response, and Microsoft’s plan to prevent it in the future.

For the avoidance of doubt, the nature of the services provided as part of Azure does not give rise to a risk that the Bank itself could become “offline” (i.e. there would be no implication for core banking functions such as transaction processing).

25. What are the data backup and recovery arrangements for your organization’s data that reside with the Service Provider?

Paragraph 71 of the BNM’s BCM Guidelines, which states that an institution should make available a functional alternate and recovery site for their business functions and technology in the event the business premises, key infrastructure and systems supporting critical business functions become unavailable. Pursuant to paragraph 110 of the BNM’s BCM Guidelines, the institution should ensure that the service provider is subjected to the BCM Guidelines, where appropriate. Therefore, the service provider should ensure that it has a functional alternate and recovery site.

See response directly above for details.

26. Has a testing of the BCP and DRP of the Service Provider been conducted?

Paragraph 112 of the BNM’s BCM Guidelines which provides that the institution should ensure that periodic testing is conducted by the outsourcing vendor on its BCP and DRP at least annually and twice a year, respectively.

Yes.

As part of Microsoft’s certification requirements, it is required to undergo regular independent third party auditing and Microsoft shares with us the independent third party audit reports.

27. How frequently does the Service Provider conduct tests on its BCP and DRP?

Paragraph 112 of the BNM’s BCM Guidelines which provides that periodic testing should be conducted by the outsourcing vendor at least twice a year on its BCP and DRP, respectively.

Microsoft carries out disaster recovery testing at least once per year.

28. Does your organization’s BCP address the reasonably foreseeable situations in the event that the Service Provider fails to provide the required services, causing disruptions to your organization’s operations?

Paragraph 115 of BNM’s BCM Guidelines which provides that the institution’s own BCP should address reasonably foreseeable situations where the outsourcing vendor fails to provide the required services, causing disruptions to the institution’s operations.

Note that this question primarily concerns your own internal BCP. If you have any questions or we can help in any way, just let us know.

29. Have you tailored and tested your disaster recovery or business continuity plan?

Part B.2.9 of the BNM’s BCM Guidelines which provides for the testing of the BCP and DRP by the institution. BCP should be tested at least once a year for all critical business functions, while the DRP for all critical application systems should be tested at least twice a year, of which one of the tests should be a “live run”.

This question concerns your own testing as opposed to that which Microsoft carries out. You will need to be able to demonstrate that you comply with the requirements set out above in terms of frequency of testing.

30. Is the Service Provider required to notify you in the event that it makes significant changes to its BCP and DRP, or encounters other circumstances that might have a serious impact on its services?

Paragraph 114 of the BNM’s BCM Guidelines.

Yes.

Microsoft will inform us if there are any important changes to the service with respect to security, privacy, and compliance. Microsoft will also promptly notify us if our data has been accessed improperly.

In the event that a security incident or violation is detected, Microsoft Customer Service and Support notifies Azure subscribers by updating the Service Health Dashboard that is available on the Azure portal. We would have access to Microsoft’s dedicated support staff, who have a deep knowledge of the service. Microsoft provides an RTO (as defined above) of 30 min or less for Virtual Machines and Storage, 1 hour or less for Virtual Network, and a Recovery Point Objective (“RPO”) of 1 minute or less for Storage.

After the incident, Microsoft provides a thorough PIR. See our response above for more information.

31. What are the RTO of systems or applications outsourced to the Service Provider?

Part G of the BNM’s BCM Guidelines, ‘Recovery Time Objective’.

RTO: 30 min or less for Virtual Machines and Storage, 1 hour or less for Virtual Network.

H. EXIT STRATEGY

32. Do you have the right to terminate the SA in the event of default, ownership change, change of security or serious deterioration of service quality?

Paragraph 10.10(i) of BNM’s Guidelines on Outsourcing for Insurers which states that the SA between the insurer and the service provider should provide for default events and remedies, which should include a termination clause. In particular, the insurer should have the right to terminate the agreement if the agreed service levels are consistently not met or when the service provider undergoes a material change in ownership or encounters other circumstances that might seriously impair its ability to provide the agreed services.

Yes.

Our main agreement with Microsoft contains usual termination provisions. The SLA contained within the MBSA is terminable by us for convenience at any time by providing not less than 60 days’ notice. Any sub-agreements to the MBSA are terminable by us for convenience at any time by providing not less than 30 days’ notice. In addition, we have standard rights of termination for material breach. This gives us the flexibility and control we need to manage the relationship with Microsoft because it means that we can terminate the arrangements whether with or without cause.


33. In the event of contract termination with the Service Provider, either on expiry or prematurely, are you able to have all IT information and assets promptly removed or destroyed?

Paragraph 10.10(i) of the BNM’s Guidelines on Outsourcing for Insurers, which states that the SA should also lay down clear procedures for the return of the insurer’s intellectual or physical property in a timely manner, in the event of default or termination.

Yes.

Microsoft uses best practice procedures and a wiping solution that is NIST 800-88 compliant. For hard drives that cannot be wiped, it uses a destruction process (i.e. shredding) that renders the recovery of information impossible (e.g. disintegrate, shred, pulverize, or incinerate). The appropriate means of disposal is determined by the asset type. Records of the destruction are retained.

All Microsoft Online Services utilize approved media storage and disposal management services. Paper documents are destroyed by approved means at the pre-determined end-of-life cycle.

“Secure disposal or re-use of equipment and disposal of media” is covered under the ISO/IEC 27001 standards against which Microsoft is certified.

I. INFORMATION TO BE SUBMITTED FOR APPLICATIONS TO OUTSOURCE ABROAD

BNM’s prior approval is required for ICs to enter into any outsourcing arrangement (material or not) which results in services being provided in a location outside Malaysia. Applications to outsource abroad should include the information set out below (see Appendix III of the BNM Guidelines on Outsourcing for Insurers).


34. Full description of services to be outsourced.

You can find the details in the contract, which comprehensively sets out the scope of the arrangement and the respective commitments of the parties. The online services are ordered under the Enrollment, and the order will set out the online services and relevant prices.

The services are broadly described, along with the applicable usage rights, in the Product List and the PUR. The services are described in detail in the Service Description, which is not part of the contract. However, Microsoft makes a functionality commitment in the Core Features Amendment, and as a minimum the online services will meet that commitment during the term of the contract.

35. Business case.

You will need to provide a business case. You can draw upon some of the information contained in section B above.

36. Materiality assessment.

For ICs, see the relevant considerations regarding what is ‘material’ in Part VIII of the BNM Guidelines on Outsourcing for Insurers.

37. Due diligence of Service Provider.

You can draw upon the information provided in section C above.

38. Confirmation that the relevant laws of the foreign jurisdiction and terms and conditions of the SA allow for BNM to have reasonable and timely access to information/data belonging to the IC.

You will likely want to undertake your own legal review in this regard. Microsoft is not aware of any laws in the countries in which it would be providing the services that would impact BNM having such access.

39. Description of the manner in which the IC will ensure effective control and oversight over the service outsourced (should include a description of identified risks involved in the arrangement and the strategies put in place to address the risks).

You can draw upon the information contained in section B above, which contains detailed information regarding risk assessment and management and control and oversight.

40. Confirmation that the services are not available locally at comparable costs and service levels or, if available, the justification for the use of the foreign Service Provider.

You will need to confirm this point from your own analysis.

41. Description of any reciprocal services provided out of Malaysia.

Not applicable.


APPENDIX ONE

MANDATORY CONTRACTUAL REQUIREMENTS

This table sets out the specific items that must be covered in the IC’s agreement with the Service Provider.

Key:

Where relevant, a cross-reference is included in red italics to the underlying regulation that sets out the contractual requirement.

In blue text, Microsoft has provided you with a reference to where in the agreement the contractual requirement is covered for ease of reference.

Terms used below are as follows:

OST = Online Services Terms

EA = Enterprise Agreement

Enrolment = Enterprise Enrolment

FSA = Financial Services Amendment

MBSA = Microsoft Business and Services Agreement

PUR = Product Use Rights

SLA = Online Services Service Level Agreement


Ref. Requirement Microsoft agreement reference

1. General obligations:

- All material outsourcings should be documented by clearly written service agreements that address, as far as possible within the contract, all issues relevant to managing the risks associated with the outsourcing arrangement.
- The agreement should be reviewed by the IC’s legal counsel to ensure that the IC’s interests are safeguarded.
- Agreements should be signed by the relevant parties prior to the commencement of the services. Thereafter, material modifications to the service agreement should not be permitted without the prior consent of the IC.

Paragraph 10.9, BNM Guidelines on Outsourcing for Insurers

Documented:

Yes.

The contractual documents are all written and clear.

Reviewed by legal counsel:

Yes.

Microsoft recommends that you do seek legal advice on the use of cloud computing services in relation to statutory / regulatory / common law requirements. You will need to be able to confirm this review has been undertaken.

Signed by relevant parties prior to commencement of the services and material modifications not permitted without the consent of the IC:

Yes.

The document is signed by the parties. Section 11k of the MBSA states that the contract may be amended only by a formal written agreement signed by both parties.


2. The description of the services to be provided including the frequency, content and format of the services.

Paragraph 10.10(a), BNM Guidelines on Outsourcing for Insurers

Yes.

The contract pack comprehensively sets out the scope of the arrangement and the respective commitments of the parties. The services are described, along with the applicable usage rights, in the Product List and OST (pages 14 and 15). The services are described in detail in the Services Description, which is not part of the contract. However, Microsoft makes a functionality commitment in the Core Features Amendment, and as a minimum the online services will meet that commitment.

3. Service levels and performance measures which should be consistent with the IC’s outsourcing objectives and strategies.

Paragraph 10.10(b), BNM Guidelines on Outsourcing for Insurers

Yes.

The SLA contains Microsoft’s service level commitment, as well as the remedies for the customer in the event that Microsoft does not meet the commitment. The terms of the SLA current at the start of the applicable initial or renewal term of the Enrollment are fixed for the duration of that term.

4. Clear identification and establishment of ownership of all assets (intellectual and physical) relating to the outsourcing arrangement. Where relevant, the service agreement should specify the terms governing the use of the IC’s premises, personnel and equipment.

Paragraph 10.10(c), BNM Guidelines on Outsourcing for Insurers

Yes.

Ownership of Customer Data remains at all times with the customer (see OST, page 8).

Terms governing the use of our premises, personnel and equipment are not relevant.

5. Agreed responsibilities and duties of the Service Provider including:

- Compliance with relevant regulatory requirements and internal policies of the IC;
- Provisions dealing with the protection and maintenance of the IC’s data and assets which should be capable of logical separation at all times from those handled by the Service Provider for other clients;
- Obligation of the Service Provider to maintain adequate insurance coverage;
- Reporting requirements necessary to enable the IC to effectively monitor the performance of the Service Provider in a timely manner as well as reporting of events that may materially affect the delivery of service.

Paragraph 10.10(d), BNM Guidelines on Outsourcing for Insurers

Compliance with relevant regulatory requirements and internal policies of the IC:

Yes.

MBSA section 11m states that Microsoft and the customer each commit to comply with all applicable privacy and data protection laws and regulations.

Provisions dealing with the protection and maintenance of the IC’s data and assets which should be capable of logical separation at all times from those handled by the Service Provider for other clients:

Yes.

The customer retains the ability to access its Customer Data at all times (OST, page 10), and Microsoft will deal with Customer Data in accordance with Enrollment clause 6c(iv) and the OST. In summary: following termination Microsoft will (unless otherwise directed by the customer) delete the Customer Data after a 90 day retention period. Finally, from a technical perspective the wide availability and usage of Microsoft’s products means that Customer Data can generally be extracted in a format compatible with commonly available alternative products.

Microsoft also makes specific commitments with respect to Customer Data in the OST. In summary, Microsoft commits that:

1. Ownership of Customer Data remains at all times with the customer (see OST, page 8).
2. Customer Data will only be used to provide the online services to the customer. Customer Data will not be used for any other purposes, including for advertising or other commercial purposes (see OST, page 8).
3. Microsoft will not disclose Customer Data to law enforcement unless it is legally obliged to do so, and only after not being able to redirect the request to the customer (see OST, page 8).
4. Microsoft will implement and maintain appropriate technical and organizational measures, internal controls, and information security routines intended to protect Customer Data against accidental, unauthorized or unlawful access, disclosure, alteration, loss, or destruction (see OST, page 8 and pages 11-13 for more details).
5. Microsoft will notify the customer if it becomes aware of any security incident, and will take reasonable steps to mitigate the effects and minimize the damage resulting from the security incident (see OST, page 9).

Obligation of the Service Provider to maintain adequate insurance coverage:

Yes.

MBSA section 10 deals with insurance. In practice, Microsoft maintains self-insurance arrangements for many of the areas where third party insurance is typically obtained. Microsoft has taken the commercial decision to take this approach, and does not believe that this detrimentally impacts upon its customers given that Microsoft is an extremely substantial entity.

Reporting requirements necessary to enable the IC to effectively monitor the performance of the Service Provider in a timely manner as well as reporting of events that may materially affect the delivery of service:

Yes.

The OST specifies the audit and monitoring mechanisms that Microsoft puts in place in order to verify that the online services meet appropriate security and compliance standards. This commitment is reiterated in the FSA.

Clause 1f of the FSA gives the customer the opportunity to participate in the Microsoft Online Services Customer Compliance Program, which is a for-fee program that facilitates the customer’s ability to (a) assess the services’ controls and effectiveness, (b) access data related to service operations, (c) maintain insight into operational risks of the services, (d) be provided with additional notification of changes that may materially impact Microsoft’s ability to provide the services, and (e) provide feedback on areas for improvement in the services.

6. Obligations of the Service Provider to protect confidential information. This should include a provision prohibiting the Service Provider and its agent from using or disclosing the IC’s proprietary information or that of its customers, except as necessary to provide the contracted services and to meet regulatory and statutory provisions. The agreements should provide for the IC to be promptly notified of any breach of confidentiality and address liability for losses that might result from such a breach.

Paragraph 10.10(e), BNM Guidelines on Outsourcing for Insurers

Yes.

MBSA section 3 deals with confidentiality. Under this section Microsoft commits not to disclose our confidential information (which includes our data) to third parties and to only use our confidential information for the purposes of Microsoft’s business relationship with us. If there is a breach of confidentiality by Microsoft, we are able to bring a claim for breach of contract against Microsoft.

MBSA section 11m states that Microsoft and the customer each commit to comply with all applicable privacy and data protection laws and regulations.

Microsoft will notify the customer if it becomes aware of any security incident, and will take reasonable steps to mitigate the effects and minimize the damage resulting from the security incident (see OST, page 9).

MBSA section 6 deals with liability. MBSA section 5 sets out Microsoft’s obligation to defend the regulated entity against third party infringement and breach of confidence claims. Microsoft’s liability under section 5 is unlimited.

7. The basis for compensation and fees for the services provided as well as circumstances under which additional charges may be imposed. Conditions under which the payment structure may be changed should also be addressed.

Paragraph 10.10(f), BNM Guidelines on Outsourcing for Insurers

Yes.

Sales of Microsoft product to enterprise customers are made via a Microsoft reseller, who sets the end price with the customer. The basis for the pricing will therefore be set out in a separate agreement with Microsoft’s reseller.

Microsoft has a variety of flexible licensing models. Please refer to the arrangements with your Microsoft reseller for more information. In general, the customer is required to commit to annual payments (payable in advance) based upon the customer’s number of users.

8. Contingency arrangements outlining the Service Provider’s measures for ensuring the continuation of the outsourced activity in the event of problems affecting the Service Provider’s operation. The agreement should place an obligation on the Service Provider to regularly test its business resumption and contingency systems and to notify the IC of the test results. In addition, the IC should be notified in the event that the Service Provider makes significant changes to its contingency plans.

Paragraph 10.10(g), BNM Guidelines on Outsourcing for Insurers

Yes.

Business Continuity Management forms part of the scope of the accreditation that Microsoft maintains in relation to the online services, and Microsoft commits to maintain a data security policy that complies with these accreditations (see OST page 13). Business Continuity Management also forms part of the scope of Microsoft’s annual third party compliance audit.

Under the Compliance Framework Program (if taken up by the customer), Microsoft will provide communications to the customer regarding significant changes to the business resumption and contingency plans.

9. Mechanisms for resolving disputes. This should include recourse of the respective parties, procedures and period for resolution, indemnities, obligations of the respective parties in the event of a dispute (such as whether the Service Provider must continue to provide the service during the dispute) as well as applicable laws and jurisdiction under which disputes will be settled.

Paragraph 10.10(h), BNM Guidelines on Outsourcing for Insurers

Yes.

MBSA section 11 contains provisions that describe how a dispute under the contract is to be conducted.

MBSA section 11e sets out the jurisdictions in which the parties should bring their actions. Microsoft must bring actions against the customer in the country where the customer’s contracting party is headquartered. The customer must bring actions: (a) in Ireland, if the action is against a Microsoft affiliate in Europe; (b) in the State of Washington, if the action is against a Microsoft affiliate outside of Europe; or (c) in the country where the Microsoft affiliate delivering the services has its headquarters, if the action is to enforce a Statement of Services.

MBSA section 11h sets out the choice of law provision. Either the contract is governed by the laws of the State of Washington, if the contract is with a Microsoft affiliate located outside of Europe; or the contract is governed by the laws of Ireland, if the contract is with a European Microsoft affiliate.

MBSA section 6 deals with liability and rights of action. MBSA section 5 sets out Microsoft’s obligation to defend the regulated entity against third party infringement and breach of confidence claims. Subject to the terms of the MBSA, Microsoft’s liability under section 5 is unlimited.

10. Default events and remedies which should include a termination clause. In particular, an IC should have the right to terminate the agreement if agreed service levels are consistently not met, or when the Service Provider undergoes a material change in ownership or encounters other circumstances that might seriously impair its ability to provide the agreed services. Appropriate notice should be required for termination which should allow the IC to make alternative arrangements without significantly disrupting operations. Clear procedures should also be specified for the return of the IC’s intellectual or physical property in a timely manner.

Paragraph 10.10(i), BNM Guidelines on Outsourcing for Insurers

Yes.

Termination rights for the Enrollment are set out in the Enrollment itself, and in section 6 of the EA. If the Enrollment is terminated, this will terminate all products and services ordered under the Enrollment (except to the extent that the customer has perpetual rights).

Online services may also be terminated or suspended in the circumstances described in section 6d of the EA, and as specified in the OST, pages 5, 11 and 30.

In the event of default, the provisions of the SLA will apply to service level failures, and page 9 of the OST sets out arrangements in the event of security incidents. Other defaults are addressed in the MBSA and EA. A termination right for cause is set out at section 6c of the EA.

The contract also allows the customer to terminate the arrangement with Microsoft for convenience (MBSA section 8), which means the customer has the right to terminate in the event of default including change of ownership, insolvency or where there is a breach of security or confidentiality or demonstrable deterioration in the ability of the Service Provider to perform the service as contracted.

Note also that customers have control over the use they make of, and data they load into, the online service.

Clear procedures for the return of the IC’s intellectual or physical property in a timely manner:

Yes.

Microsoft contractually commits to retain our data stored in the Online Service in a limited function account for 90 days after expiration or termination of our subscription so that we may extract the data. After the 90 day retention period ends, Microsoft will disable our account and delete our data (OST, page 5).

In addition, the customer retains the ability to access its Customer Data at all times (OST, page 10), and Microsoft will deal with Customer Data in accordance with Enrollment clause 6c(iv) and the OST. Finally, MBSA section 11m states that Microsoft and the customer each commit to comply with all applicable privacy and data protection laws and regulations.

11. Audit and inspection rights for the insurer to evaluate or alternatively cause an independent auditor to evaluate on its behalf the service provided. This should include the ability of the IC to review all books, records, information, systems and the internal control environment (including access to relevant audit reports) in the Service Provider that are relevant to the outsourced activity.

Paragraph 10.10(j), BNM Guidelines on Outsourcing for Insurers

Yes.

The OST specifies the audit and monitoring mechanisms that Microsoft puts in place in order to verify that the online services meet appropriate security and compliance standards. This commitment is reiterated in the FSA.

In addition, clauses 1e and 1f of the FSA detail the examination and influence rights that are granted to the customer and BNM.

Clause 1e sets out a process which can culminate in the regulator’s examination of Microsoft’s premises.

Clause 1f gives the customer the opportunity to participate in the Microsoft Online Services Customer Compliance Program, which is a for-fee program that facilitates the customer’s ability to (a) assess the services’ controls and effectiveness, (b) access data related to service operations, (c) maintain insight into operational risks of the services, (d) be provided with additional notification of changes that may materially impact Microsoft’s ability to provide the services, and (e) provide feedback on areas for improvement in the services.

12. Appropriate limitations concerning the ability of the Service Provider to subcontract any part of the outsourced activity to a third party. The approval of the IC should be required for the use of subcontractors and the IC is expected to ensure that the conditions for subcontracting allow the IC to maintain similar control over the outsourcing relationship and outsourcing risks as if the service were not subcontracted.

Paragraph 10.10(k), BNM Guidelines on Outsourcing for Insurers

Yes.

See page 9 of the OST, under which Microsoft is permitted to hire subcontractors.

The confidentiality of our data is protected when Microsoft uses subcontractors because Microsoft commits that its subcontractors “will be permitted to obtain Customer Data only to deliver the services Microsoft has retained them to provide and will be prohibited from using Customer Data for any other purpose” (OST, page 9).

Microsoft commits that any subcontractors to whom Microsoft transfers our data will have entered into written agreements with Microsoft that are no less protective than the data processing terms in the OST (OST, page 11).

Under the terms of the OST, Microsoft remains contractually responsible (and therefore liable) for its subcontractors’ compliance with Microsoft’s obligations in the OST (OST, page 9). In addition, Microsoft’s commitment to ISO/IEC 27018 requires Microsoft to ensure that its subcontractors are subject to the same security controls as Microsoft is subject to. Finally, the EU Model Clauses, which are included in the OST, require Microsoft to ensure that its subcontractors outside of Europe comply with the same requirements as Microsoft and set out in detail how Microsoft must achieve this.

Microsoft maintains a list of authorized subcontractors for the online services that have access to our data and provides us with a mechanism to obtain notice of any updates to that list (OST, page 10). The actual list is published on the applicable Trust Center. If we do not approve of a subcontractor that is added to the list, then we are entitled to terminate the affected online services.


13. The service agreement should stipulate a defined time frame for the provision of services which may include an option for the IC to renew the terms of the service if desired. ICs are expected to regularly review the service agreement to assess whether the agreement needs to be renegotiated to bring it in line with current market standards and to cope with changes in business strategies. For this purpose, a clause should be included in the service agreement to allow for such interim reviews under reasonable circumstances.

Paragraph 10.11, BNM Guidelines on Outsourcing for Insurers

Enrollments have a three year term, and may be renewed for a further three year term. A review would therefore take place at least every three years, although amendments can be made more regularly. Section 11k of the MBSA states that the contract may be amended only by a formal written agreement signed by both parties.

14. The service agreement must not contain any clause that would:

- Prevent an IC from modifying or terminating an outsourcing arrangement pursuant to a directive of the bank;
- Affect the right of a customer against the IC, including the right to obtain redress;
- Impede the IC from meeting its regulatory obligations, or the BNM from exercising its supervisory powers; or
- Preclude the service from being continued in situations where the BNM or a person appointed by the BNM takes control of the IC or where the IC is in liquidation.

Paragraph 10.12, BNM Guidelines on Outsourcing for Insurers

Microsoft does not believe that any of these provisions are included in the contractual documents. You should confirm that this is the case. If you have any questions, please do not hesitate to get in touch with your Microsoft contact.

We confirm that our agreement with Microsoft does not contain any such clauses.

15. The service agreement should specify the requirements for ensuring the continuity of the outsourcing vendor’s services. Recovery time objectives (RTO) should be built into the outsourcing contract with provisions for legal liability should the RTO not be achieved.

Paragraph 111, BCM Guidelines

Yes.

Business Continuity Management forms part of the scope of the accreditation that Microsoft maintains in relation to the online services, and Microsoft commits to maintain a data security policy that complies with these accreditations (see OST page 13). Business Continuity Management also forms part of the scope of Microsoft’s annual third party compliance audit.

RTO requirements are set out in the SLA, which also includes provision for service credits if Microsoft fails to meet the commitments in the SLA. If a failure by Microsoft also constitutes a breach of contract to which the service credits regime does not apply, we would of course have ordinary contractual claims available to us too under the contract.

16. Service agreements for contracted services should clearly prohibit the unauthorized disclosure of confidential data by the external party and provide for adequate remedies.

Paragraph 4.25, Guidelines on Data Management and MIS Framework

Yes.

MBSA section 3 deals with confidentiality. Under this section Microsoft commits not to disclose our confidential information (which includes our data) to third parties and to only use our confidential information for the purposes of Microsoft’s business relationship with us. If there is a breach of confidentiality by Microsoft, we are able to bring a claim for breach of contract against Microsoft.

17. The written, enforceable agreement should set out the governing roles, relationships, obligations and responsibilities of all contracting parties. It should also cover: performance expectations, service levels, availability, reliability, scalability, compliance, security and confidentiality, back-up processes facility, contingency planning, right to audit, contractual responsibilities and discontinuation of services and returning all information.

Source: Section II, paragraph 15(c), Guidelines on Management of IT Environment

Microsoft agreement reference: Yes.

All of these points are covered, taking each in turn:

1. The contract pack comprehensively sets out the scope of the arrangement and the respective commitments of the parties. The services are broadly described, along with the applicable usage rights, in the Product List and the OST (pages 14 and 15). The services are described in detail in the Services Description, which is not part of the contract. However, Microsoft makes a functionality commitment in the Core Features Amendment and as a minimum the online services will meet that commitment.

2. The SLA contains Microsoft’s service level commitment, as well as the remedies for the customer in the event that Microsoft does not meet the commitment.

3. MBSA section 11m states that Microsoft and the customer each commit to comply with all applicable privacy and data protection laws and regulations.

4. Microsoft also makes specific commitments with respect to Customer Data in the OST, including that Microsoft will implement and maintain appropriate technical and organizational measures, internal controls, and information security routines intended to protect Customer Data against accidental, unauthorized or unlawful access, disclosure, alteration, loss, or destruction (see OST, page 8 and pages 11-13 for more details).

5. MBSA section 3 deals with confidentiality. Under this section Microsoft commits not to disclose our confidential information (which includes our data) to third parties and to only use our confidential information for the purposes of Microsoft’s business relationship with us. If there is a breach of confidentiality by Microsoft, we are able to bring a claim for breach of contract against Microsoft.

6. Business Continuity Management forms part of the scope of the accreditation that Microsoft maintains in relation to the online services, and Microsoft commits to maintain a data security policy that complies with these accreditations (see OST page 13).

7. The OST specifies the audit and monitoring mechanisms that Microsoft puts in place in order to verify that the online services meet appropriate security and compliance standards. This commitment is reiterated in the FSA.

8. Online services may also be terminated or suspended in the circumstances described in section 6d of the EA, and as specified in the OST, pages 5, 11 and 30. The contract also allows the customer to terminate the arrangement with Microsoft for convenience (MBSA section 8).

9. Microsoft contractually commits to retain our data stored in the Online Service in a limited function account for 90 days after expiration or termination of our subscription so that we may extract the data. After the 90 day retention period ends, Microsoft will disable our account and delete our data (OST, page 5).

18. The agreement should explicitly mention BNM’s right to independently assess, when necessary and regardless of the location, the competence and the operational and financial performance of the service provider.

Source: Section II, paragraph 15(c), Guidelines on Management of IT Environment

Microsoft agreement reference: Yes.

The OST specifies the audit and monitoring mechanisms that Microsoft puts in place in order to verify that the online services meet appropriate security and compliance standards. This commitment is reiterated in the FSA.

In addition, clauses 1e and 1f of the FSA detail the examination and influence rights that are granted to the customer and BNM.

Clause 1e sets out a process which can culminate in the regulator’s examination of Microsoft’s premises.

Clause 1f gives the customer the opportunity to participate in the Microsoft Online Services Customer Compliance Program, which is a for-fee program that facilitates the customer’s ability to (a) assess the services’ controls and effectiveness, (b) access data related to service operations, (c) maintain insight into operational risks of the services, (d) be provided with additional notification of changes that may materially impact Microsoft’s ability to provide the services, and (e) provide feedback on areas for improvement in the services.

19. The agreement should be legally binding. It should outline all expected service levels, and the agreement should be properly executed to protect the institution’s interests.

Source: Part IV, paragraph 1(e), Guidelines on Management of IT Environment

Microsoft agreement reference: Yes.

The contractual documents are all written, clear and legally binding.

The SLA contains Microsoft’s service level commitment, as well as the remedies for the customer in the event that Microsoft does not meet the commitment. The terms of the SLA current at the start of the applicable initial or renewal term of the Enrollment are fixed for the duration of that term.

20. The agreement should be legally binding and properly executed. The agreement should oblige vendors to comply with good business practices that maintain the confidentiality and integrity of information and permit their activities to be audited.

Source: Part V, paragraph 1(c), Guidelines on Management of IT Environment

Microsoft agreement reference: Yes.

The contractual documents are all written, clear and legally binding. The agreement is signed.

MBSA section 4(a)(i) deals with professional conduct. Microsoft warrants that its services will be performed with professional care and skill.

MBSA section 3 deals with confidentiality. Under this section Microsoft commits not to disclose our confidential information (which includes our data) to third parties and to only use our confidential information for the purposes of Microsoft’s business relationship with us. If there is a breach of confidentiality by Microsoft, we are able to bring a claim for breach of contract against Microsoft.

The OST specifies the audit and monitoring mechanisms that Microsoft puts in place in order to verify that the online services meet appropriate security and compliance standards. This commitment is reiterated in the FSA.

21. If communications services are obtained from external service providers, the institution should ensure that the roles and responsibilities and expected service levels are defined in formal and enforceable agreements. The agreement should specify arrangements for ensuring continuity of service (i.e. detection of and recovery from service interruptions).

Source: Part VI, paragraph 3(c), Guidelines on Management of IT Environment

Microsoft agreement reference: Yes.

The contract pack comprehensively sets out the scope of the arrangement and the respective commitments of the parties. The SLA contains Microsoft’s service level commitment, as well as the remedies for the customer in the event that Microsoft does not meet the commitment.

Business Continuity Management forms part of the scope of the accreditation that Microsoft maintains in relation to the online services, and Microsoft commits to maintain a data security policy that complies with these accreditations (see OST page 13). Business Continuity Management also forms part of the scope of Microsoft’s annual third party compliance audit.

22. The agreement should be legally binding and properly executed to protect the institution’s interests. The agreement should oblige vendors to comply with good business practices that maintain the confidentiality and integrity of information, provide regular reports on network performance, maintain continuity of services in the event of a disaster and permit the vendor’s activities to be audited.

Source: Part VI, paragraph 3(e), Guidelines on Management of IT Environment

Microsoft agreement reference: Yes.

The contractual documents are all written, clear and legally binding.

All of these points are covered, taking each in turn:

1. MBSA section 4(a)(i) deals with professional conduct. Microsoft warrants that its services will be performed with professional care and skill.

2. MBSA section 3 deals with confidentiality. Under this section Microsoft commits not to disclose our confidential information (which includes our data) to third parties and to only use our confidential information for the purposes of Microsoft’s business relationship with us. If there is a breach of confidentiality by Microsoft, we are able to bring a claim for breach of contract against Microsoft.

3. The customer may monitor the performance of the online services via the administrative dashboard, which includes real time information as to Microsoft’s compliance with its SLA commitments.

4. Business Continuity Management forms part of the scope of the accreditation that Microsoft maintains in relation to the online services, and Microsoft commits to maintain a data security policy that complies with these accreditations (see OST page 13).

5. The OST specifies the audit and monitoring mechanisms that Microsoft puts in place in order to verify that the online services meet appropriate security and compliance standards. This commitment is reiterated in the FSA. Clause 1f of the FSA gives the customer the opportunity to participate in the Microsoft Online Services Customer Compliance Program, which is a for-fee program that facilitates the customer’s ability to (a) assess the services’ controls and effectiveness, (b) access data related to service operations, (c) maintain insight into operational risks of the services, (d) be provided with additional notification of changes that may materially impact Microsoft’s ability to provide the services, and (e) provide feedback on areas for improvement in the services.