As part of the regulatory process, our client is mandated to undertake a full review of all suppliers on a regular basis.
The client has a cloud solution based on Office 365 and Azure, with Mimecast email and Azure Vault archiving. The solution is protected by multi-factor authentication and is geo-located in Microsoft's Southeast Asia Azure region (Singapore).
As the MAS focuses on data security and IT governance, cloud services are viewed as particularly high risk.
Amongst other things, institutions are expected to:
- perform the due diligence measures and apply the sound governance and risk management practices set out in the MAS Guidelines when subscribing to cloud services;
- take active steps to address the risks associated with data access, confidentiality, integrity, sovereignty, recoverability, regulatory compliance and auditing;
- ensure that its service provider has the ability to clearly identify and segregate customer data; and
- have in place robust access controls to protect customer information for the length of the contract.
The aim of the review is to determine any “material outsourcing arrangement” so the appropriate controls can be implemented.
The MAS Guidelines define a “material outsourcing arrangement” as an outsourcing arrangement that:
- in the event of a service failure or security breach, has the potential either to materially impact an institution’s business operations, reputation or profitability, or its ability to manage risk and comply with applicable laws and regulations; or
- involves customer information and, in the event of any unauthorised access or disclosure, loss or theft of customer information, may have a material impact on an institution’s customers.
We assessed all vendors using a formal process based on the Form D7 (External Service Provider – outsourcing due diligence checklist) and Form D6 (Internal – outsourcing due diligence checklist) protocols. The outcome of the assessment was that Office 365 and Microsoft Azure constituted a material outsourcing arrangement, whilst the other suppliers could be replaced easily and were therefore not material.
This required full due diligence on the policies and procedures around data governance, service level agreements and annual auditing of the Microsoft services.
This due diligence was undertaken with the assistance of Microsoft's Singapore office.
The outcome was a comprehensive Outsourcing Register disclosure for the client, which the MAS accepted.