Confidential
Page 1 of 39
10004325-2
HONG KONG – BANKS
GUIDANCE ON COMPLYING WITH REGULATORY REQUIREMENTS APPLICABLE TO FINANCIAL SERVICES INSTITUTIONS
USING CLOUD COMPUTING
Last updated: November 2014
1. WHAT DOES THIS MICROSOFT GUIDANCE CONTAIN?
This guidance document provides a guide to complying with the regulatory process and requirements applicable to financial services institutions using
cloud computing. In this guidance financial services institutions means banks, also referred to in Hong Kong as authorized institutions (“FSIs”). Note that
insurance companies are subject to separate regulation in Hong Kong. Microsoft has prepared a guidance document for insurance companies which is
available on request.
Sections 2 to 6 of this guidance set out information about the regulatory process and the regulations that apply.
Section 7 sets out questions in relation to outsourcing to a cloud services solution based on the laws, regulations and guidance that are relevant to the
use of cloud services. Although there is no requirement to complete a checklist like this one, we have received feedback from FSIs that a checklist
approach like this is very helpful. The checklist can be used:
(i) as a checklist for ensuring regulatory compliance with the requirements set out in the laws, regulations and guidelines (listed in Section 2); and
(ii) as a tool to aid discussions with the regulator(s) (listed in Section 3), should they wish to discuss your organization’s overall approach to
compliance with their requirements.
Appendix One also contains a list of the mandatory contractual requirements required by relevant regulation.
Note that this document is not intended as legal or regulatory advice and does not constitute any warranty or contractual commitment on the part of
Microsoft or its affiliates. Instead, it is intended to streamline the regulatory process for you. You should seek independent legal advice on your
technology outsourcing project and your legal and regulatory obligations. If you have any questions, please do not hesitate to get in touch with your
Microsoft contact.
2. WHAT LAWS, REGULATIONS AND GUIDANCE ARE RELEVANT?
There are two key regulatory documents that HKMA has developed in this area:
HKMA’s Guidelines on Outsourcing (“Guidelines on Outsourcing”); and
HKMA’s General Principles for Technology Risk Management (“Technology Risk Principles”).
3. WHO IS/ARE THE RELEVANT REGULATOR(S)?
The Hong Kong Monetary Authority (“HKMA”)
4. IS REGULATORY APPROVAL REQUIRED IN HONG KONG?
No.
HKMA does not require FSIs to obtain prior approval before engaging service providers to provide cloud services.
5. IS/ARE THERE (A) SPECIFIC FORM OR QUESTIONNAIRE(S) TO BE COMPLETED?
No.
Unlike in certain jurisdictions, such as Singapore, there are no specific forms or questionnaires that an FSI must complete when considering cloud
computing solutions.
6. DOES THE REGULATOR MANDATE SPECIFIC CONTRACTUAL REQUIREMENTS THAT MUST BE ADOPTED?
Yes.
These are not set out by HKMA in a comprehensive list but the Guidelines on Outsourcing and Technology Risk Principles do contain certain provisions
which HKMA states should be set out in the FSI’s agreement with its service provider. Appendix One contains a comprehensive list and details of where
in the Microsoft contractual documents these points are covered.
7. CHECKLIST
Key:
In blue text, Microsoft has included template responses that would demonstrate how your proposed use of Microsoft’s services would address the point
raised in the checklist. The suggested responses may provide sufficient detail but if you require further information, Microsoft will be happy to provide this
if you get in touch with your Microsoft contact. Some points are specific to your own internal operations and processes and you will need to complete
these answers as well.
In red italics, Microsoft has provided guidance to assist you with the points in the checklist.
Ref. Question/requirement Template response and guidance
A. OVERVIEW
1. Who is the proposed Service Provider? The Service Provider is Microsoft Operations Pte Ltd, the regional licensing entity for Microsoft
Corporation, a global provider of information technology devices and services, which is publicly-listed in
the USA (NASDAQ: MSFT). Microsoft’s full company profile is available here:
https://www.microsoft.com/en-us/news/inside_ms.aspx.
2. How would cloud computing be
implemented in your organization?
Through adoption of Microsoft’s “Office 365” product, which is described in more detail here: Microsoft’s
Office 365
Amongst other things, the Office 365 service includes:
Microsoft Office applications hosted in the “cloud”
Hosted email
Web conferencing, presence and instant messaging
Data and application hosting
Spam and malware protection
IT support services.
3. List all proposed activities and operations to
be outsourced to the Service Provider.
1. Microsoft Office applications
2. Hosted email
3. Web conferencing, presence, and instant messaging
4. Data and application hosting
5. Spam and malware protection
6. IT support services
4. What data will be processed by the service
provider on behalf of the FSI?
When you choose a Microsoft Office 365 solution the types of data impacted are within your control so
the template response will need to be tailored depending on what data you have selected is relevant to
the solution.
We ensure that all data (but in particular any customer data) is treated with the highest level of security
in accordance with good industry practice to ensure that we and our service provider comply with our
legal and regulatory obligations and our commitments to customers. We do of course only collect and
process data that is necessary for our business operations in compliance with all applicable laws and
regulation and this applies whether we process the data on our own systems or via a cloud solution
such as Microsoft Office 365. Typically the types of data that would be processed and stored by the
Office 365 service would include:
Customer data (including customer name, contact details, account information, payment card data,
security credentials and correspondence).
Employee data (including employee name, contact details, internal and external correspondence by
email and other means and personal information relating to their employment with the organization).
Transaction data (data relating to transactions in which the organization is involved).
Indices (for example, market feeds).
Other personal and non-personal data relating to the organization’s business operations as a
financial institution.
B. ACCOUNTABILITY
5. In any outsourcing arrangement, the Board
of Directors and management of FSIs
should retain ultimate accountability for the
outsourced activity.
Paragraph 2.1.1, Guidelines on Outsourcing (Accountability).
We would also suggest including a list, setting out the position of the key people involved in the
selection and any decision-making and approvals processes used.
Management in our organization has been involved throughout to ensure that the project aligns with our
organization’s overall business and strategic objectives. At the center of our objectives are of course
legal and regulatory compliance and customer satisfaction and these were the key objectives that
management had in mind when it considered this project. We are satisfied that this solution will ensure
legal and regulatory compliance because of the key features (including the security and audit rights)
forming part of the Office 365 service. We are also satisfied that customer satisfaction will be
maintained because we believe that Office 365 will actually have some major benefits for our IT
operations and, accordingly, improve the overall service that we are able to provide to customers.
6. Outsourcing can allow management to
transfer their day-to-day managerial
responsibility, but not accountability, for an
activity or a function to a service provider.
FSIs should therefore continue to retain
ultimate control of the outsourced activity.
Paragraph 2.1.1, Guidelines on Outsourcing (Accountability).
The handing over of certain day-to-day responsibility to an outsourcing provider does present some
challenges in relation to control. Essential to us is that, despite the outsourcing, we retain control over
our own business operations, including control of who can access data and how they can use it. At a
contractual level, we have dealt with this via our contract with Microsoft, which provides us with legal
mechanisms to manage the relationship including appropriate allocation of responsibilities, oversight
and remedies. At a practical level, we have selected the Office 365 product since it provides us with
control over data location, authentication and advanced encryption controls. We (not Microsoft) will
continue to own and retain all rights to our data and our data will not be used for any purpose other than
to provide us with the Office 365 services.
C. RISK ASSESSMENT
7. The Board of Directors and management of
FSIs should ensure that the proposed
outsourcing arrangement has been subject
to a comprehensive risk assessment (in
respect of operational, legal and reputation
risks) and that all the risks identified have
been adequately addressed before launch.
Paragraph 2.2.1, Guidelines on Outsourcing (Risk Assessment).
Clearly the HKMA expects that your organization would have carried out a risk assessment. In
summary, this would need to include:
risk identification;
analysis and quantification of the potential impact and consequences of these risks;
risk mitigation and control strategy; and
ongoing risk monitoring and reporting.
Ideally this should also include all of the items listed in the next section (8). If you have any questions
when putting together a risk assessment, please do not hesitate to get in touch with your Microsoft
contact.
Yes, led by our management we have carried out a thorough risk assessment of the move to Office 365.
This risk assessment included:
[ ];
[ ]; and
[ ].
[A copy of the risk assessment can be provided to the HKMA upon request.]
8. Specifically, the risk assessment should
cover inter alia the following:
a. the importance and criticality of the
services to be outsourced;
Paragraph 2.2.1, Guidelines on Outsourcing (Risk Assessment).
Yes.
The risk assessment covered this.
We acknowledge that the services to be outsourced (being [Microsoft Office applications, Hosted email,
Web conferencing, presence, and instant messaging, Data and application hosting, Spam and malware
protection and IT support services]) are critical to our “business-as-usual” activities and that disruption
would have a material impact on our organization.
We have managed this risk through:
our choice of service provider, which was itself the result of a formal selection process that
amongst other things covered its [competence and track record, financial services credentials,
hiring and screening processes, financial and parent company strength, inputs from its
customers and its approach to continuity planning];
the controls we have in place to manage our relationship with the service provider (for example,
our contractual agreement, service levels and the rights of audit and inspection that we have in
place); and
our own internal controls should an issue arise (for example, our disaster recovery planning
process).
b. Reasons for the outsourcing (e.g.
cost and benefit analysis); and
Paragraph 2.2.1, Guidelines on Outsourcing (Risk Assessment).
Yes.
The risk assessment covered this.
Specifically, we have chosen to use Microsoft Office 365 for these services because we believe that it
will deliver benefits in terms of operating costs, service standard and security, and these requirements
were central to our selection process.
c. the impact on the FSI’s risk profile
(in respect of operational, legal and
reputation risks) of the outsourcing.
Paragraph 2.2.1, Guidelines on Outsourcing (Risk Assessment).
Yes, the risk assessment covered this.
Operational risk: We managed this through our choice of service provider (see for example,
question 13), the controls we have in place to manage our relationship with the service provider
(for example, our contractual agreement, service levels, access to a Microsoft technical account
manager and the regulator rights of audit and inspection that we have in place) and our own
internal controls (for example, our business continuity and disaster recovery plans).
Legal risk: We have in place with Microsoft a legally-binding agreement regarding our
respective roles and responsibilities in respect of the outsourcing. We chose Microsoft for this
project because we believe it can help us to comply with our legal obligations – for example, the
fact that Microsoft permits data audits by regulators was a key advantage over other cloud
solutions that we considered.
Reputational risk: We chose Microsoft because of its reputation in this sector. It is an industry
leader in cloud computing. Office 365 was built based on ISO 27001 standards and was the first
major business productivity public cloud service to have implemented the rigorous set of global
standards covering physical, logical, process and management controls.
9. After FSIs implement an outsourcing plan,
they should regularly re-perform this
assessment.
Paragraph 2.2.2, Guidelines on Outsourcing (Risk Assessment). The Guidelines do not specify exactly
how often this needs to be done but the HKMA may wish to know how often you plan to re-perform the
assessment (e.g. annually may be a good suggestion and/or whenever any material changes occur).
D. ABILITY OF THE SERVICE PROVIDER
10. Before selecting a service provider FSIs
should perform appropriate due diligence.
Paragraph 2.3 (Ability of Service Providers), Guidelines on Outsourcing (Risk Assessment). See
question 13 below for detail regarding the specific issues that HKMA considers should be taken into
account.
We have undertaken a thorough due diligence of Microsoft’s processes and procedures in relation to
Office 365.
As part of Microsoft’s certification requirements, Microsoft is required to undergo regular independent third
party auditing, and Microsoft shares the independent third party audit reports with us. Microsoft also
agrees, as part of its compliance program, to a customer right to monitor and supervise. We are confident
that such arrangements provide us with the appropriate level of up-front and on-going assessment of
Microsoft’s ability to meet our policy, procedural, security control and regulatory requirements.
11. In case of outsourcing of critical technology
services (e.g. data center operations), FSIs
are expected to commission a detailed
assessment of the technology service
provider’s IT control environment. The
assessment should ideally be conducted by
a party independent of the service provider.
The independent assessment report should
set out clearly the objectives, scope and
results of the assessment and should be
provided to the HKMA for reference.
Paragraph 7.1.1, Technology Risk Principles (Management of Technology Outsourcing) which sets out
some additional controls that FSIs should take into account.
We have not had cause to commission an independent assessment since numerous independent
assessments of Microsoft’s IT control environment have already been carried out.
By way of example, Microsoft is certified for ISO/IEC 27001. ISO/IEC 27001 is one of the best security
benchmarks available across the world. Office 365 is the first major business productivity public cloud
service to have implemented the rigorous set of physical, logical, process, and management controls
defined by ISO 27001.
12. FSIs should conduct an annual assessment
to confirm the adequacy of the IT control
environment of the provider of critical
technology services.
Paragraph 7.1.1, Technology Risk Principles (Management of Technology Outsourcing).
The HKMA expects that you repeat your assessment of the adequacy of the Office 365 solution at least
once a year. If you require any input from Microsoft, please do not hesitate to get in touch with your
Microsoft contact.
13. In assessing a provider, apart from the cost
factor and quality of services FSIs should
take into account the provider’s (a) financial
soundness, (b) reputation, (c) managerial
skills, (d) technical capabilities, (e)
operational capability and capacity, (f)
compatibility with the FSI’s corporate culture
and future development strategies, (g)
familiarity with the banking industry and (h)
capacity to keep pace with innovation in the
market.
Paragraph 2.3.1, Guidelines on Outsourcing (Ability of Service Providers) which lists these specific
considerations.
(a) Financial Soundness: Microsoft Corporation is publicly-listed in the United States and is amongst
the world’s largest companies by market capitalization. Microsoft’s audited financial statements
indicate that it has been profitable for each of the past three years. Its market capitalization is in the
region of USD 280 billion. Accordingly, we have no concerns regarding its financial strength.
(b) Reputation: Microsoft is an industry leader in cloud computing. Office 365 was built based on ISO
27001 standards and was the first major business productivity public cloud service to have
implemented the rigorous set of global standards covering physical, logical, process and
management controls. 40% of the world’s top brands use Office 365. Some case studies are
available on the Microsoft website.
(c) Managerial skills: The fact that Microsoft already manages these services for financial institutions
in leading markets around the world and that it has achieved an ISO 27001 accreditation (which,
amongst other things, assesses management controls) gives us confidence that it has the
necessary managerial skills.
(d) Technical capabilities: Microsoft’s ISO 27001 accreditation confirms that it has the technical
capability required for the service.
(e) Operational capability and capacity: Microsoft has demonstrated its operational capability
through its reputation (including the fact that 40% of the world’s top brands use Office 365) and its
ISO 27001 accreditation and we have no concerns as to its operational capacity as it is one of the
largest providers of cloud computing services in the world.
(f) Compatibility with the FSI’s corporate culture and future development strategies: We are
confident that the use of Office 365 will align well with our corporate culture and the fact that the
service is scalable (i.e. it can be expanded or reduced to meet our demand) means that it is
compatible with our future development strategy.
(g) Familiarity with the banking industry: Financial Institution customers in leading markets,
including in the UK, France, Germany, Australia, Hong Kong, Canada, the United States and many
other countries have performed their due diligence and, working with their regulators, are satisfied
that Office 365 meets their respective regulatory requirements. This gives us confidence that the
service provider is able to help meet the high burden of financial services regulation and is
experienced in meeting and understanding these requirements.
(h) Capacity to keep pace with innovation in the market: Microsoft has the financial, operational and
managerial capacity to lead innovation in the cloud computing market and it has demonstrated this
to date.
14. Technology service providers should have
sufficient resources and expertise to comply
with the substance of the FSI’s IT control
policies.
Paragraph 7.1.1, Technology Risk Principles (Management of Technology Outsourcing).
Yes. We are confident that Microsoft has sufficient resources and expertise to comply with the
substance of our requirements. In particular, we considered the following:
a. Competence and experience. Microsoft is an industry leader in cloud computing. Office 365 was
built based on ISO 27001 standards and was the first major business productivity public cloud
service to have implemented the rigorous set of global standards covering physical, logical, process
and management controls.
b. Past track-record. 40% of the world’s top brands use Office 365. We consulted various case
studies relating to Office 365, which are available on the Microsoft website and also considered the
fact that Microsoft has amongst its customers some of the world’s largest organizations and
financial institutions.
c. Specific financial services credentials. Financial Institution customers in leading markets,
including in the UK, France, Germany, Australia, Singapore, Canada, the United States and many
other countries have performed their due diligence and, working with their regulators, are satisfied
that Office 365 meets their respective regulatory requirements. This gives us confidence that
Microsoft is able to help meet the high burden of financial services regulation and is experienced in
meeting these requirements.
d. Microsoft’s staff hiring and screening process. All personnel with access to customer data are
subject to background screening, security training and access approvals. In addition, the access
levels are reviewed on a periodic basis to ensure that only users who have appropriate business
justification have access to the systems. User access to data is also limited by user role. For
example, system administrators are not provided with database administrative access.
e. Financial strength of Microsoft. Microsoft Corporation is publicly-listed in the United States and is
amongst the world’s largest companies by market capitalization. Microsoft’s audited financial
statements indicate that it has been profitable for each of the past three years. Its market
capitalization is in the region of USD 280 billion. Accordingly, we have no concerns regarding its
financial strength.
f. Business resumption and contingency plan. Microsoft offers contractually-guaranteed 99.9%
uptime, hosted out of world class data centers with physical redundancy at disk, NIC, power supply
and server levels, constant content replication, robust backup, restoration and failover capabilities,
real-time issue detection and automated response such that workloads can be moved off any failing
infrastructure components with no perceptible impact on the service, with 24/7 on-call engineering
teams.
g. Security and internal controls, audit, reporting and monitoring. Microsoft is an industry leader
in cloud security and implements policies and controls on par with or better than on-premises data
centers of even the most sophisticated organizations. We have confidence in the security of the
solution and the systems and controls offered by Microsoft. In addition to the ISO 27001
certification, Office 365 is designed for security with BitLocker Advanced Encryption Standard
(“AES”) encryption of email at rest and secure sockets layer (“SSL”)/transport layer security
(“TLS”) encryption of data in transit.
15. FSIs should try to avoid placing excessive
reliance on a single outside service provider
in providing critical technology services.
Paragraph 7.1.1, Technology Risk Principles (Management of Technology Outsourcing). You may also
want to provide details of any other suppliers you use or intend to use.
To ensure control, transparency and consistency, it is necessary for the applications and services
forming part of Office 365 to be provided by one provider (i.e. Microsoft). Because of the due diligence
and risk management processes we have implemented we do not think that our use of Office 365
represents an excessive reliance on one partner. Nonetheless, we do have in place contractual rights to
exit the arrangements with Microsoft at any time for convenience, which gives us the flexibility to move
to another provider (or to revert to a local, non-cloud based offering, such as Microsoft Office) should we
choose to do so.
E. OUTSOURCING AGREEMENT
Note: See also Appendix One of this guidance document for a comprehensive list of the contractual terms that HKMA mandates should be included in
the outsourcing agreement and how these are addressed by the Microsoft contractual documents.
16. The type and level of services to be
provided and the contractual liabilities and
obligations of the service provider should be
clearly set out in a service agreement
between FSIs and their service provider.
Paragraph 2.4.1, Guidelines on Outsourcing (Outsourcing Agreement).
Yes.
Microsoft’s Service Level Agreement (“SLA”) and its Business and Services Agreement apply to the
Office 365 service. Amongst other things, they provide details of the contractual liabilities and
obligations of Microsoft (one of which is a contractual 99.9% uptime guarantee for the Office 365
product).
Please find a copy of the SLA at:
http://www.microsoftvolumelicensing.com/DocumentSearch.aspx?Mode=3&DocumentTypeId=37
Microsoft’s Business and Services Agreement is available upon request.
17. FSIs should regularly (e.g. annually) review
their outsourcing agreements. They should
assess whether the agreements should be
renegotiated and renewed to bring them in
line with current market standards and to
cope with changes in their business
strategies.
Paragraph 2.4.2, Guidelines on Outsourcing (Outsourcing Agreement).
The HKMA seems to expect that you review your arrangements at least once per year. If you require
any input from Microsoft, please do not hesitate to get in touch with your Microsoft contact.
18. The outsourcing agreement should specify
clearly, among other things, the
performance standards and other
obligations of the technology service
provider, and the issue of software and
hardware ownership.
Paragraph 7.1.1, Technology Risk Principles (Management of Technology Outsourcing).
Yes.
Microsoft’s SLA and the Microsoft Business and Services Agreement specify clearly the performance
standards of Microsoft (for example, a 99.9% uptime) and other obligations of Microsoft (for example, its
obligations to provide access in the event of an audit/inspection). They also cover clearly the issue of
software and hardware ownership (the software and hardware are both owned by Microsoft, but their use
is licensed to us as users of the Office 365 service).
19. As technology service providers may further
sub-contract their services to other parties,
FSIs should consider including a notification
or an approval requirement for significant
sub-contracting of services and a provision
that the original technology service provider
is still responsible for its sub-contracted
services.
Paragraph 7.1.1, Technology Risk Principles (Management of Technology Outsourcing).
Microsoft assures us that it will inform us of any partners or subcontractors that Microsoft uses and why.
Microsoft assures us that Microsoft contractually obligates its subcontractors to security and privacy
standards equivalent to its own and Microsoft subcontractors only handle our data when required to
provide or maintain the services.
F. CUSTOMER DATA CONFIDENTIALITY
20. FSIs should ensure that the proposed
outsourcing arrangement complies with
relevant statutory requirements (e.g. the
Personal Data (Privacy) Ordinance - PDPO)
and common law customer confidentiality.
This will generally involve seeking legal
advice.
Paragraph 2.5.1, Guidelines on Outsourcing (Customer Data Confidentiality).
Microsoft recommends that you do seek legal advice on the use of cloud computing services in relation
to statutory/regulatory/common law requirements.
We are confident that the proposed use of Office 365 complies with relevant statutory requirements,
including the PDPO and common law customer confidentiality requirements.
Microsoft as an outsourcing partner is an industry leader in cloud security and implements policies and
controls on par with or better than on-premises data centers of even the most sophisticated
organizations. In relation to the PDPO, Office 365 includes the following features and commitments from
Microsoft to ensure compliance with the requirements of the PDPO: (i) Microsoft will not use our data for
purposes other than providing the services; (ii) Microsoft has security policies, controls and
security measures which are verified by independent auditors. These measures include security
features in its hardware, software and physical data centers, restricted physical data center access,
ISO 27001 compliance for Office 365, and encryption of data both at rest and over the network as it is
transmitted between the data center and a user; (iii) Microsoft will inform us promptly if our data has been
accessed improperly; (iv) our data will be deleted at the end of the service term, once we have been
able to take a copy of our data as necessary.
In addition Microsoft commits to comply with ISO/IEC 27018. In February 2015, Microsoft became the
first major cloud provider to adopt the world’s first international standard for cloud privacy, ISO/IEC
27018. The standard was developed by the International Organization for Standardization (ISO) to
establish a uniform, international approach to protecting privacy for personal data stored in the cloud.
The British Standards Institute (BSI) has now independently verified that Microsoft is aligned with the
standard’s code of practice for the protection of Personally Identifiable Information (PII) in the public
cloud. The controls set out in ISO/IEC 27018 match the protections required by the PDPO. For more
information on this, follow this link.
In choosing Microsoft, we also took into account the fact that Microsoft offers access and regulatory
audit rights, thereby allowing us to comply with our regulatory obligations in this respect.
21. FSIs should have controls in place to ensure that the requirements of customer data confidentiality are observed and proper safeguards are established to protect the integrity and confidentiality of customer information. Typical safeguards include, among other things:
- undertakings by the service provider that the company and its staff will abide by confidentiality rules, including taking account of the data protection principles set out in PDPO;
- FSIs' contractual rights to take action against the service provider in the event of a breach of confidentiality;
- segregation or compartmentalization of FSIs' customer data from those of the service provider and its other clients; and
- access rights to FSIs' data delegated to authorized employees of the service provider on a need basis.
Paragraph 2.5.2, Guidelines on Outsourcing (Customer Data Confidentiality).
Microsoft recommends that you seek legal advice as to PDPO requirements.
As above, Microsoft as an outsourcing partner is an industry leader in cloud security and implements policies and controls on par with or better than the on-premises data centers of even the most sophisticated organizations. Office 365 was built based on ISO 27001 standards, a rigorous set of global standards covering physical, logical, process and management controls.
Regarding the specific safeguards referred to in the HKMA Supervisory Policy Manual:
- Undertakings by the service provider that the company and its staff will abide by confidentiality rules, including taking account of the data protection principles set out in PDPO: Yes. We have contractual confidentiality terms in our agreements with Microsoft.
- FSIs' contractual rights to take action against the service provider in the event of a breach of confidentiality: Yes. We would expect to have a breach of contract claim in this situation.
- Segregation or compartmentalization of FSIs' customer data from those of the service provider and its other clients: Yes. Data storage and processing are segregated through Active Directory structure and capabilities specifically developed to help build, manage and secure multi-tenant environments. Active Directory isolates customers using security boundaries (also known as silos). This safeguards a customer’s data so that the data cannot be accessed or compromised by other parties.
- Access rights to FSIs' data delegated to authorized employees of the service provider on a need basis: Yes. Microsoft applies strict controls over which personnel roles, and which individuals, will be granted access to customer data. Personnel access to the IT systems that store customer data is strictly controlled via role-based access control (“RBAC”) and lock box processes. Access control is an automated process that follows the separation of duties principle and the principle of granting least privilege. This process ensures that the engineer requesting access to these IT systems has met the eligibility requirements, such as a background screen, fingerprinting, required security training and access approvals. In addition, access levels are reviewed on a periodic basis to ensure that only users who have an appropriate business justification have access to the systems.
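The access controls described in this response (eligibility requirements checked before access, separation of duties between requester and approver, least-privilege grants that are scoped and time-bound, and a periodic review that removes access lacking justification) can be made concrete in code. The following is an added example and is not Microsoft's implementation or code from this guidance; the engineer directory, the role-to-system mapping, the four-hour maximum, and the sample requests are all constructed assumptions used only to show how such a workflow evaluates a request.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Constructed model (an assumption, not Microsoft's implementation) of an
# engineer-access workflow: eligibility, separation of duties, least privilege, review.

@dataclass
class Engineer:
    user_id: str
    screening_ok: bool        # background screen and fingerprinting complete
    training_expires: datetime
    roles: set = field(default_factory=set)

@dataclass
class AccessRequest:
    request_id: str
    requester: str
    approver: str             # separation of duties: must be someone else
    system: str
    role: str                 # role under which access is requested
    justification: str
    duration: timedelta       # least privilege: access is time-bound

@dataclass
class Grant:
    request_id: str
    user_id: str
    role: str
    expires_at: datetime

# Assumed role-to-system mapping: a role only reaches the systems it needs.
ROLE_SYSTEMS = {"DataStoreOperator": {"mail-store", "doc-store"}, "NetworkEngineer": {"edge-router"}}
MAX_DURATION = timedelta(hours=4)

def evaluate_request(req, directory, now):
    """Apply every control; return (granted, reasons), reporting all failures."""
    eng = directory.get(req.requester)
    if eng is None:
        return False, ["requester not found in directory"]
    reasons = []
    # Eligibility requirements: screening done and security training current
    if not eng.screening_ok:
        reasons.append("background screen or fingerprinting not complete")
    if eng.training_expires <= now:
        reasons.append("security training expired")
    # Separation of duties: approval must come from a different, known person
    if not req.approver or req.approver not in directory:
        reasons.append("no valid approval recorded")
    elif req.approver == req.requester:
        reasons.append("self-approval is not allowed")
    # Least privilege: held role, role covers the system, time-bound, justified
    if req.role not in eng.roles:
        reasons.append(f"requester does not hold role {req.role}")
    elif req.system not in ROLE_SYSTEMS.get(req.role, set()):
        reasons.append(f"role {req.role} does not cover system {req.system}")
    if req.duration > MAX_DURATION:
        reasons.append("requested duration exceeds the maximum")
    if not req.justification.strip():
        reasons.append("missing business justification")
    return not reasons, reasons

def issue_grant(req, now):
    """Turn an approved request into a time-bound grant."""
    return Grant(req.request_id, req.requester, req.role, now + req.duration)

def review_grants(grants, directory, now):
    """Periodic review: ids of grants to revoke (expired, holder gone, role lost, training lapsed)."""
    return [g.request_id for g in grants
            if g.expires_at <= now
            or g.user_id not in directory
            or g.role not in directory[g.user_id].roles
            or directory[g.user_id].training_expires <= now]

# Constructed sample data (not real personnel or systems).
NOW = datetime(2015, 3, 1, 9, 0, tzinfo=timezone.utc)
DIRECTORY = {
    "alice": Engineer("alice", True, NOW + timedelta(days=200), {"DataStoreOperator"}),
    "bob": Engineer("bob", True, NOW - timedelta(days=1), {"DataStoreOperator"}),
    "carol": Engineer("carol", True, NOW + timedelta(days=90), {"NetworkEngineer"}),
}
REQUESTS = [
    AccessRequest("r1", "alice", "carol", "mail-store", "DataStoreOperator", "ticket 1234: mailbox repair", timedelta(hours=2)),
    AccessRequest("r2", "alice", "alice", "mail-store", "DataStoreOperator", "ticket 1235", timedelta(hours=2)),
    AccessRequest("r3", "alice", "carol", "edge-router", "DataStoreOperator", "ticket 1236", timedelta(hours=1)),
    AccessRequest("r4", "bob", "carol", "doc-store", "DataStoreOperator", "", timedelta(hours=8)),
]

def run_workflow(requests=REQUESTS, directory=DIRECTORY, now=NOW):
    """Evaluate all requests, grant the approved ones, and report what a review one day later revokes."""
    decisions, grants = {}, []
    for r in requests:
        ok, why = evaluate_request(r, directory, now)
        decisions[r.request_id] = (ok, why)
        if ok:
            grants.append(issue_grant(r, now))
    return decisions, review_grants(grants, directory, now + timedelta(days=1))

if __name__ == "__main__":
    print(run_workflow())
```

Only the first request is granted; the others are denied for self-approval, for a role that does not cover the target system, and for lapsed training combined with an over-long, unjustified request. The grant that was issued is two hours long, so a review one day later lists it for revocation, which is the periodic-review behaviour the response describes.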
22. FSIs should notify their customers in general terms of the possibility that their data may be outsourced. They should also give specific notice to customers of significant outsourcing initiatives, particularly where the outsourcing is to an overseas jurisdiction.
Paragraph 2.5.3, Guidelines on Outsourcing (Customer Data Confidentiality).
Where you have existing outsourcing arrangements in place you would already have such notifications in place. If so, contracting for Office 365 should not require additional notifications. Microsoft recommends that you seek legal advice on your privacy policies and consent mechanisms to ensure that they do comply with applicable law. If you require any information from Microsoft please do get in touch with your Microsoft contact.
23. In the event of a termination of the outsourcing agreement, for whatever reason, FSIs should ensure that all customer data is either retrieved from the service provider or destroyed.
Paragraph 2.5.4, Guidelines on Outsourcing (Customer Data Confidentiality).
Yes.
Microsoft uses best practice procedures and a wiping solution that is NIST 800-88 compliant. For hard drives that cannot be wiped, it uses a destruction process (i.e. shredding) that renders the recovery of information impossible (e.g. disintegrate, shred, pulverize or incinerate). The appropriate means of disposal is determined by the asset type. Records of the destruction are retained. All Microsoft Online Services utilize approved media storage and disposal management services. Paper documents are destroyed by approved means at the pre-determined end of the life cycle. “Secure disposal or re-use of equipment and disposal of media” is covered under the ISO 27001 standards against which Microsoft is certified.
G. CONTROL OVER OUTSOURCED ACTIVITIES
24. FSIs should have controls in place (e.g. comparison with target service level) to monitor the performance of service providers on a continuous basis.
FSIs should ensure that they have effective procedures for monitoring the performance of, and managing the relationship with, the service provider and the risks associated with the outsourced activity.
Such monitoring should cover, inter alia:
- contract performance;
- material problems encountered by the service provider; and
- regular review of the service provider’s financial condition and risk profile and the service provider’s contingency plan, the results of testing thereof and the scope for improving it.
Paragraph 2.3.2, Guidelines on Outsourcing (Ability of Service Providers) and paragraphs 2.6.1 and 2.6.2 (Control over Outsourced Activities) for the detailed areas that the monitoring should cover. You may also in this context wish to refer to any internal monitoring procedures you are putting in place.
Yes. Microsoft’s SLA applies to the Office 365 product. Our IT administrators also have access to the Office 365 Service Health Dashboard, which provides real-time and continuous monitoring of the Office 365 service. The Service Health Dashboard provides our IT administrators with information about the current availability of each service or tool (and the history of availability status), details about service disruptions or outages, and scheduled maintenance times. The information is provided via an RSS feed.
Amongst other things, the SLA provides a contractual 99.9% uptime guarantee for the Office 365 product and covers performance monitoring and reporting requirements which enable us to monitor Microsoft’s performance on a continuous basis against service levels.
Please find a copy of the SLA at:
http://www.microsoftvolumelicensing.com/DocumentSearch.aspx?Mode=3&DocumentTypeId=37
25. Responsibility for monitoring the service provider and the outsourced activity should be assigned to staff with appropriate expertise.
Paragraph 2.6.3 (Control over Outsourced Activities), Guidelines on Outsourcing.
If requested by HKMA, Microsoft would suggest that you provide details of the relevant personnel and a brief summary of their experience.
26. FSIs should establish reporting procedures which can promptly escalate problems relating to the outsourced activity to the attention of the management of the FSI and their service providers.
Paragraph 2.6.4 (Control over Outsourced Activities), Guidelines on Outsourcing.
Service Provider Escalation
As part of the support we receive from Microsoft we have access to a technical account manager who is responsible for understanding our challenges and providing expertise, accelerated support and strategic advice tailored to our organization. This includes both continuous hands-on assistance and immediate escalation of urgent issues to speed resolution and keep mission-critical systems functioning. We are confident that such arrangements provide us with the appropriate mechanisms for managing performance and problems.
Internal escalation
[ ] You will need to describe your process for how any issues will be escalated internally.
27. The control procedures over the outsourcing arrangement should be subject to regular reviews by the Internal Audit.
Paragraph 2.6.5 (Control over Outsourced Activities), Guidelines on Outsourcing.
The HKMA expects that your internal audit function would regularly review the outsourcing arrangement, so you will need to confirm this.
H. CONTINGENCY PLANNING
28. FSIs should develop a contingency plan for critical outsourced technology services to protect them from unavailability of services due to unexpected problems of the technology service provider. This may include an exit management plan and identification of additional or alternate technology service providers for such support and services.
Paragraph 7.1.1 (Management of Technology Outsourcing), Technology Risk Principles.
The HKMA clearly expects you to have a contingency plan in place, covering disaster recovery/business continuity. This would usually include:
- performing a business impact analysis of a disaster situation;
- considering the internal mechanisms to deal with such a situation; and
- considering Office 365’s own disaster recovery and business continuity safeguards.
The following outlines Office 365’s own disaster recovery and business continuity safeguards:
Redundancy
- Physical redundancy at server, data center, and service levels.
- Data redundancy with robust failover capabilities.
- Functional redundancy with offline functionality.
Resiliency
- Active load balancing.
- Automated failover with human backup.
- Recovery testing across failure domains.
Distributed Services
- Distributed component services like Exchange Online, SharePoint Online, and Lync Online limit the scope and impact of any failures in a component.
- Directory data replicated across component services insulates one service from another in any failure events.
- Simplified operations and deployment.
Monitoring
- Internal monitoring built to drive automatic recovery.
- Outside-in monitoring raises alerts about incidents.
- Extensive diagnostics provide logging, auditing, and granular tracing.
Simplification
- Standardized hardware reduces issue isolation complexities.
- Fully automated deployment models.
- Standard built-in management mechanism.
Human backup
- Automated recovery actions with 24/7 on-call support.
- Team with diverse skills on the call provides rapid response and resolution.
- Continuous improvement by learning from the on-call teams.
Continuous learning
- If an incident occurs, Microsoft does a thorough post-incident review every time.
- Microsoft’s post-incident review consists of analysis of what happened, Microsoft’s response, and Microsoft’s plan to prevent it in the future.
- In the event the organization was affected by a service incident, Microsoft shares the post-incident review with the organization.
29. Contingency plans should be maintained and regularly tested by FSIs and their service providers to ensure business continuity, e.g. in the event of a breakdown in the systems of the service provider or telecommunication problems with the host country.
Paragraph 2.7.1 (Contingency Planning), Guidelines on Outsourcing.
Microsoft carries out disaster recovery testing at least once per year. Please see also question 28 above for a summary of the disaster recovery/business continuity safeguards provided as part of the Office 365 service.
30. Contingency arrangements in respect of daily operational and systems problems would normally be covered in the service provider’s own contingency plan. FSIs should ensure that they have an adequate understanding of their service provider’s contingency plan and consider the implications for their own contingency planning in the event that an outsourced service is interrupted due to failure of the service provider’s system.
Paragraph 2.7.2 (Contingency Planning), Guidelines on Outsourcing.
The HKMA requirements indicate the importance of you understanding the disaster recovery/business continuity safeguards forming part of Office 365. As such, if you have any questions about these, please do not hesitate to get in touch with your Microsoft contact.
Please see question 28 above for a summary of the disaster recovery/business continuity safeguards provided as part of the Office 365 service.
31. In establishing a viable contingency plan, FSIs should consider, among other things, the availability of alternative service providers or the possibility of bringing the outsourced activity back in-house in an emergency, and the costs, time and resources that would be involved.
Paragraph 2.7.3 (Contingency Planning), Guidelines on Outsourcing.
The HKMA clearly expects you to have a plan in place if you did decide to stop using the Office 365 service.
To ensure control, transparency and consistency, it is necessary for the applications and services forming part of Office 365 to be provided by one provider (i.e. Microsoft). Because of the due diligence and risk management processes we have implemented we do not think that our use of Office 365 represents an excessive reliance on one partner. Nonetheless, we do have in place contractual rights to exit the arrangements with Microsoft at any time for convenience, which gives us the flexibility to move to another provider (or to revert to a local, non-cloud based offering, such as Microsoft Office) should we choose to do so.
I. ACCESS TO OUTSOURCED DATA
32. FSIs should ensure that appropriate up-to-date records are maintained in their premises and kept available for inspection by the HKMA in accordance with §§55 and 56 of the Banking Ordinance and that data retrieved from the service providers are accurate and available in Hong Kong on a timely basis.
Access to data by the HKMA’s examiners and the FSI’s internal and external auditors should not be impeded by the outsourcing. FSIs should ensure that the outsourcing agreement with the service provider contains a clause which allows for supervisory inspection or review of the operations and controls of the service provider as they relate to the outsourced activity.
Paragraphs 2.8.1 and 2.8.2 (Access to Outsourced Data), Guidelines on Outsourcing.
Yes.
There are provisions in the contract that enable the HKMA to carry out inspection or examination of Microsoft’s facilities, systems, processes and data relating to the services. This is a key advantage of the Microsoft product over competitor products, which often provide only very limited (or no) audit and inspection rights.
J. ADDITIONAL CONCERNS IN RELATION TO OVERSEAS OUTSOURCING
33. Implications of the overseas outsourcing for FSIs' risk profile - FSIs should understand the risks arising from overseas outsourcing, taking into account relevant aspects of an overseas country (e.g. legal system, regulatory regime, sophistication of technology, infrastructure).
Paragraph 2.9.1 (Additional Concerns in Relation to Overseas Outsourcing), Guidelines on Outsourcing.
The answer to this question will depend on the region you are in. You may discuss this with your Microsoft contact. Microsoft enables customers to select the region from which their service is provisioned.
Office 365 is hosted out of […..]. This/These location(s) has/have been vetted for geopolitical/socioeconomic risks as set out in this checklist requirement. As part of our usual processes, we constantly monitor the countries in which we operate.
a. Political (i.e. cross-border conflict, political unrest etc.). Office 365 offers data-location transparency so that the organizations and regulators are informed of the jurisdiction(s) in which data is hosted. We are confident that Microsoft’s data center locations offer extremely stable political environments.
b. Country/socioeconomic. Office 365 offers data-location transparency so that the organizations and regulators are informed of the jurisdiction(s) in which data is hosted. The centers are strategically located around the world taking into account country and socioeconomic factors. We are confident that Microsoft’s data center locations offer extremely stable socioeconomic environments.
c. Infrastructure/security/terrorism. Microsoft’s data centers are built to exacting standards, designed to protect customer data from harm and unauthorized access. Data center access is restricted 24 hours per day by job function so that only essential personnel have access. Physical access control uses multiple authentication and security processes, including badges and smart cards, biometric scanners, on-premises security officers, continuous video surveillance and two-factor authentication. The data centers are monitored using motion sensors, video surveillance and security breach alarms.
d. Environmental (i.e. earthquakes, typhoons, floods). Environmental controls have been implemented to protect the data centers, including temperature control, heating, ventilation and air-conditioning, fire detection and suppression systems and power management systems, 24-hour monitored physical hardware and seismically-braced racks. Microsoft data centers are built in seismically safe zones. These requirements are covered by Microsoft’s ISO/IEC 27001 accreditation for Office 365.
34. Right of access to customers’ data by overseas authorities such as the police and tax authorities. FSIs should generally obtain a legal opinion from an international or other reputable legal firm in the relevant jurisdiction on this matter. This will enable them to be informed of the extent and the authorities to which they are legally bound to provide information. Right of access by such parties may be unavoidable due to compulsion of law. FSIs should therefore conduct a risk assessment to evaluate the extent and possibility of such access taking place. FSIs should notify the HKMA if overseas authorities seek access to their customers’ data. If such access seems unwarranted the HKMA reserves the right to require the FSI to take steps to make alternative arrangements for the outsourced activity.
Paragraph 2.9.2 (Additional Concerns in Relation to Overseas Outsourcing), Guidelines on Outsourcing.
The answer to this question will depend on the region you are in. You may discuss this with your Microsoft contact. Microsoft enables customers to select the region that it is provisioned from. Microsoft recommends that you obtain a legal opinion from an international or other reputable legal firm in the country where your data will be hosted on this matter.
Microsoft is transparent in relation to the location of our data. Azure is hosted out of […..]. This/These location(s) has/have been thoroughly vetted and the circumstances in which the authorities may have rights to access customer information are not considered unwarranted. Microsoft data center locations are made public on the Microsoft Trust Center.
35. Notification to customers - FSIs should generally notify their customers of the country in which the service provider is located (and of any subsequent changes) and the right of access, if any, available to the overseas authorities.
Paragraph 2.9.1 (Additional Concerns in Relation to Overseas Outsourcing), Guidelines on Outsourcing.
Microsoft recommends that you confirm in this section that you have informed customers where services will be provided from (according to the specification of your final solution with Microsoft).
Microsoft also recommends that you confirm in this section that you have informed customers of the right of access available to overseas authorities (for example in Singapore, for the purpose of the Office 365 service, depending on the specification of your final solution with Microsoft).
36. Right of access to customers’ data for examination by the HKMA after outsourcing - FSIs should not outsource to a jurisdiction which is inadequately regulated or which has secrecy laws that may hamper access to data by the HKMA or FSIs' external auditors. They should ensure that the HKMA has right of access to data. Such right of access should be confirmed in writing by both FSIs and their home or host authorities, as the case may be.
Paragraph 2.9.1 (Additional Concerns in Relation to Overseas Outsourcing), Guidelines on Outsourcing.
Azure is hosted out of […..]. This/These location(s) has/have been thoroughly vetted and, as far as we are aware, there are no secrecy laws which would hamper access to data by HKMA or our external auditors in the appropriate circumstances.
There are provisions in the contract that enable the HKMA to carry out inspection or examination of Microsoft’s facilities, systems, processes and data relating to the services. This is set out in the FSA.
Microsoft also offers a Compliance Framework Program. If you take up the Compliance Framework Program, you may add this additional information about its key features: the regulator audit/inspection right, access to Microsoft’s security policy, the right to participate at events to discuss Microsoft’s compliance program, and the right to receive audit reports and updates on significant events, including security incidents, risk-threat evaluations and significant changes to the business resumption and contingency plans.
37. §33 of the PDPO in respect of transfer of personal data outside Hong Kong – although §33 has not yet come into operation, FSIs are advised to take account of the provisions therein and the potential impact on their plans in respect of overseas outsourcing.
Paragraph 2.9.1 (Additional Concerns in Relation to Overseas Outsourcing), Guidelines on Outsourcing.
We recommend that you use option (a) OR (b) below, depending on the specification of your final solution with Microsoft:
(a) [Office 365 complies with §33 of the PDPO because data is transferred to […] which has laws in place which are substantially similar to the PDPO, and Microsoft has taken precautions to ensure that the data will not be dealt with in a manner which would breach the PDPO (see the answer to question 20 above for more details about the measures Microsoft has taken to comply with the PDPO). In addition Microsoft commits to comply with ISO/IEC 27018. In February 2015, Microsoft became the first major cloud provider to adopt the world’s first international standard for cloud privacy, ISO/IEC 27018. The standard was developed by the International Organization for Standardization (ISO) to establish a uniform, international approach to protecting privacy for personal data stored in the cloud. The British Standards Institute (BSI) has now independently verified that Microsoft is aligned with the standard’s code of practice for the protection of Personally Identifiable Information (PII) in the public cloud. The controls set out in ISO/IEC 27018 match the protections required by the PDPO. For more information on this, follow this link.]
(b) [Microsoft will not transfer our personal data outside of Hong Kong.]
38. Governing law of the outsourcing agreement – the agreement should preferably be governed by Hong Kong law.
Paragraph 2.9.1 (Additional Concerns in Relation to Overseas Outsourcing), Guidelines on Outsourcing.
Our contract with Microsoft is subject to Washington State law [upon which we have obtained separate legal advice to ensure that we are comfortable with the protection and control afforded to us].
Confidential
Page 32 of 39
10004325-2
Ref. Question/requirement Templates response and guidance
39. In case of a locally incorporated AI (authorized institution), a principal concern is the ability of the HKMA to exercise its legal powers under the Banking Ordinance effectively if there is limited cooperation by the service provider. Accordingly, where a local FSI is planning to outsource, for example, a major part of its data processing function to outside Hong Kong, the HKMA will expect the FSI to have a robust back-up system and contingency plan in an acceptable jurisdiction. The back-up system should be properly documented and regularly tested. It may be appropriate for an independent opinion on its effectiveness to be sought.
Paragraph 2.9.2 (Additional Concerns in Relation to Overseas Outsourcing), Guidelines on Outsourcing.
The HKMA should have no concerns about limited cooperation by Microsoft as service provider. Microsoft understands the role that the HKMA needs to play as regulator. There are provisions in the contract that enable the HKMA to carry out inspection or examination of Microsoft’s facilities, systems, processes and data relating to the services.
Microsoft does have a robust back-up system and contingency plan in place – please see the response to question 28 above.
Microsoft carries out disaster recovery testing at least once per year.
An independent opinion on Microsoft’s effectiveness already exists by virtue of the fact that Office 365 has an ISO 27001 accreditation. It was the first major business productivity public cloud service to have implemented this rigorous set of global standards covering physical, logical, process and management controls.
APPENDIX ONE
MANDATORY CONTRACTUAL REQUIREMENTS
This table sets out the specific items that must be covered in the FSI’s agreement with the Service Provider.
Key:
Where relevant, a cross-reference is included in red italics to the underlying regulation that sets out the contractual requirement.
In blue text, Microsoft has provided you with a reference to where in the agreement the contractual requirement is covered for ease of reference.
Terms used below are as follows:
OST = Online Services Terms
EA = Enterprise Agreement
Enrolment = Enterprise Enrolment
FSA = Financial Services Amendment
MBSA = Microsoft Business and Services Agreement
PUR = Product Use Rights
SLA = Online Services Service Level Agreement
Ref. Requirement Microsoft agreement reference
1. The service agreement between FSIs and their service provider should clearly set out:
- The type and level of services to be provided; and
- The contractual liabilities and obligations of the service provider.
Paragraph 2.4.1, Guidelines on Outsourcing
The contract pack comprehensively sets out the scope of the arrangement and the respective commitments of the parties.
The services are broadly described, along with the applicable usage rights, in the Product List and OST. The services are described in more detail in OST, which includes a list of service functionality at OST, page 10 and core features of the Office 365 Services at pages 15-25. MBSA section 6 deals with liability and rights of action.
2. FSIs should have in place undertakings by the service provider that the company and its staff will abide by confidentiality rules, including taking into account the data protection principles set out in the PDPO.
Paragraph 2.5.2, Guidelines on Outsourcing
MBSA section 3 deals with confidentiality. Under this section Microsoft commits not to disclose our confidential information (which includes our data) to third parties and to only use our confidential information for the purposes of Microsoft’s business relationship with us.
MBSA section 11m states that Microsoft and the customer each commit to comply with all applicable privacy and data protection laws and regulations.
The customer retains the ability to access its Customer Data at all times (OST, page 10), and Microsoft will deal with Customer Data in accordance with Enrollment section 6c(iv) and the OST. In summary: following termination Microsoft will (unless otherwise directed by the customer) delete the Customer Data after a 90 day retention period. Finally, from a technical perspective the wide availability and usage of Microsoft’s products means that Customer Data can generally be extracted in a format compatible with commonly available alternative products.
Microsoft also makes specific commitments with respect to Customer Data in the OST. In summary Microsoft commits that:
1. Ownership of Customer Data remains at all times with the customer (see OST, page 8).
2. Customer Data will only be used to provide the online services to the customer. Customer Data will not be used for any other purposes, including for advertising or other commercial purposes (see OST, page 8).
3. Microsoft will not disclose Customer Data to law enforcement unless it is legally obliged to do so, and only after not being able to redirect the request to the customer (see OST, page 8).
4. Microsoft will implement and maintain appropriate technical and organizational measures, internal controls, and information security routines intended to protect Customer Data against accidental, unauthorized or unlawful access, disclosure, alteration, loss, or destruction (see OST, page 8 and pages 11-13 for more details).
5. Microsoft will notify the customer if it becomes aware of any security incident, and will take reasonable steps to mitigate the effects and minimize the damage resulting from the security incident (see OST, page 9).
3. FSIs should have contractual rights to take action against the service provider in the event of a breach of confidentiality.
Paragraph 2.5.2, Guidelines on Outsourcing
Yes.
MBSA section 3 deals with confidentiality. Under this section Microsoft commits not to disclose our confidential information (which includes our data) to third parties and to only use our confidential information for the purposes of Microsoft’s business relationship with us. If there is a breach of confidentiality by Microsoft, we are able to bring a claim for breach of contract against Microsoft.
In addition, MBSA section 5 sets out Microsoft’s obligation to defend the regulated entity against third party infringement and breach of confidence claims. Microsoft’s liability under section 5 is unlimited.
4. FSIs should ensure that the outsourcing agreement with the service provider contains a clause which allows for supervisory inspection or review of the operations and controls of the service provider as they relate to the outsourced activity.
Paragraph 2.8.2, Guidelines on Outsourcing
Yes.
The OST specifies the audit mechanisms that Microsoft puts in place in order to verify that the online services meet appropriate security and compliance standards. This commitment is reiterated in the FSA.
In addition, clauses 1e and 1f of the FSA detail the examination and influence rights that are granted to the customer and HKMA. Clause 1e sets out a process which can culminate in the regulator’s examination of Microsoft’s premises. Clause 1f gives the customer the opportunity to participate in the Microsoft Online Services Customer Compliance Program, which is a for-fee program that facilitates the customer’s ability to (a) assess the services’ controls and effectiveness, (b) access data related to service operations, (c) maintain insight into operational risks of the services, (d) be provided with additional notification of changes that may materially impact Microsoft’s ability to provide the services, and (e) provide feedback on areas for improvement in the services.
5. The outsourcing agreement should preferably be governed by Hong Kong law.
Paragraph 2.9.1, Guidelines on Outsourcing
MBSA section 11h deals with which country’s laws apply if there is a legal dispute.
The governing law is that of Washington; however, the parties have the ability to bring proceedings in the following locations:
- If Microsoft brings the action, the jurisdiction will be where we are located (i.e. Hong Kong);
- If we bring the action, the jurisdiction will be the state of Washington; and
- Both parties can seek injunctive relief with respect to a violation of intellectual property rights or confidentiality obligations in any appropriate jurisdiction.
6. The outsourcing agreement should specify clearly, among
other things, the performance standards and other
obligations of the technology service provider and the issue
of software and hardware ownership.
Paragraph 7.1.1, Technology Risk Principles
Yes.
The SLA contains Microsoft’s service level commitment, as well as the remedies for the
customer in the event that Microsoft does not meet the commitment.
The software and hardware are owned by Microsoft but licensed for use by the customer
as a service, as is standard in any cloud services solution.
7. FSIs should consider including a notification or an approval
requirement for significant sub-contracting of services and a
provision that the original technology service provider is still
responsible for its sub-contracted services.
Paragraph 7.1.1, Technology Risk Principles
Yes.
See page 9 of the OST, under which Microsoft is permitted to hire subcontractors.
Microsoft maintains a list of authorized subcontractors for the online services that have
access to our data and provides us with a mechanism to obtain notice of any updates to
that list (OST, page 10). The actual list is published on the applicable Trust Center. If we
do not approve of a subcontractor that is added to the list, then we are entitled to terminate
the affected online services.
The confidentiality of our data is protected when Microsoft uses subcontractors because
Microsoft commits that its subcontractors “will be permitted to obtain Customer Data only
to deliver the services Microsoft has retained them to provide and will be prohibited from
using Customer Data for any other purpose” (OST, page 9).
Microsoft commits that any subcontractors to whom Microsoft transfers our data will have
entered into written agreements with Microsoft that are no less protective than the data
processing terms in the OST (OST, page 11).
Under the terms of the OST, Microsoft remains contractually responsible (and therefore
liable) for its subcontractors’ compliance with Microsoft’s obligations in the OST (OST,
page 9). In addition, Microsoft’s commitment to ISO/IEC 27018 requires Microsoft to
ensure that its subcontractors are subject to the same security controls as Microsoft is
subject to. Finally, the EU Model Clauses, which are included in the OST, require Microsoft
to ensure that its subcontractors outside of Europe comply with the same requirements as
Microsoft and set out in detail how Microsoft must achieve this.