MALAYSIA INSURANCE GUIDANCE ON COMPLYING...

Confidential

of 65

10004330-2

MALAYSIA – INSURANCE

GUIDANCE ON COMPLYING WITH REGULATORY REQUIREMENTS APPLICABLE TO FINANCIAL SERVICES INSTITUTIONS

USING CLOUD COMPUTING

Last updated: November 2014

1. WHAT DOES THIS MICROSOFT GUIDANCE CONTAIN?

This guidance document provides a guide to complying with the regulatory process and requirements applicable to financial services institutions using

cloud computing. In this guidance financial services institutions means insurance companies (“ICs”). Microsoft has prepared a guidance document for

other financial service institutions which is available on request.

Sections 2 to 6 of this guidance sets out some high level information about the applicable legal frameworks governing banks’ and insurance companies’

use of cloud computing services and the regulatory process that applies.

Section 7 sets out questions in relation to outsourcing to a cloud services solution based on the laws, regulations and guidance that are relevant to the

use of cloud services. Although there is no requirement to complete a checklist like this one, we have received feedback from ICs that a checklist

approach like this is very helpful. The checklist can be used:

(i) as a checklist for ensuring regulatory compliance with the requirements set out in the laws, regulations and guidelines (listed in Section 2); and

(ii) as a tool to aid discussions with the regulator(s) (listed in Section 3), should they wish to discuss your organization’s overall approach to

compliance with their requirements.

Appendix One also contains a list of key contractual requirements based on the laws, regulations and guidance that are relevant to an IC’s use of cloud

services.

Confidential

of 65

10004330-2

Note that this document is not intended as legal or regulatory advice and does not constitute any warranty or contractual commitment. Instead, it is

intended to streamline the regulatory process for you. You should seek independent legal advice on your technology outsourcing project and your legal

and regulatory obligations. Please note that the scope of this document specifically does not include potentially applicable state laws, rules and

regulations.

2. WHAT REGULATIONS AND GUIDANCE ARE RELEVANT?

BNM has developed several relevant documents which ICs should bear in mind. As with banks, there are effectively different “layers” of rules that apply

depending on whether the use of Office 365 constitutes an “outsourcing” and, if so, whether it is significant enough to constitute a “material outsourcing”.

Even if it does not constitute an “outsourcing” or “material outsourcing”, more other general technology guidelines apply, specifically: IT Guidelines, E-

Banking Guidelines, Business Continuity Management Guidelines and Guidelines on Data Management and Management Information System as listed

below.

The relevant documents are as follows (although most of them are not available on the BNM website but we have included a hyperlink where they are):

BNM’s Guidelines on Outsourcing for Insurers.

BNM’s Guidelines on Internet Insurance.

BNM’s Guidelines on Data Management and MIS Framework for Financial Institutions.

BNM’s Guidance on Business Continuity Management (“BNM’s BCM Guidelines”).

BNM’s Guidelines on Management of IT environment.

In addition, the Financial Services Act 2013 (“FSA”) contains some relevant provisions.

3. WHO IS/ARE THE RELEVANT REGULATOR(S)?

The Bank Negara Malaysia (“BNM”)

http://www.bnm.gov.my/guidelines/01_banking/04_prudential_stds/30_gl_018_1_20110905.pdf

http://www.bnm.gov.my/documents/act/en_fsa.pdf

Confidential

of 65

10004330-2

4. IS REGULATORY APPROVAL REQUIRED IN MALAYSIA?

Yes.

The prior consent of BNM is only required if an IC wishes to undertake an outsourcing which is deemed to be “material” or which results in services being

provided in a location outside Malaysia whether material or not. It is prudent to assume that the use of Office 365 would, as a minimum, constitute an

“outsourcing”. Whether it would then constitute a “material outsourcing” would be determined on a case-by-case basis, based on an analysis of whether

the disruption of the Microsoft Cloud Services would have the potential to significantly impact the financial institution’s business operations, reputation or

profitability1. Depending on the solution you decide on, the service will likely involve data centers based outside of Malaysia.

5. IS/ARE THERE (A) SPECIFIC FORM OR QUESTIONNAIRE(S) TO BE COMPLETED?

No.

Unlike in certain jurisdictions, such as Singapore, there are no specific forms or questionnaires that an IC must complete when considering cloud

computing solutions.

6. DOES THE REGULATOR MANDATE SPECIFIC CONTRACTUAL REQUIREMENTS THAT MUST BE ADOPTED?

Yes.

BNM does specifically mandate contractual requirements that must be agreed by ICs with their service providers. These are not set out in one list in any

one place unfortunately but scattered across the different documents referred to above. Microsoft has included these points in the document which

follows in relation to the relevant issues and Appendix One contains a comprehensive list and details of where in the Microsoft contractual documents

these points are covered.

1 Relevant considerations in terms of what is constituted to be ‘material’ can be found in the BNM Guidelines on Outsourcing for Insurers, Part VIII.

Confidential

of 65

10004330-2

7. CHECKLIST

Key:

In blue text, Microsoft has included template responses that would demonstrate how your proposed use of Microsoft’s services would address the point

raised in the checklist. Some points are specific to your own internal operations and processes and you will need to complete these answers as well.

In red italics, Microsoft has provided guidance to assist you with the points in the checklist.

Ref. Question/requirement Template response and guidance

A. GENERAL

1. Who is the Service Provider? Please

provide company profile/background.

In case requested, details of the Microsoft corporate entity providing the services are provided below.

The Service Provider is Microsoft Operations Pte Ltd, the regional licensing entity for Microsoft Corporation,

a global provider of information technology devices and services, which is publicly-listed in the USA

(NASDAQ: MSFT). Microsoft’s full company profile is available here: https://www.microsoft.com/en-

us/news/inside_ms.aspx.

2. List all proposed activities and operations

to be outsourced to the Service Provider.

Confirm that the outsourcing will not

include ‘core activities’.

Paragraph 3.2 of the BNM’s Guidelines on Outsourcing for Insurers which provides that ICs should not

outsource core activities except in very limited circumstances. “Core activities” are defined in Part V of those

guidelines as activities constituting insurance business; board and senior management; internal audit and

compliance functions; risk management; strategic planning and decision making; and financial analysis.

We can confirm that the outsourced services will not involve any core activities or any inherent banking

functions such as services associated with placement of deposits and withdrawals.

The arrangement will involve the outsourcing of certain IT functions through the use of Microsoft’s “Office

https://www.microsoft.com/en-us/news/inside_ms.aspx

https://www.microsoft.com/en-us/news/inside_ms.aspx

Confidential

of 65

10004330-2


365” service, which is described in more detail here: Microsoft Office 365. Amongst other things, the Office

365 service includes:

Microsoft Office applications hosted in the “cloud”;

Hosted email;

Web conferencing, presence and instant messaging;

Data and application hosting;

Spam and malware protection; and

IT support services.

B. OUTSOURCING POLICY AND RISK MANAGEMENT

3. Is senior management confident that there

are effective oversight, review and

reporting arrangements in place to ensure

that service level agreements regarding

standards on data quality, integrity and

accessibility are observed at all times?

Paragraph 4.12 of the BNM’s Guidelines on Data Management and MIS Framework for Development

Financial Institutions (“DFI Guidelines”). You may want to add to the following any specific details of

communications with and involvement of senior management.

Yes.

It is essential to us is that, despite the outsourcing, we retain control over our own business operations,

including control of who can access data and how they can use it. At a contractual level, we have dealt with

this via our contract with Microsoft, which provides us with legal mechanisms to manage the relationship

including appropriate allocation of responsibilities, oversight and remedies and the relevant regulatory

requirements. At a practical level, we have selected the Office 365 product since it provides us with

http://office.microsoft.com/en-us/business/what-is-office-365-for-business-FX102997580.aspx

Confidential

of 65

10004330-2


transparency in relation to data location, access/audit and authentication and advanced encryption controls.

We have access rights (at any time) to the online dashboards, which provide live information in relation to

Microsoft’s services’ performance against performance measures. Finally, we (not Microsoft) will continue

to own and retain all rights to our data and our data will not be used for any purpose other than to provide us

with the Office 365 services.

4. Does your organization have a written,

board-approved outsourcing risk

philosophy showing that management have

considered the overall business and

strategic objectives and assessed the

materiality of the outsourcing arrangements

and has approved the outsourcing?

Paragraphs 9.2, 9.4 and 9.5 of the BNM’s Guidelines on Outsourcing for Insurers which provide that the

board should approve a framework for assessing the materiality of all existing and prospective outsourcing

arrangements. It refers to this as an ‘outsourcing risk philosophy’.

Paragraph 26.1 of the BNM’s Guidelines on Internet Insurance. BNM expects that you will have sought

Board approval in relation to the outsourcing so you will need to confirm this here.

Yes/No

[See attached board approval.]

More details of our outsourcing risk philosophy and analysis are set out below.

5. Does the outsourcing risk philosophy and

your business case address the following?

(i) Identification of the activities

that will not be outsourced for

strategic or internal control

reasons.

Paragraphs 9.5 and 9.7 of the BNM’s Guidelines on Outsourcing for Insurers and paragraph 26.1 of the

BNM’s Guidelines on Internet Insurance. BNM expects you to be able to demonstrate that your outsourcing

risk philosophy and business case each of these points. Items (i) to (viii) are largely internal matters that you

will need to outline and show you have considered. Items (ix) and (x) directly relate to Microsoft’s offering so

you may find the following helpful:

(ix) Reporting and Monitoring.

Confidential

of 65

10004330-2


(ii) Expectations of the

outsourcing arrangements in

terms of contribution to your

overall strategic and business

objectives.

(iii) Limits on the acceptable

overall level of outsourced

activities.

(iv) The potential impact of the

outsourced activity to the

economic or commercial value

of the insurer.

(v) An assessment of whether an

independent enterprise in

comparable circumstances

would be likely to outsource

the activity.

(vi) Costs implication of the

outsourcing arrangement

(including costs associated

with internal resources

required to oversee and

manage the outsourcing

Yes.

Microsoft’s Service Level Agreement (“SLA”) applies to the Office 365 product. Our IT administrators also

have access to the Office 365 Service Health Dashboard, which provides real-time and continuous

monitoring of the Office 365 service. The Service Health Dashboard provides our IT administrators with

information about the current availability of each service or tool (and history of availability status) details

about service disruption or outage, scheduled maintenance times. The information is provided via an RSS

feed.

Amongst other things, it provides a contractual 99.9% uptime guarantee for the Office 365 product and

covers performance monitoring and reporting requirements which enable us to monitor Microsoft’s

performance on a continuous basis against service levels.

As part of the support we receive from Microsoft, we also have access to a technical account manager who

is responsible for understanding our challenges and providing expertise, accelerated support and strategic

advice tailored to our organization. This includes both continuous hands-on assistance and immediate

escalation of urgent issues to speed resolution and keep mission-critical systems functioning. We are

confident that such arrangements provide us with the appropriate mechanisms for managing performance

and problems.

We also have extensive audit rights as detailed in section E below.

(x) An assessment of your ability to retain control of the outsourced activity.

The handing over of certain day to day responsibility to an outsourcing provider does present some

challenges in relation to control. It is essential to us is that, despite the outsourcing, we retain control over

our own business operations. At a contractual level, we have dealt with this via our contract with Microsoft,

Confidential

of 65

10004330-2


arrangement) relative to

anticipated benefits.

(vii) The cumulative impact,

including risk concentrations,

of all outsourcing

arrangements on the overall

safety and soundness of your

business.

(viii) An assessment of key

outsourcing risks, including but

not limited to the impact of the

outsourcing arrangement on

the quality of your service.

(ix) Proper reporting and

monitoring of the integrity and

quality of work conducted by

the Service Provider.

(x) An assessment of your ability

to retain control of the

outsourced activity.

which provides us with legal mechanisms to manage the relationship including appropriate allocation of

responsibilities, oversight and remedies and the mandatory provisions required by BNM. At a practical level,

we have selected the Office 365 product since it provides us with transparency in relation to data location,

authentication and advanced encryption controls. We (not Microsoft) will continue to maintain control and

will own and retain all rights to our data and our data will not be used for any purpose other than to provide

us with the Office 365 services.

6. Does your organization have an

outsourcing risk management program and

Paragraphs 9.6 and 10.1 of the BNM’s Guidelines on Outsourcing for Insurers which provides that insurers

are expected to have in place a comprehensive ‘risk management program’ that is applied to all material

Confidential

of 65

10004330-2


policies that apply to material outsourcing

arrangements?

outsourcing arrangements and that all decisions to outsource a material activity should be supported by a

sound business case. The business case should take into account the potential benefits of outsourcing

against risks that may arise, having regard to all relevant prudential matters as well as short-term and long-

term implications.

There would appear to be some overlap between the risk management program and the outsourcing risk

philosophy. You will need to be able to confirm that you have one and provide details. Specific areas that

should be covered are set out below.

7. Does your risk management program

explicitly cover the management of country

risks including the following areas:

(i) Strategic risks (activities carried on

by the Service Provider on its own

behalf that are inconsistent with the

overall strategic goals of the

insurer; failure to implement

appropriate oversight of the

Service Provider; inadequate

expertise to oversee the Service

Provider);

(ii) Reputational risks (poor service by

the Service Provider; customer

interaction that is inconsistent with

IC’s standards; unethical practices

Paragraph 10.2 of the BNM’s Guidelines on Outsourcing for Insurers. Many of these areas will require detail

regarding internal policies but we have included some information in relation to Microsoft’s specific offerings

where relevant to assist where possible.

Yes.

Office 365 is hosted out of […..]. This/These location(s) has/have been vetted for

geopolitical/socioeconomic risks as set out in this checklist requirement. As part of our usual processes, we

constantly monitor the countries in which we operate.

(i) Strategic risks. We have no reason to believe that any activities carried out by the Service

Provider on its own behalf would be inconsistent with our overall strategic goals. To the

contrary, we have selected a Service Provider with a very strong track record and experience of

understanding the requirements of financial institutions. We are also very confident that the

contractual protections and nature of the service offering enable us to have appropriate

oversight of the Service Provider and tools which are very easy to use to ensure this oversight

as opposed to demanding the development of new skillsets and high levels of expertise in order

to manage it on our side. Microsoft will not have interactions with customers. The strategic risks

Confidential

of 65

10004330-2


of the Service Provider);

(iii) Compliance risks (prudential and

market conduct regulations not

complied with; breach of obligation

to preserve customer data

confidentiality; changes in

regulations not communicated to

the service provider in a timely

manner);

(iv) Operational risks (technology

failure, inadequate financial

capacity of Service Provider to

fulfill obligations or provide

remedies/restitution; fraud or error;

failure of IC to undertake

inspections of Service Provider);

(v) Exit strategy risks (over reliance on

one firm to provide service; loss of

relevant skills or resources in the

IC preventing it from bringing an

outsourced activity back in-house;

contracts which make a speedy

exit prohibitively expensive);

in our view are therefore low.

(ii) Reputational risks. Again, we see the risks as very low since we have undertaken a very

thorough due diligence process and chosen a world-class and highly experienced Service

Provider who is able to provide contractually backed up assurances of quality of service. We

also have numerous protections in the contract itself in order to monitor the service performance

and take action in the event that any issues arise.

(iii) Compliance risks. We are not outsourcing core business activities. In that respect the risks of

market conduct regulations not being complied with purely as a result of these outsourced

services are very low. As detailed in section F, there are very strong security arrangements and

safeguards in place to prevent any damage to customer data confidentiality.

(iv) Operational risks. The service provides high SLA (as defined above) commitments but also

ensures that a raft of different safeguards and arrangements are in place to prevent and

minimize the impact of any technology failure. Microsoft is subject to very high international

auditing standards in this regard which provide us with a great deal of comfort. The size and

resources that Microsoft has in place also mean that we do not foresee risks in relation to the

adequacy of Microsoft to fulfill obligations or provide remedies and restitution. The nature of the

services that are being outsourced also mean that there are low risks of fraud or error. In

relation to risks in respect of our failure to undertake inspections (for practical or cost

considerations) we have assurance in the fact that Microsoft is also subject to its own regular

reviews as well as independent auditing by a third party – the reports of which are made

available to us.

(v) Exit strategy risks. Our contract with Microsoft provides various opportunities to terminate the

service even at short notice as well as contractual obligations on the part of Microsoft to enable

Confidential

of 65

10004330-2


(vi) Counter party risks (inappropriate

credit assessments leading to

diminished quality of receivables);

(vii) Country risks (political, social and

legal climates may create added

risk and business continuity

planning can be more complex);

(viii) Contractual risks (inability to

enforce the contract);

(ix) Information risks (reliance on

information by Service Provider

that may be materially inaccurate;

delay in providing timely data and

information to IC or regulator;

confidentiality of commercially

sensitive/customer information may

be compromised);

(x) Concentration risks (reliance on

one Service Provider for multiple

activities);

(xi) Due diligence of the Service

Provider;

the transfer of services to another service provider or back in-house. These are not services

which would commonly be provided by any IC in-house in any event however.

(vi) Counter party risks. We do not see any risks in relation to inappropriate credit assessments

given the nature of the services being outsourced.

(vii) Country risks Office 365 offers data-location transparency so that the organizations and

regulators are informed of the jurisdiction(s) in which data is hosted. The centers are

strategically located around the world taking into account country and socioeconomic factors.

We are confident that Microsoft’s data center locations offer extremely stable socioeconomic

environments. Microsoft data center locations are made public on the Microsoft Trust Center.

Contractual risks. We are not concerned regarding any inability to enforce the contract. The

contract contains various remedies including service credits and also the ability for us to

terminate the services quickly and easily.

(viii) Information risks. We do not foresee risks connected with inaccurate information provided by

the Service Provider given the nature of the services that are being provided. Further, in

relation to any information that is provided to us by Microsoft, we have assurances in the fact

that they are subject to independent audit and international standards and also that BNM has

audit rights. Microsoft’s service ensures the provision of real-time information via their

dashboard and various protections detailed elsewhere in this document to ensure the protection

of commercially sensitive and customer information.

(ix) Concentration risks. We are not placing undue reliance on one service provider for multiple

activities in making this outsourcing. The arrangement is for the provision of certain IT services

only and not of the nature that would usually be split between different service providers.

https://products.office.com/en/business/office-365-trust-center-cloud-computing-security?tab=d1f6ec18-0f9b-0fef-3203-3d7d52bc1437

Confidential

of 65

10004330-2


(xii) Service Agreements;

(xiii) Contingency Plans; and

(xiv) Monitoring and control.

(x) Due diligence of the Service Provider. See section C below.

(xi) Service Agreements. See section D below.

(xii) Contingency plans. See section G below.

(xiii) Monitoring and control of outsourcing. See section B5 above.

C. SERVICE PROVIDER SELECTION CRITERIA & DUE DILIGENCE

8. Is the selection process of the Service

Provider and its sub-contractors, if any,

formally defined and documented?

Paragraph 10.4 of the BNM’s Guidelines on Outsourcing for Insurers which provides that appropriate due

diligence is expected to be conducted by insurers prior to the selection of service providers. Paragraph

15(a), Part II of the BNM’s Guidelines on Management of IT Environment states that due diligence should be

adequately carried out to review and assess outsourcing viabilities, capabilities, reliabilities, expertise and

track records before being approved by the board of directors.

Yes.

The selection process was formally defined and documented. It covered the service provider’s:

financial soundness;

reputation;

managerial skills

technical capabilities; and

Confidential

of 65

10004330-2


operational capability and capacity in relation to the services to be performed.

[Please see the attached documentation for further information.]

9. Did your selection criteria consider the

following? Are there any other objective

criteria that you considered?

(a) Capabilities, expertise, track

records, experience, technical

competence and adequacy of

human resource capabilities of the

Service Provider to perform the

specified activity to be outsourced.

(b) Service Provider’s understanding

of your organization’s strategic and

business objectives in relation to

the specific activity outsourced.

(c) Financial strength and resources of

the Service Provider (based on

recent audited financial statements

and other relevant information),

including the consideration of the

extent of the Service Provider’s

liabilities and financial ability (i.e.,

This is covered in several places: paragraph 10.5 of the BNM’s Guidelines on Outsourcing for Insurers;

paragraphs 10.4 and 15(a); Part II of the BNM’s Guidelines on Management of IT Environment; paragraph

1(d), Part IV of the BNM’s Guidelines on Management of IT Environment; paragraph 1(d), Part IV of the

BNM’s Guidelines on Management of IT Environment; and paragraph 15(b), Part II of the BNM’s Guidelines

on Management of IT Environment.

Yes.

We followed a rigorous review and selection process. Set out below are the specific areas we considered

and why we decided on Microsoft:

a. Capabilities, experience and track record. Microsoft is an industry leader in cloud computing. Office

365 was built based on ISO/IEC 27001 standards and was the first major business productivity public

cloud service to have implemented the rigorous set of global standards covering physical, logical,

process and management controls. 40% of the world’s top brands use Office 365. We consulted various

case studies relating to Office 365, which are available on the Microsoft website and also considered the

fact that Microsoft has amongst its customers some of the world’s largest organizations and financial

institutions.

b. Service Provider’s understanding of our objectives. We have conducted detailed discussions with

Microsoft and are confident that they understand our business and objectives. As set out above and

below, their extensive experience and reputation in helping other financial institutions also helps us to

http://office.microsoft.com/en-us/business/office-365-customer-stories-office-testimonials-FX103045622.aspx

Confidential

of 65

10004330-2


professional indemnity insurance

coverage) to compensate your

organization for errors, negligence

and other operational failures.

(d) Business reputation, complaints,

regulatory infringements and

pending or potential litigation of the

Service Provider.

(e) Compatibility with your organization

in terms of business objectives,

human resource policies, service

philosophies and business culture.

(f) Security and internal controls,

standards, policies and

procedures.

(g) Business resumption and

contingency plans including

disaster recovery capabilities.

(h) Ability of the Service Provider to

comply with the relevant regulatory

requirements applicable to your

organization (factors that could be

be confident in this decision.

c. Financial strength and resources. Microsoft Corporation is publicly-listed in the United States and is

amongst the world’s largest companies by market capitalization. Microsoft’s audited financial statements

indicate that it has been profitable for each of the past three years. Its market capitalization is in the

region of USD 280 billion. Accordingly, we have no concerns regarding its financial strength and ability

to compensate us for failures.

d. Business reputation, complaints, regulatory infringements. As set out above, Microsoft has a very

strong international reputation and experience. There are no complaints or regulatory infringements. In

fact, the European Union’s data protection authorities have found that Microsoft’s enterprise cloud

contracts meet the high standards of EU privacy law. Microsoft is the first – and so far the only –

company to receive this approval.

e. Compatibility with our organization. We have conducted detailed discussions with Microsoft and are

confident that they understand our business and that we will be able to work well with them.

f. Security and internal controls. Microsoft is an industry leader in cloud security and implements

policies and controls on par with or better than on-premises data centers of even the most sophisticated

organizations. We have confidence in the security of the solution and the systems and controls offered

by Microsoft. In addition to the ISO/IEC 27001 certification, Office 365 is designed for security with

BitLocker Advanced Encryption Standard (“AES”) encryption of email at rest and security sockets layer

(“SSL”)/transport layer security (“TLS”) encryption of data in transit. The Microsoft service is subject to

the SSAE16 SOC1 Type II audit, an independent, third party audit. In particular, all personnel with

access to customer data are subject to background screening, security training and access approvals.

In addition, the access levels are reviewed on a periodic basis to ensure that only users who have

appropriate business justification have access to the systems. User access to data is also limited by

Confidential

of 65

10004330-2


considered include the Service

Provider’s experience in regulated

financial service industries).

(i) Reliance on and previous

experience in dealing with sub-

contractors.

user role. For example, system administrators are not provided with database administrative access.

Microsoft offers contractually-guaranteed 99.9% uptime, hosted out of world class data centers with

physical redundancy at disk, NIC, power supply and server levels, constant content replication, robust

backup, restoration and failover capabilities, real-time issue detection and automated response such

that workloads can be moved off any failing infrastructure components with no perceptible impact on the

service, with 24/7 on-call engineering teams.

g. Business resumption and contingency plans. Microsoft offers contractually-guaranteed 99.9%

uptime, hosted out of world class data centers with physical redundancy at disk, NIC, power supply and

server levels, constant content replication, robust backup, restoration and failover capabilities, real-time

issue detection and automated response such that workloads can be moved off any failing infrastructure

components with no perceptible impact on the service, with 24/7 on-call engineering teams. More details

regarding business resumption and contingency plans are set out in section G below.

h. Specific financial services credentials and our business. Financial Institution customers in leading

markets, including in the UK, France, Germany, Australia, Singapore, Canada, the United States and

many other countries have performed their due diligence and, working with their regulators, are satisfied

that Office 365 meets their respective regulatory requirements. This gives us confidence that Microsoft

is able to help meet the high burden of financial services regulation and is experienced in meeting these

requirements. We have had detailed discussions with Microsoft regarding our business objectives and

are confident that they understand them.

i. Reliance on and previous experience in dealing with sub-contractors. Microsoft does use sub-

contractors to provide certain ancillary assistance, but not for any critical roles. An up-to-date list of all

subcontractors used to provide the ancillary services (including exact services) is available at

http://trustoffice365.com. Microsoft ensures that all sub-contractors that it deals with are subject to

stringent requirements and Microsoft is experienced at managing such relationships. If we do not

http://trustoffice365.com/

Confidential

of 65

10004330-2


approve of a subcontractor that is added to the list, then we are entitled to terminate the affected online

services.

10. Do you have processes in place to ensure

ongoing periodic due diligence?

Paragraph 10.6 of the BNM’s Guidelines on Outsourcing for Insurers which states that due diligence

processes should continue to be conducted periodically after the initial selection of a service provider,

having regard to the level of materiality of the outsourcing arrangement and risks associated with the use of

a particular service provider, as well as the experience with the quality of the service performed. Generally,

due diligence should be carried out whenever there are significant changes in the circumstances of the

service provider (e.g. changes in key personnel, work procedures or systems of the service provider) which

materially affect the factors used as the basis for selection.

Suggested wording below. You will likely want to add to this in order to provide details of any internal

processes you have.

Yes.

We have various monitoring tools in relation to the service that enable us to carry out continuous due

diligence in relation to the service and Service Provider. We may trigger specific reviews where there are

significant changes in the circumstances of the Service Provider and services.

In our contract with Microsoft, under the FSA, Microsoft offers us the right to participate in the Microsoft

Online Services Customer Compliance Program. Under this Compliance Program, we are offered the

following key features: access to the controls that apply to each online service and the effectiveness of

those controls; access to data related to service operations; receipt of notifications of changes that may

materially impact Microsoft’s ability to provide the online services; engagement with Microsoft’s subject

matter experts and external auditors; and the ability to provide suggestions to improve the online services.

Under the FSA we are also provided with access to Microsoft’s independent third party audit reports and we

Confidential

of 65

10004330-2


have the right to review Microsoft’s Information Security Policies, along with other information we may

reasonably request regarding Microsoft’s security practices and policies. Finally, our regulator is also

provided with a contractual right under the FSA to examine Microsoft’s online services. We are confident

that such arrangements provide us with the appropriate level of assessment of Microsoft’s ability to meet our

policy, procedural, security control and regulatory requirements.

D. SERVICE AGREEMENT

See also Appendix One to this document which includes a comprehensive list of the different provisions in the various regulations in Malaysia which

require ICs to insert specific contractual provisions into their agreements with outsourcing vendors. The appendix then maps these against the

clauses of Microsoft’s agreement where these are covered.

11. Has a service agreement (“SA”) for each

of the items, activities, operations,

transactions or areas to be outsourced to

the Service Provider been established?

Paragraph 10.9 of the BNM’s Guidelines on Outsourcing for Insurers.

Yes.

The written contract we have with Microsoft is in the form of an SLA which is available at:

http://www.microsoftvolumelicensing.com/DocumentSearch.aspx?Mode=3&DocumentTypeId=37

12. Has the SA been reviewed by legal

counsel?

Paragraph 10.9 of the BNM’s Guidelines on Outsourcing for Insurers.

Microsoft recommends that you do seek legal advice on the use of cloud computing services in relation to

statutory/regulatory/common law requirements. You will need to be able to confirm this review has been

undertaken.

Yes.

http://www.microsoftvolumelicensing.com/DocumentSearch.aspx?Mode=3&DocumentTypeId=37

Confidential

of 65

10004330-2


13. Does the SA cover the following?

(a) Nature and scope of the service

provided (i.e., scope of the

relationship, frequency, content,

agreed roles, responsibilities and

duties of Service Provider and

location of service to be provided)

(b) Performance monitoring (i.e.,

includes service levels and

performance measures; liability of

the service provider for

unsatisfactory performance or

other breach of agreement of the

outsourced functions)

(c) Clear identification of ownership

and access (i.e., ownership of

assets generated, purchased or

acquired during the outsourcing

arrangements and your access to

those assets)

(d) Protection of confidentiality and

security of your organization and

your clients’ information (i.e. roles

Paragraphs 10.6 and 10.10 of the BNM Guidelines on Outsourcing for Insurers provides for the provisions

that should be incorporated into the service agreements, depending on the materiality of the outsourced

activity. Specific obligations can also be found in different places including: (i) paragraph 1(c), Part V of the

BNM’s Guidelines on Management of IT Environment; (iii) paragraph 110 of the BNM’s BCM Guidelines;

and (viii) paragraph 111 of the BNM’s BCM Guidelines.

Yes.

Taking each of the points in turn:

(a) Nature and scope of services: The contract includes this. See section 2 for an overview of the

services which are being provided.

(b) Performance monitoring: We have a detailed SLA with Microsoft. Microsoft provides a contractual

financially-backed 99.9% uptime guarantee for the Office 365 product and covers performance

monitoring and reporting requirements which enable us to monitor Microsoft’s performance on a

continuous basis against service levels. Under the service credits mechanism in the SLA, we may

be entitled to a service credit of up to 100% of the service charges. If a failure by Microsoft also

constitutes a breach of contract to which the service credits regime does not apply, we would of

course have ordinary contractual claims available to us too under the contract.

(c) Ownership and access: We retain ownership of data at all times. There are no specific hardware

or other assets that are purchased on our behalf by Microsoft as part of these services to which we

would expect or need to have ownership or access.

(d) Protection of confidentiality and security: Microsoft as an outsourcing partner is an industry

leader in cloud security and implements policies and controls on par with or better than on-premises

Confidential

of 65

10004330-2


and responsibility, liability for

losses in the event of breach of

security/confidentiality; and

requirement for immediate

notification if there is a breach)

(e) Basis for compensation and fees

and circumstances under which

additional charges may be

imposed.

(f) Business resumption and

contingency arrangements

(g) Reporting requirements (i.e., type,

content and frequency of reporting;

whether the performance is met;

and reporting of incidents or events

that may affect the service; testing

and review of work done by the

Service Provider; progress of work

conducted)

(h) Dispute resolution (including

jurisdiction under which disputes

will be resolved).

data centers of even the most sophisticated organizations. Office 365 was built based on ISO/IEC

27001 standards, a rigorous set of global standards covering physical, logical, process and

management controls. This makes us confident that there are very robust security controls in place

to protect the transmission and storage of information/data within Microsoft’s infrastructure. The

following security features are also relevant to protecting the transmission and storage of

information/data within the Microsoft infrastructure:

1. The Microsoft Office 365 security features consist of three parts: (a) built-in security features; (b)

security controls; and (c) scalable security. These include 24-hour monitored physical hardware,

isolated customer data, automated operations and lock-box processes, secure networks and

encrypted data.

2. Microsoft implements the Microsoft Security Development Lifecycle (SDL) which is a comprehensive

security process that informs every stage of design, development and deployment of Microsoft

software and services, including Office 365. Through design requirements, analysis of attack

surface and threat modeling, the SDL helps Microsoft predict, identify and mitigate vulnerabilities

and threats from before a service is launched through its entire production lifecycle.

3. Networks within the Office 365 data centers are segmented to provide physical separation of critical

back-end servers and storage devices from the public-facing interfaces. Edge router security allows

the ability to detect intrusions and signs of vulnerability. Client connections to Office 365 use SSL

(as defined above) for securing Outlook, Outlook Web App, Exchange ActiveSync, POP3, and

IMAP. Customer access to services provided over the Internet originates from users’ Internet-

enabled locations and ends at a Microsoft data center. These connections are encrypted using

industry-standard TLS (as defined above)/SSL. The use of TLS/SSL establishes a highly secure

client-to-server connection to help provide data confidentiality and integrity between the desktop and

the data center. Customers can configure TLS between Office 365 and external servers for both

Confidential

of 65

10004330-2


(i) Default termination.

(j) Sub-contracting.

(k) Service Provider is subject to all

applicable regulations and

guidelines including BNM’s BCM

Guidelines.

(l) Requirements for ensuring the

continuity of the outsourced

business function in the event of a

major disruption affecting the

Service Provider’s services

(including recovery time objectives

(“RTO”) and provisions for legal

liability if the RTO is not achieved).

(m) Audit rights.

(n) Prompt notification by the Service

Provider of any breach of

confidentiality and liability for

losses that might result from such

breach.

inbound and outbound email. This feature is enabled by default. Microsoft also implements traffic

throttling to prevent denial-of-service attacks.

4. From a people and process standpoint, preventing breach involves auditing all

operator/administrator access and actions, zero standing permission for administrators in the

service, “Just-In-Time (JIT) access and elevation” (that is, elevation is granted on an as-needed and

only-at-the-time-of-need basis) of engineer privileges to troubleshoot the service, and segregation of

the employee email environment from the production access environment. Employees who have not

passed background checks are automatically rejected from high privilege access, and checking

employee backgrounds is a highly scrutinized, manual-approval process. Data is also encrypted.

Further details are included in section F below.

(e) Basis for compensation and fees. This is clearly set out in our contracts with Microsoft.

(f) Business resumption and contingency arrangements: There are detailed business contingency

provisions. See section G below for more details.

(g) Reporting requirements: Our IT administrators have access to the Office 365 Service Health

Dashboard, which provides real-time and continuous monitoring of the Office 365 service. The

Service Health Dashboard provides our IT administrators with information about the current

availability of each service or tool (and history of availability status) details about service disruption

or outage, scheduled maintenance times. The information is provided via an RSS feed. Amongst

other things, it provides a contractual 99.9% uptime guarantee for the Office 365 product and covers

performance monitoring and reporting requirements which enable us to monitor Microsoft’s

performance on a continuous basis against service levels. As part of the support we receive from

Microsoft, we also have access to a technical account manager who is responsible for

Confidential

of 65

10004330-2


understanding our challenges and providing expertise, accelerated support and strategic advice

tailored to our organization. This includes both continuous hands-on assistance and immediate

escalation of urgent issues to speed resolution and keep mission-critical systems functioning. We

are confident that such arrangements provide us with the appropriate mechanisms for managing

performance and problems.

(h) Dispute resolution. Our contract is subject to Washington state law and jurisdiction. We have

sought advice on this and are comfortable with this position. The contract also includes dispute

escalation procedures.

(i) Default termination: The Microsoft Business and Services Agreement (“MBSA”) contains usual

termination provisions. The SLA is contained with the MBSA is terminable by us for convenience at

any time by providing not less than 60 days’ notice. Any sub-agreements to the MBSA are

terminable by us for convenience at any time by providing not less than 30 days’ notice. In addition,

we have standard rights of termination for material breach. This gives us the flexibility and control

we need to manage the relationship with Microsoft because it means that we can terminate the

arrangements whether with or without cause.

(j) Sub-contracting. As set out above, Microsoft does use sub-contractors to provide certain ancillary

assistance, but not for any critical path roles. An up-to-date list of all subcontractors used to provide

the ancillary services (including exact services) is available at http://trustoffice365.com. Microsoft

ensures that all sub-contractors that it deals with are subject to stringent requirements and is

experienced at managing such relationships.

(k) Regulations and guidelines on Business Continuity: As set out in section F below, we have

ensured that Microsoft is required to provide robust and comprehensive business continuity

http://trustoffice365.com/

Confidential

of 65

10004330-2


management and processes.

(l) Continuity in the event of disruption: As set out in section F below, we have ensured that

Microsoft is required to provide robust and comprehensive disaster recovery management and

processes. Microsoft provides a contractual financially-backed 99.9% uptime guarantee for the

Office 365 product and covers performance monitoring and reporting requirements which enable us

to monitor Microsoft’s performance on a continuous basis against service levels. Under the service

credits mechanism in the SLA, we may be entitled to a service credit of up to 100% of the service

charges. If a failure by Microsoft also constitutes a breach of contract to which the service credits

regime does not apply, we would of course have ordinary contractual claims available to us too

under the contract.

(m) Audit rights. The extensive audit rights that Microsoft offers was a key reason for our decision to

choose Microsoft. Details of the different audit rights are set out in section E below.

(n) Notification of breach. Microsoft implements “prevent, detect, and mitigate breach”, which is a

defensive strategy aimed at predicting and preventing any security breach before it happens. This

involves continuous improvements to built-in security features, including port scanning and

remediation, perimeter vulnerability scanning, OS patching to the latest updated security software,

network-level DDOS (distributed denial-of-service) detection and prevention, and multi-factor

authentication for service access. Wherever possible, human intervention is replaced by an

automated, tool-based process, including routine functions such as deployment, debugging,

diagnostic collection, and restarting services. Office 365 continues to invest in systems automation

that helps identify abnormal and suspicious behavior and respond quickly to mitigate security risk.

Microsoft is continuously developing a highly effective system of automated patch deployment that

generates and deploys solutions to problems identified by the monitoring systems—all without

Confidential

of 65

10004330-2


human intervention. This greatly enhances the security and agility of the service.

In the event that a security incident or violation is detected, Microsoft Customer Service and Support

notifies Office 365 subscribers by updating the Service Health Dashboard that is available on the

Office 365 portal. We would have access to Microsoft’s dedicated support staff, who have a deep

knowledge of the service. Microsoft provides a RTO (as defined above) of 1 hour or less for

Microsoft Exchange Online and 6 hours of less for SharePoint Online, and a Recovery Point

Objective (“RPO”) of 45 minutes or less for Microsoft Exchange Online and 2 hours or less for

SharePoint Online.

Finally, after the incident, Microsoft provides a thorough post-incident review report (“PIR”). The

PIR includes: (i) an incident summary and event timeline; (ii) broad customer impact and root cause

analysis; (iii) actions being taken for continuous improvement. Microsoft will provide the PIR within

five business days following resolution of the service incident. Administrators can also request a PIR

using a standard online service request submission through the Office 365 portal or a phone call to

Microsoft Customer Service and Support.

E. AUDIT

14. Has your organization made explicit

provisions in the outsourcing contracts or

obtained letters of undertaking from

Service Providers to enable regulatory

bodies and appointed personnel such as

external and internal auditors to carry out

inspection or examination of the Service

Provider’s books, internal controls,

There are various provisions under Malaysia law that require this. In particular see: (i) Section 148(1)(b) of

the FSA; (ii) paragraphs 10.10 and 12.1 of the BNM’s Guidelines on Outsourcing for Insurers provides that

insurers shall, in all cases, obtain an undertaking from their outsourcing service providers (or sub-

contractors as applicable), or include a provision within the SA, giving authorized examiners of BNM the

right to: (a) examine the books, records, information, systems and the internal control environment in the

service provider (or sub-contractor as applicable), to the extent that they relate to the service being

performed for the insurer; and (b) access any internal audit or external audit findings of the service provider

(or sub-contractor as applicable) that concern the service being performed for the insurer; (iii) paragraph

Confidential

of 65

10004330-2


facilities, systems, processes and data

relating to the services provided to your

organization?

15(c), Part II of the BNM’s Guidelines on Management of IT Environment; (iv) paragraph 113 of the BNM’s

BCM Guidelines; and (v) paragraph 1(c), Part V of the BNM’s Guidelines on Management of IT

Environment.

Yes.

We are confident that in our choice of Microsoft as Service Provider we have far more extensive audit rights

than most if not all other Service Provider’s offer. This was an important factor in our decision to choose this

Service Provider.

In particular, the following audit protections are made available by Microsoft:

1. As part of Microsoft’s certification requirements, they are required to undergo regular independent

third party auditing (via the SSAE16 SOC1 Type II audit, a globally-recognized standard), and

Microsoft shares with us the independent third party audit reports. Microsoft also agrees as part of

the compliance program to customer right to monitor and supervise. We are confident that such

arrangements provide us with the appropriate level of assessment of Microsoft’s ability to meet our

policy, procedural, security control and regulatory requirements.

2. BNM is given a contractual right of audit/inspection over Microsoft’s facilities, so that it can assess

and examine systems, processes and security and regulatory compliance.

Microsoft also offers a Compliance Framework Program. If you take-up the Compliance Framework

Program, you may add this additional information about its key features: the regulator audit/inspection right,

access to Microsoft’s security policy, the right to participate at events to discuss Microsoft’s compliance

program, the right to receive audit reports and updates on significant events, including security incidents,

Confidential

of 65

10004330-2


risk-threat evaluations and significant changes to the business resumption and contingency plans.

F. CONFIDENTIALITY AND SECURITY

14. Have you obtained from the Service

Provider a written undertaking to protect

and maintain the confidentiality of your

customer data in compliance with the

secrecy provision pursuant to section 133

of the FSA and the protection of your own

confidential information?

Section 133(1) of the FSA which provides that no person who has access to any document or information

relating to the affairs or account of any customer of a financial institution, including: (a) the financial

institution; or (b) any person who is or has been a director, officer or agent of the financial institution, shall

disclose to another person any document or information relating to the affairs or account of any customer of

the financial institution.

Paragraph 26.1 of the BNM’s Guidelines on Internet Insurance which provides that any outsourcing of

information technology services that relates to internet insurance require that the service provider or

software vendor to provide the insurer with a written undertaking on its compliance with secrecy of

customers’ and the insurer’s information.

Yes.

Our contract with Microsoft contains robust confidentiality provisions to prevent disclosure of confidential

information whether of our customers or of our own. Information will only be provided to Microsoft’s sub-

contractors on a need to know basis for the purposes of providing the services and subject to similar

restrictions on confidentiality. If anything further is required we would work with Microsoft to provide

whatever further clarity the regulator may require in this regard.

It is also relevant to note that the European Union’s data protection authorities have found that Microsoft’s

enterprise cloud contracts meet the high standards of EU privacy law. Microsoft is the first – and so far the

only – company to receive this approval.

Confidential

of 65

10004330-2


15. Has senior management determined that

there are adequate controls for identifying,

reporting and responding to suspected

security incidents and violations?

Paragraph 6(b), Part II of the BNM’s Guidelines on Management of IT Environment. Paragraph 27,

Guidelines on Internet Insurance. This contains more specific requirements including that staff of the IC and

any outsourcing vendor are required to report all security breaches promptly to management. Material

security breaches, system downtime and degradation in system performance that critically affects the IC

should be reported to BNM: (i) an initial report to BNM via telephone immediately upon detection by

providing ‘initial information/observation’; and (ii) a formal report should be made within 2 days from the date

of detection. These reporting obligations have to be stated explicitly in the IC’s security policy and the IC

should also establish procedures for proper recording of occurrence of such incidents.

Yes.

Senior management is confident that there are adequate internal controls, prevention measures and

processes for early detection of errors, omissions and security incidents. Our extensive due diligence and

risk profiling at the outset and processes in place for monitoring, auditing and security protections assure us

of this. We have set out details of this elsewhere in this document.

Microsoft’s systems including its real-time monitoring facilities enable us to fulfill our reporting obligations to

BNM in the event of a security breach occurring.

16. Are the following security practices

implemented by the Service Provider?

(a) Firewalls have been installed on all

connection points between the

internal computer network and the

Internet.

There are specific security practice requirements contained in Part III of the BNM’s Guidelines on

Management of IT Environment (although note that these are considerations and not specific requirements

that are considered necessary in all circumstances) and in paragraph 21.5 of the BNM Guidelines on

Internet Insurance.

Yes.

This is an issue that we take very seriously. We have therefore checked these procedures in detail with

Confidential

of 65

10004330-2


(b) Intrusion detection-prevention

devices have been installed

(including denial-of-service security

appliances where appropriate).

(c) Virtual private networks (VPN)

have been developed within a

public switch network to protect all

transmissions from unauthorized

parties, while allowing the use of

the public network infrastructure.

(d) Public key infrastructure (PKI) is

used to perform authentication on

the internet through a combination

of digital certificates and public key

cryptography (PKC).

(e) Internationally accepted well-

defined industry standards of

payment protocol are used to

provide a secure environment for

online credit card payments.

(f) Penetration testing is conducted at

least once a year or whenever

substantial changes are made to

Microsoft and are confident that they provide excellent means to enable us to identify, report and respond

properly and promptly in the event of any security incident or violation. We are assured that Microsoft is

committed to protecting the privacy of our and Microsoft makes this statement in its Office 365 Privacy

Statement.

Taking each of the points in turn:

(a) Firewalls. Microsoft uses multiple layers of network devices in order to segregate network security

zones and block access to resources placed in high security zones from external parties.

(b) Intrusion detection-prevention devices. There are robust procedures offered by Microsoft that

enable the prevention of security incidents and violations in the first place. Specifically:

1. Microsoft implements 24 hour monitored physical hardware. Data center access is restricted 24

hours per day by job function so that only essential personnel have access to customer applications

and services. Physical access control uses multiple authentication and security processes, including

badges and smart cards, biometric scanners, on-premises security officers, continuous video

surveillance, and two-factor authentication.

2. Microsoft implements “prevent, detect, and mitigate breach”, which is a defensive strategy aimed at

predicting and preventing a security breach before it happens. This involves continuous

improvements to built-in security features, including port scanning and remediation, perimeter

vulnerability scanning, OS patching to the latest updated security software, network-level DDOS

(distributed denial-of-service) detection and prevention, and multi-factor authentication for service

access.

3. Wherever possible, human intervention is replaced by an automated, tool-based process, including

http://www.microsoft.com/online/legal/v2/?docid=22&langid=en%2Dus

http://www.microsoft.com/online/legal/v2/?docid=22&langid=en%2Dus

Confidential

of 65

10004330-2


the internet-related systems.

(g) Implement anti-virus software and

apply updates regularly.

(h) Access to security logs and audit

trails.

(i) Analysis of security logs for

suspicious traffic and intrusion

attempts.

(j) Conducting security awareness

education and programs.

(k) Providing separate physical/logical

environments for systems

development, testing and

production.

(l) Encrypting critical or sensitive

information which is stored or

transmitted over communication

networks.

routine functions such as deployment, debugging, diagnostic collection, and restarting services.

Office 365 continues to invest in systems automation that helps identify abnormal and suspicious

behavior and respond quickly to mitigate security risk. Microsoft is continuously developing a highly

effective system of automated patch deployment that generates and deploys solutions to problems

identified by the monitoring systems—all without human intervention. This greatly enhances the

security and agility of the service.

(c) VPNs. In multi-tenancy services Microsoft does not use VPN for customer to access Office 365

services. For a dedicated hosted offering, the customer may choose to use IP-VPN as a private

connection. Therefore, the response should be either: [Not applicable.] or [We will use an IP-VPN

as a private connection.]

(d) PKI. Office 365 provides us with the option to use PKI based user-authentication.

(e) Payment protocols. Not applicable to the services being outsourced by us.

(f) Penetration testing. Microsoft conducts penetration tests to enable continuous improvement of

incident response procedures. These internal tests help Office 365 security experts create a

methodical, repeatable, and optimized stepwise response process and automation.

(g) Anti-virus software. All services in Office 365 are virus-scanned every day with the latest virus

definitions.

(h) Access to security logs and audit trails. In the event that a security incident or violation is

detected, Microsoft Customer Service and Support notifies Office 365 subscribers by updating the

Service Health Dashboard that is available on the Office 365 portal. In addition, we have extensive

audit rights as described in Section E.

Confidential

of 65

10004330-2


(i) Analysis of security logs for suspicious traffic and intrusion attempts. Microsoft has robust

automated processes which are constantly monitoring in this regard. See response at (b) above for

more details.

(j) Conducting security awareness education and programs. All personnel with access to customer

data are subject to background screening, security training and access approvals. In addition, the

access levels are reviewed on a periodic basis to ensure that only users who have appropriate

business justification have access to the systems. User access to data is also limited by user role.

For example, system administrators are not provided with database administrative access. All

appropriate Microsoft Staff take part in a Microsoft Online Services sponsored security training

program, and are recipients of periodic security awareness updates when applicable. Security

education is an on-going process and is conducted regularly in order to minimize risks.

(k) Providing separate physical/logical environments for systems development, testing and

production. Microsoft has an operational change control procedure in place. The operational

change control procedure includes an assessment process of possible change impact change

testing in an approved non-production environment.

(l) Encrypting critical or sensitive information which is stored or transmitted over

communication networks: Networks within the Office 365 data centers are segmented to provide

physical separation of critical back-end servers and storage devices from the public-facing

interfaces. Edge router security allows the ability to detect intrusions and signs of vulnerability.

Client connections to Office 365 use SSL for securing Outlook, Outlook Web App, Exchange

ActiveSync, POP3, and IMAP. Customer access to services provided over the Internet originates

from users’ Internet-enabled locations and ends at a Microsoft data center. These connections are

encrypted using industry-standard TLS/SSL. The use of TLS/SSL establishes a highly secure client-

to-server connection to help provide data confidentiality and integrity between the desktop and the

Confidential

of 65

10004330-2


data center. Customers can configure TLS between Office 365 and external servers for both

inbound and outbound email. This feature is enabled by default. Microsoft also implements traffic

throttling to prevent denial-of-service attacks. Customer data in Office 365 exists in two states: (i) at

rest on storage media; and (ii) in transit from a data center over a network to a customer device.

All email content is encrypted on disk using BitLocker AES encryption. Protection covers all disks on

mailbox servers and includes mailbox database files, mailbox transaction log files, search content

index files, transport database files, transport transaction log files, and page file OS system disk

tracing/message tracking logs.

Office 365 also transports and stores secure/multipurpose Internet mail extensions (“S/MIME”)

messages. Office 365 will transport and store messages that are encrypted using client-side, third-

party encryption solutions such as Pretty Good Privacy (“PGP”).

17. How are customers authenticated? For

internal systems, how are staff in your

organization authenticated?

Paragraph 2(a), Part III of the BNM’s Guidelines on Management of IT Environment. You will need to

supplement this with details of your own internal authentication processes for internal systems.

Yes.

Office 365 uses two-factor authentication to enhance security. Typical authentication practices that require

only a password to access resources may not provide the appropriate level of protection for information that

is sensitive or vulnerable. Two-factor authentication is an authentication method that applies a stronger

means of identifying the user. The Microsoft phone-based two-factor authentication solution allows users to

receive their PINs sent as messages to their phones, and then they enter their PINs as a second password

to log on to their services.

Confidential

of 65

10004330-2


18. Is the Service Provider able to isolate and

clearly identify your customer data,

documents, records and assets to protect

their confidentiality?

Paragraph 6(b), Part II of the BNM’s Guidelines on Management of IT Environment and FSA as above.

Yes.

Microsoft’s transparency as to data location was a key consideration as part of the service provider selection

process. Active Directory isolates customers using security boundaries (also known as silos). This

safeguards a customer’s data so that the data cannot be accessed or compromised by co-tenants.

19. Are your data / applications stored in the

vendor systems commingled with those of

other subscribers? Is the Service Provider

able to isolate and clearly identify your

customer data, documents, records and

assets to protect their confidentiality?

Paragraph 10.10(c) of BNM’s Guidelines on Outsourcing for Insurers which states that the SA entered into

between the insurer and the service provider should provide for clear identification and establishment of

ownership of all assets relating to the outsourcing arrangement. The SA should specify the terms governing

the use of the insurer’s premises, personnel and equipment, where relevant.

Data and applications are not commingled with those of other customers and yes the Service Provider is

able to clearly identify our customer data, documents, records and assets to protect their confidentiality.

Networks within the Office 365 data centers are segmented to provide physical separation of critical back-

end servers and storage devices from the public-facing interfaces.

20. Are there documented system for

monitoring and managing the computer

center’s resources (i.e. utilization of the

central processing unit (CPU), hard disk

and memory, problem reporting and

prioritization, equipment malfunctions,

frequency and duration of system down

time and network activities to detect

Paragraph 3(g), Part V of the BNM’s Guidelines on Management of IT Environment.

Yes. The security procedures for safeguarding hardware, software and security are documented in detail by

Microsoft in its Standard Response to Request for Information – Security and Privacy. This confirms how the

following aspects of Microsoft’s operations safeguard hardware, software and data:

Compliance;

http://www.microsoft.com/en-sg/download/details.aspx?id=26647

Confidential

of 65

10004330-2


suspicious trends and attempts to gain

access to the system)?

Data Governance;

Facility;

Human Resources;

Information Security;

Legal;

Operations;

Risk Management;

Release Management;

Resiliency; and

Security Architecture.

21. Are the following physical and

environmental controls available at the data

center?

(a) All computer and

telecommunications peripherals

adequately labeled for proper

identification

Part V of the BNM’s Guidelines on Management of IT Environment.

Taking each one in turn:

(a) All computer and telecommunications peripherals adequately labeled for proper

identification. Yes.

(b) Uninterruptible power supply (“UPS”). Microsoft’s data centers have dedicated 24x7 UPS and

emergency power support, i.e. generators. Regular maintenance and testing is conducted for both

Confidential

of 65

10004330-2


(b) Uninterruptible power supply

(c) Air conditioning system

(d) Temperature sensor

(e) Fire detector

(f) Smoke detector

(g) Fire suppression system

(h) Raised floor

(i) Water leakage detection system

the UPS and generators. Data centers have made arrangements for emergency fuel delivery. The

data centers have dedicated Facility Operations Centers to monitor the power systems, including all

critical electrical components – generators, transfer switch, main switchgear, power management

module and UPS equipment.

(c) Air conditioning system. Microsoft has implemented environmental controls to protect the data

centers including ventilation and air conditioning.

(d) Temperature sensor. Microsoft has implemented environmental controls to protect the data

centers including temperature control and heating. The data centers’ Facility Operations Centers

monitor the heating, ventilation and air conditioning system, which controls and monitors space

temperature and humidity within the data centers, space pressurization and outside air intake.

(e) Fire detector. Fire Detection and Suppression systems exist at all Microsoft’s data centers.

Additionally, portable fire extinguishers are available at various locations in the data center. Routine

maintenance is performed on facility and environmental protection equipment.

(f) Smoke detector. See above. In addition, Microsoft’s equipment is placed in environments which

have been engineered to be protective from environmental risks such as smoke.

(g) Fire suppression system. Fire Detection and Suppression systems exist at all Microsoft’s data

centers. Additionally, portable fire extinguishers are available at various locations in the data center.

Routine maintenance is performed on facility and environmental protection equipment.

(h) Raised floor. Microsoft’s equipment is placed in environments which have been engineered to be

protective from environmental risks such as water.

(i) Water leakage detection system. Microsoft has water leakage detection systems for water-cooling

Confidential

of 65

10004330-2


data centers.

22. Who is primarily in charge of security

administration and systems access

functions?

Paragraph 1(e), Part III of the BNM’s Guidelines on Management of IT Environment which provides that a

security administrator and/ or a system administrator who are responsible for the system security and/ or

administration functions and to implement policies as well as adopted standards, should be formally

appointed.

Overall responsibility for these matters remains with our organization and we have procedures in place to

monitor overall performance. Our [security administrator/system administrator is insert name].

Microsoft will perform the technical monitoring and management functions on our behalf. System level data

such as configuration data/file and commands are managed as part of the configuration management

system. Any changes or updates to or deletion of those data/files/commands will be automatically deleted

by the configuration management system as anomalies.

We will receive information about system integrity, security monitoring and network performance through the

Office 365 Service Health Dashboard, as described above.

23. Does the Service Provider adhere to the

provisions of the Personal Data Protection

Act 2010 (“PDPA”)?

Paragraph 26.1 of the BNM’s Guidelines on Internet Insurance which provides that any outsourcing of

information technology services that relates to internet insurance require that the vendor abide by any data

protection legislation that is in effect. The PDPA can be found here.

Yes.

Our use of Microsoft Office 365 would not cause us to fail to meet any obligation we may have under the

PDPA. In fact, we think that Microsoft Office 365 has features that will help us comply with certain provisions

(including security obligations). We will continue to maintain overall responsibility and accountability for

Confidential

of 65

10004330-2


compliance with the PDPA.

In relation to the specific requirements of the PDPA that apply to the use of cloud services:

1. We have an obligation to implement reasonable and appropriate organizational, physical and

technical measures to protect personal information. We are satisfied with Microsoft’s security

procedures, as described in its Standard Response to Request for Information – Security and

Privacy (and further described in other parts of this document).

2. We have an obligation to use contractual or other reasonable means to provide a comparable

level of protection while the information is being processed by Microsoft. We are satisfied that our

legally-binding agreement with Microsoft, and the operational procedures we have in place to

monitor compliance, together with our choice of service provider, will provide at least a comparable

level of protection for personal information. Our contract with Microsoft ensures that all data (but in

particular any customer data) is treated with the highest level of security enabling us to continue to

comply with our legal and regulatory obligations and our commitments to customers.

3. In addition Microsoft commits to comply with ISO/IEC 27018. In February 2015, Microsoft became

the first major cloud provider to adopt the world’s first international standard for cloud privacy,

ISO/IEC 27018. The standard was developed by the International Organization for Standardization

(ISO) to establish a uniform, international approach to protecting privacy for personal data stored in

the cloud. The British Standards Institute (BSI) has now independently verified that Microsoft is

aligned with the standard’s code of practice for the protection of Personally Identifiable Information

(PII) in the public cloud. The controls set out in ISO/IEC 27018 match the protections required by

the PDPA. For more information on this, follow this link.



http://blogs.microsoft.com/on-the-issues/2015/02/16/microsoft-adopts-first-international-cloud-privacy-standard/

Confidential

of 65

10004330-2


G. DATA BACKUP AND DISASTER RECOVERY

24. Does the Service Provider have a fully

documented and adequately resourced

business continuity plan (“BCP”) and

disaster recovery plan (“DRP”)? If yes,

provide documentation or details.

Paragraph 112 of the BNM’s BCM Guidelines.

Yes.

Microsoft offers contractually-guaranteed 99.9% uptime, globally available data centers for primary and

backup storage, physical redundancy at disk, NIC, power supply and server levels, constant content

replication, robust backup, restoration and failover capabilities, real-time issue detection and automated

response such that workloads can be moved off any failing infrastructure components with no perceptible

impact on the service, 24/7 on-call engineering teams.

Microsoft’s arrangements are as follows:

Redundancy

Physical redundancy at server, data center, and service levels;

Data redundancy with robust failover capabilities; and

Functional redundancy with offline functionality.

Resiliency

Active load balancing;

Automated failover with human backup; and

Confidential

of 65

10004330-2


Recovery testing across failure domains.

Distributed Services

Distributed component services like Exchange Online, SharePoint Online, and Lync Online limit

scope and impact of any failures in a component;

Directory data replicated across component services insulates one service from another in any

failure events; and

Simplified operations and deployment.

Monitoring

Internal monitoring built to drive automatic recovery;

Outside-in monitoring raises alerts about incidents; and

Extensive diagnostics provide logging, auditing, and granular tracing.

Simplification

Standardized hardware reduces issue isolation complexities;

Fully automated deployment models; and

Standard built-in management mechanism.

http://office.microsoft.com/en-us/business/office-365-online-service-availability-FX104028266.aspx

Confidential

of 65

10004330-2


Human backup

Automated recovery actions with 24/7 on-call support;

Team with diverse skills on the call provides rapid response and resolution; and

Continuous improvement by learning from the on-call teams.

Continuous learning

If an incident occurs, Microsoft does a thorough post-incident review every time; and

Microsoft’s post-incident review consists of analysis of what happened, Microsoft’s response, and

Microsoft’s plan to prevent it in the future.

For the avoidance of doubt, the nature of the services provided as part of Office 365 does not give rise to a

risk that the Bank itself could become “offline” (i.e. there would be no implication for core banking functions

such as transaction processing).

25. What are the data backup and recovery

arrangements for your organization’s data

that reside with the Service Provider?

Paragraph 71 of the BNM’s BCM Guidelines, which states that an institution should make available a

functional alternate and recovery site for their business functions and technology in the event the business

premises, key infrastructure and systems supporting critical business functions become unavailable.

Pursuant to paragraph 110 of the BNM’s BCM Guidelines, the institution should ensure that the service

provider is subjected to the BCM Guidelines, where appropriate. Therefore, the service provider should

ensure that it has a functional alternate and recovery site.

See response directly above for details.

http://office.microsoft.com/en-us/business/office-365-online-service-availability-FX104028266.aspx

Confidential

of 65

10004330-2


26. Has a testing of the BCP and DRP of the

Service Provider been conducted?

Paragraph 112 of the BNM’s BCM Guidelines which provides that the institution should ensure that periodic

testing is conducted by the outsourcing vendor on its BCP and DRP at least annually and twice a year,

respectively.

Yes.

As part of Microsoft’s certification requirements, it is required to undergo regular independent third party

auditing and Microsoft shares with us the independent third party audit reports.

27. How frequently does the Service Provider

conduct tests on its BCP and DRP?

Paragraph 112 of the BNM’s BCM Guidelines which provides that periodic testing should be conducted by

the outsourcing vendor at least twice a year on its BCP and DRP, respectively.

Microsoft carries out disaster recovery testing at least once per year.

28. Does your organization’s BCP address the

reasonably foreseeable situations in the

event that the Service Provider fails to

provide the required services, causing

disruptions to your organization’s

operations?

Paragraph 115 of BNM’s BCM Guidelines which provides that the institution’s own BCP should address

reasonably foreseeable situations where the outsourcing vendor fails to provide the required services,

causing disruptions to the institution’s operations.

Note, this question, primarily concerns your own internal BCP. If you have any questions or we can help in

any way, just let us know.

29. Have you tailored and tested your disaster

recovery or business continuity plan?

Part B.2.9 of the BNM’s BCM Guidelines which provides for the testing of the BCP and DRP by the

institution. BCP should be tested at least once a year for all critical business functions, while the DRP for all

critical application systems should be tested at least twice a year, of which one of the tests should be a “live

run”.

This question concerns your own testing as opposed to that which Microsoft carries out. You will need to be

Confidential

of 65

10004330-2


able to demonstrate that you comply with the requirements set out above in terms of frequency of testing.

30. Is the Service Provider required to notify

you in the event that it makes significant

changes to its BCP and DRP, or

encounters other circumstances that might

have a serious impact on its services?

Paragraph 114 of the BNM’s BCM Guidelines.

Yes.

Microsoft will inform us if there are any important changes to the service with respect to security, privacy,

and compliance. Microsoft will also promptly notify us if your data has been accessed improperly.

In the event that a security incident or violation is detected, Microsoft Customer Service and Support notifies

Office 365 subscribers by updating the Service Health Dashboard that is available on the Office 365 portal.

We would have access to Microsoft’s dedicated support staff, who have a deep knowledge of the service.

Microsoft provides a RTO (as defined above) of 1 hour or less for Microsoft Exchange Online and 6 hours of

less for SharePoint Online, and a Recovery Point Objective (“RPO”) of 45 minutes or less for Microsoft

Exchange Online and 2 hours or less for SharePoint Online.

After the incident, Microsoft provides a thorough PIR. See our response above for more information.

31. What are the RTO of systems or

applications outsourced to the Service

Provider?

Part G of the BNM’s BCM Guidelines, ‘Recovery Time Objective’.

RTO: 1 hour or less for Microsoft Exchange Online, 6 hours or less for SharePoint Online.

H. EXIT STRATEGY

32. Do you have the right to terminate the SA

in the event of default, ownership change,

change of security or serious deterioration

Paragraph 10.10(i) of BNM’s Guidelines on Outsourcing for Insurers which states that the SA between the

insurer and the service provider should provide for default events and remedies, which should include a

termination clause. In particular, the insurer should have the right to terminate the agreement if the agreed

Confidential

of 65

10004330-2


of service quality? service levels are consistently not met or when the service provider undergoes a material change in

ownership or encounters other circumstances that might seriously impair its ability to provide the agreed

services.

Yes.

Our main agreement with Microsoft contains usual termination provisions. The SLA is contained with the

MBSA is terminable by us for convenience at any time by providing not less than 60 days’ notice. Any sub-

agreements to the MBSA are terminable by us for convenience at any time by providing not less than 30

days’ notice. In addition, we have standard rights of termination for material breach. This gives us the

flexibility and control we need to manage the relationship with Microsoft because it means that we can

terminate the arrangements whether with or without cause.

33. In the event of contract termination with the

Service Provider, either on expiry or

prematurely, are you able to have all IT

information and assets promptly removed

or destroyed?

Paragraph 10.10(i) of the BNM’s Guidelines on Outsourcing for Insurers which states that the SA should

also lay down clear procedures for the return of the insurer’s intellectual or physical property in a timely

manner, in the event of default or termination.

Yes.

Microsoft uses best practice procedures and a wiping solution that is NIST 800-88 compliant. For hard

drives that can’t be wiped it uses a destruction process that destroys it (i.e. shredding) and renders the

recovery of information impossible (e.g., disintegrate, shred, pulverize, or incinerate). The appropriate

means of disposal is determined by the asset type. Records of the destruction are retained.

All Microsoft Online Services utilize approved media storage and disposal management services. Paper

documents are destroyed by approved means at the pre-determined end-of-life cycle.

Confidential

of 65

10004330-2


“Secure disposal or re-use of equipment and disposal of media” is covered under the ISO/IEC 27001

standards against which Microsoft is certified.

I. INFORMATION TO BE SUBMITTED FOR APPLICATIONS TO OUTSOURCE ABROAD

BNM’s prior approval is required for ICs to enter into any outsourcing arrangement (material or not) which results in services being provided in a

location outside Malaysia. Applications to outsource abroad should include the information set out below (see Appendix III of the BNM Guidelines on

Outsourcing for Insurers).

34. Full description of services to be

outsourced.

You can find the details in the contract which comprehensively sets out the scope of the arrangement and

the respective commitments of the parties. The online services are ordered under the Enrollment, and the

order will set out the online services and relevant prices.

The services are broadly described, along with the applicable usage rights, in the Product List and the PUR.

The services are described in detail in the Service Description, which is not part of the contract. However,

Microsoft makes a functionality commitment in the Core Features Amendment, and as a minimum the online

services will meet that commitment during the term of the contract.

35. Business case. You will need to provide a business case. You can draw upon some of the information contained in section

B above.

36. Materiality assessment. For ICs, see the relevant considerations regarding what is ‘material’ in Part VIII of the BNM Guidelines on

Outsourcing for Insurers.

37. Due diligence of Service Provider. You can draw upon the information provided in section C above.

38. Confirmation that the relevant laws of the You will likely want to undertake your own legal review in this regard. Microsoft is not aware of any laws in

Confidential

of 65

10004330-2


foreign jurisdiction and terms and

conditions of the SA allow for BNM to have

reasonable and timely access to

information/data belonging to the IC.

the countries in which it would be providing the services that would impact BNM having such access.

39. Description of the manner in which the IC

will ensure effective control and oversight

over the service outsourced (should include

a description of identified risks involved in

the arrangement and the strategies put in

place to address the risks).

You can draw upon the information contained in section B above which contains detailed information

regarding risk assessment and management and control and oversight.

40. Confirmation that the services are not

available locally at comparable costs and

service levels or, if available, the

justification for the use of the foreign

Service Provider.

You will need to confirm this point from your own analysis.

41. Description of any reciprocal services

provided out of Malaysia.

Not applicable.

Confidential

of 65

10004330-2

APPENDIX ONE

MANDATORY CONTRACTUAL REQUIREMENTS

This table sets out the specific items that must be covered in the IC’s agreement with the Service Provider.

Key:

Where relevant, a cross-reference is included in red italics to the underlying regulation that sets out the contractual requirement.

In blue text, Microsoft has provided you with a reference to where in the agreement the contractual requirement is covered for ease of reference.

Terms used below as follows:

OST = Online Services Terms

EA = Enterprise Agreement

Enrolment = Enterprise Enrolment

FSA = Financial Services Amendment

MBSA = Microsoft Business and Services Agreement

PUR = Product Use Rights

SLA = Online Services Service Level Agreement

Confidential

of 65

10004330-2

Ref. Requirement Microsoft agreement reference

1. General obligations:

- All material outsourcings should be documented by clearly written

service agreements that address, as far as possible within the

contract, all issues relevant to managing the risks associated with

the outsourcing arrangement.

- The agreement should be reviewed by the IC’s legal counsel to

ensure that the IC’s interests are safeguarded.

- Agreements should be signed by the relevant parties prior to the

commencement of the services. Thereafter, material modifications to

the service agreement should not be permitted without the prior

consent of the IC.

Paragraph 10.9, BNM Guidelines on outsourcing for Insurers

Documented:

Yes.

The contractual documents are all written and clear.

Reviewed by legal counsel:

Yes.

Microsoft recommends that you do seek legal advice on the use of cloud

computing services in relation to statutory / regulatory / common law

requirements. You will need to be able to confirm this review has been

undertaken.

Signed by relevant parties prior to commencement of the services

and material modifications not permitted without the consent of the

IC:

Yes.

The document is signed by the parties. Section 11k of the MBSA states

that the contract may be amended only by a formal written agreement

signed by both parties.

Confidential

of 65

10004330-2


2. The description of the services to be provided including the frequency,

content and format of the services.

Paragraph 10.10(a), BNM Guidelines on outsourcing for Insurers

Yes.

The contract pack comprehensively sets out the scope of the arrangement

and the respective commitments of the parties. The services are broadly

described, along with the applicable usage rights, in the Product List and

the OST. The services are described in more detail in the OST, which

includes a list of service functionality at OST, page 10 and core features of

the Office 365 Services at pages 15-25.

3. Service levels and performance measures which should be consistent with

the IC’s outsourcing objectives and strategies.

Paragraph 10.10(b), BNM Guidelines on outsourcing for Insurers

Yes.

The SLA contains Microsoft’s service level commitment, as well as the

remedies for the customer in the event that Microsoft does not meet the

commitment. The terms of the SLA current at the start of the applicable

initial or renewal term of the Enrollment are fixed for the duration of that

term.

4. Clear identification and establishment of ownership of all assets (intellectual

and physical) relating to the outsourcing arrangement. Where relevant, the

service agreement should specify the terms governing the use of the IC’s

premises, personnel and equipment.

Paragraph 10.10(c), BNM Guidelines on outsourcing for Insurers

Yes.

Ownership of Customer Data remains at all times with the customer (see

Confidential

of 65

10004330-2


OST, page 8).

Terms governing the use of our premises, personnel and equipment are

not relevant.

5. Agreed responsibilities and duties of the Service Provider including:

- Compliance with relevant regulatory requirements and internal

policies of the IC;

- Provisions dealing with the protection and maintenance of the IC’s

data and assets which should be capable of logical separation at all

times from those handled by the Service Provider for other clients;

- Obligation of the Service Provider to maintain adequate insurance

coverage;

- Reporting requirements necessary to enable tie IC to effectively

monitor the performance of the Service Provider in a timely manner

as well as reporting of events that may materially affect the delivery

of service.

Paragraph 10.10(d), BNM Guidelines on outsourcing for Insurers

Compliance with relevant regulatory requirements and internal

policies of the IC:

Yes.

MBSA section 11m states that Microsoft and the customer each commit to

comply with all applicable privacy and data protection laws and

regulations.

Provisions dealing with the protection and maintenance of the IC’s

data and assets which should be capable of logical separation at all

times from those handled by the Service Provider for other clients:

Yes.

The customer retains the ability to access its Customer Data at all times

(OST, page 10), and Microsoft will deal with Customer Data in accordance

with Enrollment clause 6c(iv) and the OST. In summary: following

termination Microsoft will (unless otherwise directed by the customer)

delete the Customer Data after a 90 day retention period. Finally, from a

Confidential

of 65

10004330-2


technical perspective the wide availability and usage of Microsoft’s

products means that Customer Data can generally be extracted in a format

compatible with commonly available alternative products

Microsoft also makes specific commitments with respect to Customer Data

in the OST. In summary Microsoft commits that:

1. Ownership of Customer Data remains at all times with the customer

(see OST, page 8).

2. Customer Data will only be used to provide the online services to the

customer. Customer Data will not be used for any other purposes,

including for advertising or other commercial purposes (see OST,

page 8).

3. Microsoft will not disclose Customer Data to law enforcement unless it

is legally obliged to do so, and only after not being able to redirect the

request to the customer (see OST, page 8).

4. Microsoft will implement and maintain appropriate technical and

organizational measures, internal controls, and information security

routines intended to protect Customer Data against accidental,

unauthorized or unlawful access, disclosure, alteration, loss, or

destruction (see OST, page 8 and pages 11-13 for more details).

5. Microsoft will notify the customer if it becomes aware of any security

incident, and will take reasonable steps to mitigate the effects and

Confidential

of 65

10004330-2


minimize the damage resulting from the security incident (see OST,

page 9).

Obligation of the Service Provider to maintain adequate insurance

coverage:

Yes.

MBSA section 10 deals with insurance. In practice, Microsoft maintains

self-insurance arrangements for much of the areas where third party

insurance is typically obtained. Microsoft has taken the commercial

decision to take this approach, and does not believe that this detrimentally

impacts upon its customers given that Microsoft is an extremely

substantial entity.

Reporting requirements necessary to enable tie IC to effectively

monitor the performance of the Service Provider in a timely manner

as well as reporting of events that may materially affect the delivery

of service:

Yes.

The OST specifies the audit and monitoring mechanisms that Microsoft

puts in place in order to verify that the online services meet appropriate

security and compliance standards. This commitment is reiterated in the

FSA.

Confidential

of 65

10004330-2


Clause 1f of the FSA gives the customer the opportunity to participate in

the Microsoft Online Services Customer Compliance Program, which is a

for-fee program that facilitates the customer’s ability to (a) assess the

services’ controls and effectiveness, (b) access data related to service

operations, (c) maintain insight into operational risks of the services, (d) be

provided with additional notification of changes that may materially impact

Microsoft’s ability to provide the services, and (e) provide feedback on

areas for improvement in the services.

6. Obligations of the Service Provider to protect confidential information. This

should include a provision prohibiting the Service Provider and its agent from

using or disclosing the IC’s proprietary information or that of its customers,

except as necessary to provide the contracted services and to meet

regulatory and statutory provisions. The agreements should provide for the

IC to be promptly notified of any breach of confidentiality and address liability

for losses that might result from such a breach.

Paragraph 10.10(e), BNM Guidelines on outsourcing for Insurers

Yes.

MBSA section 3 deals with confidentiality. Under this section Microsoft

commits not to disclose our confidential information (which includes our

data) to third parties and to only use our confidential information for the

purposes of Microsoft’s business relationship with us. If there is a breach

of confidentiality by Microsoft, we are able to bring a claim for breach of

contract against Microsoft.

MBSA section 11m states that Microsoft and the customer each commit to


regulations.

Microsoft will notify the customer if it becomes aware of any security

incident, and will take reasonable steps to mitigate the effects and

minimize the damage resulting from the security incident (see OST, page

Confidential

of 65

10004330-2


9).

MBSA section 6 deals with liability. MBSA section 5 sets out Microsoft’s

obligation to defend the regulated entity against third party infringement

and breach of confidence claims. Microsoft’s liability under section 5 is

unlimited.

7. The basis for compensation and fees for the services provided as well as

circumstances under which additional charges may be imposed. Conditions

under which the payment structure may be changed should also be

addressed.

Paragraph 10.10(f), BNM Guidelines on outsourcing for Insurers

Yes.

Sales of Microsoft product to enterprise customers are made via a

Microsoft reseller, who sets the end price with the customer. The basis for

the pricing will therefore be set out in a separate agreement with

Microsoft’s reseller.

Microsoft has a variety of flexible licensing models. Please refer to the

arrangements with your Microsoft reseller for more information. In general,

the customer is required to commit to annual payments (payable in

advance) based upon the customer’s number of users.

8. Contingency arrangements outlining the Service Provider’s measures for

ensuring the continuation of the outsourced activity in the event of problems

affecting the Service Provider’s operation. The agreement should place an

obligation on the Service Provider to regularly test its business resumption

and contingency systems and to notify the IC of the test results. In addition,

the IC should be notified in the event that the Service Provider makes

Paragraph 10.10(g), BNM Guidelines on outsourcing for Insurers

Yes.

Business Continuity Management forms part of the scope of the

accreditation that Microsoft remains in relation to the online services, and

Confidential

of 65

10004330-2


significant changes to its contingency plans. Microsoft commits to maintain a data security policy that complies with

these accreditations (see OST page 13). Business Continuity

Management also forms part of the scope of Microsoft’s annual third party

compliance audit.

Under the Compliance Framework Program (if taken up by the customer),

Microsoft will provide communications to the customer regarding

significant changes to the business resumption and contingency plans.

9. Mechanisms for resolving disputes. This should include recourse of the

respective parties, procedures and period for resolution, indemnities,

obligations of the respective parties in the event of a dispute (such as

whether the Service Provider must continue to provide the service during the

dispute) as well as applicable laws and jurisdiction under which disputes will

be settled.

Paragraph 10.10(h), BNM Guidelines on outsourcing for Insurers

Yes.

MBSA section 11 contains provisions that describe how a dispute under

the contract is to be conducted.

MBSA section 11e sets out the jurisdictions in which parties should bring

their actions. Microsoft must bring actions against the customer in the

countries where the customer’s contracting party is headquartered. The

customer must bring actions against: (a) in Ireland if the action is against a

Microsoft affiliates in Europe; (b) in the State of Washington, if the action is

against a Microsoft affiliate outside of Europe; or (c) in the country where

the Microsoft affiliate delivering the services has its headquarters if the

action is to enforce a Statement of Services.

MBSA section 11h sets out the choice of law provision. Either, the

contract is governed by the laws of the State of Washington if the contract

Confidential

of 65

10004330-2


is with a Microsoft affiliate located outside of Europe; or the contract is

governed by the laws of Ireland if the contract is with a European Microsoft

affiliate.

MBSA section 6 deals with liability and rights of action. MBSA section 5

sets out Microsoft’s obligation to defend the regulated entity against third

party infringement and breach of confidence claims. Subject to the terms

of the MBSA, Microsoft’s liability under section 5 is unlimited.

10. Default events and remedies which should include a termination clause. In

particular, an IC should have the right to terminate the agreement if agreed

service levels are consistently not met, or when the Service Provider

undergoes a material change in ownership or encounters other

circumstances that might seriously impair its ability to provide the agreed

services. Appropriate notice should be required for termination which should

allow the IC to make alternative arrangements without significantly disrupting

operations. Clear procedures should also be specified for the return of the

IC’s intellectual or physical property in a timely manner.

Paragraph 10.10(i), BNM Guidelines on outsourcing for Insurers

Yes.

Termination rights for the Enrollment are set out in the Enrollment itself,

and in section 6 of the EA. If the Enrollment is terminated, this will

terminate all products and services ordered under the Enrollment (except

to the extent that the customer has perpetual rights).

Online services may also be terminated or suspended in the

circumstances described in section 6d of the EA, and as specified in the

OST, pages 5, 11 and 30.

In the event of default, the provisions of the SLA will apply to service level

failures and page 9 of the OST sets out arrangements in the event of

security incidents. Other defaults are addressed in the MBSA and EA. A

termination right for cause is set out at section 6c of the EA.

Confidential

of 65

10004330-2


The contract also allows the customer to terminate the arrangement with

Microsoft for convenience (MBSA section 8) which means the customer

has the right to terminate in the event of default including change of

ownership, insolvency or where there is a breach of security or

confidentiality or demonstrable deterioration in the ability of the Service

Provider to perform the service as contracted.

Note also that customers have control over the use they make of, and data

they load into, the online service.Yes.

Microsoft contractually commits to retain our data stored in the Online

Service in a limited function account for 90 days after expiration or

termination of our subscription so that we may extract the data. After the

90 day retention period ends, Microsoft will disable our account and delete

our data (OST, page 5).

In addition, the customer retains the ability to access its Customer Data at

all times (OST, page 10), and Microsoft will deal with Customer Data in

accordance with Enrollment clause 6c(iv) and the OST. Finally, MBSA

section 11m states that Microsoft and the customer each commit to


regulations.

11. Audit and inspection rights for the insurer to evaluate or alternatively cause

an independent auditor to evaluate on its behalf the service provided. This

should include the ability of the IC to review all books, records, information,

systems and the internal control environment (including access to relevant

Paragraph 10.10(j), BNM Guidelines on outsourcing for Insurers

Yes.

Confidential

of 65

10004330-2


audit reports) in the Service Provider that are relevant to the outsourced

activity.




FSA.

In addition, clauses 1e and 1f of the FSA detail the examination and

influence rights that are granted to the customer and BNM.

Clause 1e sets out a process which can culminate in the regulator’s

examination of Microsoft’s premises.

Clause 1f gives the customer the opportunity to participate in the Microsoft

Online Services Customer Compliance Program, which is a for-fee

program that facilitates the customer’s ability to (a) assess the services’

controls and effectiveness, (b) access data related to service operations,

(c) maintain insight into operational risks of the services, (d) be provided

with additional notification of changes that may materially impact



12. Appropriate limitations concerning the ability of the Service Provider to

subcontract any part of the outsourced activity to a third party. The approval

of the IC should be required for the use of subcontractors and the IC is

expected to ensure that the conditions for subcontracting allow the IC to

maintain similar control over the outsourcing relationship and outsourcing

risks as if the service were not subcontracted.

Paragraph 10.10(k), BNM Guidelines on outsourcing for Insurers

Yes.

See page 9 of the OST, under which Microsoft is permitted to hire

subcontractors.

Confidential

of 65

10004330-2


The confidentiality of our data is protected when Microsoft uses

subcontractors because Microsoft commits that its subcontractors “will be

permitted to obtain Customer Data only to deliver the services Microsoft

has retained them to provide and will be prohibited from using Customer

Data for any other purpose” (OST, page 9).

Microsoft commits that any subcontractors to whom Microsoft transfers our

data will have entered into written agreements with Microsoft that are no

less protective than the data processing terms in the OST (OST, page 11).

Under the terms of the OST, Microsoft remains contractually responsible

(and therefore liable) for its subcontractors’ compliance with Microsoft’s

obligations in the OST (OST, page 9). In addition, Microsoft’s commitment

to ISO/IEC 27018, requires Microsoft to ensure that its subcontractors are

subject to the same security controls as Microsoft is subject to. Finally, the

EU Model Clauses, which are included in the OST, require Microsoft to

ensure that its subcontractors outside of Europe comply with the same

requirements as Microsoft and set out in detail how Microsoft must achieve

this.

Microsoft maintains a list of authorized subcontractors for the online

services that have access to our data and provides us with a mechanism

to obtain notice of any updates to that list (OST, page 10). The actual list is

published on the applicable Trust Center. If we do not approve of a

subcontractor that is added to the list, then we are entitled to terminate the

affected online services.

https://products.office.com/en/business/office-365-trust-center-cloud-computing-security

Confidential

of 65

10004330-2


13. The service agreement should stipulate a defined time frame for the

provision of services which may include an option for the IC to renew the

terms of the service if desired. ICs are expected to regularly review the

service agreement to assess whether the agreement needs to be

renegotiated to bring it in line with current market standards and to cope with

changes in business strategies. For this purpose, a clause should be

included in the service agreement to allow for such interim reviews under

reasonable circumstances.


Enrollments have a three year term, and may be renewed for a further

three year term. A review would therefore take place at least every three

years, although amendments can be made more regularly. Section 11k of

the MBSA states that the contract may be amended only by a formal

written agreement signed by both parties.

14. The service agreement must not contain any clause that would:

- Prevent an IC from modifying or terminating an outsourcing

arrangement pursuant to a directive of the bank;

- Affect the right of a customer against the IC, including the right to

obtain redress;

- Impede the IC from meeting its regulatory obligations, or the BNM

from exercising its supervisory powers; or

- Preclude the service from being continued in situations where the

BNM or a person appointed by the BNM takes control of the IC or

where the IC is in liquidation.


Microsoft does not believe that any of these provisions are included in the

contractual documents. You should confirm that this is the case. If you

have any questions, please do not hesitate to get in touch with your

Microsoft contact.

We confirm that our agreement with Microsoft does not contain any such

clauses.

15. The service agreement should specify the requirements for ensuring the

continuity of the outsourcing vendor’s services. Recovery time objectives

(RTO) should be built into the outsourcing contract with provisions for legal

Paragraph 111, BCM Guidelines

Yes.

Confidential

of 65

10004330-2


liability should the RTO not be achieved. Business Continuity Management forms part of the scope of the


Microsoft commits to maintain a data security policy that complies with



compliance audit.

RTO requirements are set out in the SLA and this also includes the

provision for service credits if Microsoft fails to meet the commitments in

the SLA. If a failure by Microsoft also constitutes a breach of contract to

which the service credits regime does not apply, we would of course have

ordinary contractual claims available to us too under the contract.

16. Service agreements for contracted services should clearly prohibit the

unauthorized disclosure of confidential data by the external party and provide

for adequate remedies.

Paragraph 4.25, Guidelines on Data Management and MIS Framework

Yes.







17. The written, enforceable agreement should set out the governing roles,

relationships, obligations and responsibilities of all contracting parties. It

should also cover: performance expectations, service levels, availability,

Section II, paragraph 15(c), Guidelines on Management of IT Environment

Confidential

of 65

10004330-2


reliability, scalability, compliance, security and confidentiality, back processes

facility, contingency planning, right to audit contractual responsibilities and

discontinuation of services and returning all information.

Yes.

All of these points are covered, taking each in turn:

1. The contract pack comprehensively sets out the scope of the

arrangement and the respective commitments of the parties. The

services are broadly described, along with the applicable usage

rights, in the Product List and the OST. The services are

described in more detail in the OST, which includes a list of

service functionality at OST, page 10 and core features of the

Office 365 Services at pages 15-25.

2. The SLA contains Microsoft’s service level commitment, as well as

the remedies for the customer in the event that Microsoft does not

meet the commitment.

3. MBSA section 11m states that Microsoft and the customer each

commit to comply with all applicable privacy and data protection

laws and regulations.

4. Microsoft also makes specific commitments with respect to

Customer Data in the OST, including that Microsoft will implement

and maintain appropriate technical and organizational measures,

internal controls, and information security routines intended to

protect Customer Data against accidental, unauthorized or

unlawful access, disclosure, alteration, loss, or destruction (see

OST, page 8 and pages 11-13 for more details).

5. MBSA section 3 deals with confidentiality. Under this section

Microsoft commits not to disclose our confidential information

Confidential

of 65

10004330-2


(which includes our data) to third parties and to only use our

confidential information for the purposes of Microsoft’s business

relationship with us. If there is a breach of confidentiality by

Microsoft, we are able to bring a claim for breach of contract

against Microsoft.

6. Business Continuity Management forms part of the scope of the

accreditation that Microsoft remains in relation to the online

services, and Microsoft commits to maintain a data security policy

that complies with these accreditations (see OST page 13).

7. The OST specifies the audit and monitoring mechanisms that

Microsoft puts in place in order to verify that the online services

meet appropriate security and compliance standards. This

commitment is reiterated in the FSA.

8. Online services may also be terminated or suspended in the

circumstances described in section 6d of the EA, and as specified

in the OST, pages 5, 11 and 30. The contract also allows the

customer to terminate the arrangement with Microsoft for

convenience (MBSA section 8).

9. Microsoft contractually commits to retain our data stored in the

Online Service in a limited function account for 90 days after

expiration or termination of our subscription so that we may extract

the data. After the 90 day retention period ends, Microsoft will

disable our account and delete our data (OST, page 5).

18. The agreement should explicitly mention BNM’s right to independently

assess, when necessary and regardless of the location, the competence and

Section II, paragraph 15(c), Guidelines on Management of IT Environment

Confidential

of 65

10004330-2


the operational and financial performance of the service provider. Yes.




FSA.

In addition, clauses 1e and 1f of the FSA detail the examination and

influence rights that are granted to the customer and BNM.

Clause 1e sets out a process which can culminate in the regulator’s

examination of Microsoft’s premises.

Clause 1f gives the customer the opportunity to participate in the Microsoft

Online Services Customer Compliance Program, which is a for-fee

program that facilitates the customer’s ability to (a) assess the services’

controls and effectiveness, (b) access data related to service operations,

(c) maintain insight into operational risks of the services, (d) be provided

with additional notification of changes that may materially impact



19. The agreement should be legally binding. It should outline all expected

service levels and the agreement is properly executed to protect the

institution’s interests.

Part IV, paragraph 1(e), Guidelines on Management of IT Environment

Yes.

Confidential

of 65

10004330-2


The contractual documents are all written and clear and legally binding.

The SLA contains Microsoft’s service level commitment, as well as the

remedies for the customer in the event that Microsoft does not meet the

commitment. The terms of the SLA current at the start of the applicable

initial or renewal term of the Enrollment are fixed for the duration of that

term.

20. The agreement should be legally binding and properly executed. The

agreement should oblige vendors to comply with good business practices

that maintain the confidentiality and integrity of information and permit their

activities to be audited.

Part V, paragraph 1(c), Guidelines on Management of IT Environment

Yes.


The agreement is signed.

MBSA section 4(a)(i) deals with professional conduct. Microsoft warrants

that its services will be performed with professional care and skill.









Confidential

of 65

10004330-2



FSA.

21. If communications services are obtained from external service providers, the

institution should ensure that the roles and responsibilities and expected

service levels are defined in formal and enforceable agreements. The

agreement should specific arrangements for ensuring continuity of service

(i.e. detection and recovery from service interruptions).

Part VI, paragraph 3(c), Guidelines on Management of IT Environment

Yes.

The contract pack comprehensively sets out the scope of the arrangement

and the respective commitments of the parties. The SLA contains

Microsoft’s service level commitment, as well as the remedies for the

customer in the event that Microsoft does not meet the commitment.

Business Continuity Management forms part of the scope of the


Microsoft commits to maintain a data security policy that complies with



compliance audit.

22. The agreement should be legally binding and properly executed to protect

the institution’s interests. The agreement should oblige vendors to comply

with good business practices that maintain the confidentiality and integrity of

information, provide regular reports on network performance, maintain

continuity of services in the event of a disaster and permit the vendor’s

activities to be audited.

Part VI, paragraph 3(e), Guidelines on Management of IT Environment

Yes.


All of these points are covered, taking each in turn:

Confidential

of 65

10004330-2


1. MBSA section 4(a)(i) deals with professional conduct. Microsoft

warrants that its services will be performed with professional care

and skill.

2. MBSA section 3 deals with confidentiality. Under this section

Microsoft commits not to disclose our confidential information

(which includes our data) to third parties and to only use our

confidential information for the purposes of Microsoft’s business

relationship with us. If there is a breach of confidentiality by

Microsoft, we are able to bring a claim for breach of contract

against Microsoft.

3. The customer may monitor the performance of the online services

via the administrative dashboard, which includes real time

information as to Microsoft compliance with its SLA commitments.

4. Business Continuity Management forms part of the scope of the

accreditation that Microsoft remains in relation to the online

services, and Microsoft commits to maintain a data security policy

that complies with these accreditations (see OST page 13).

5. The OST specifies the audit and monitoring mechanisms that

Microsoft puts in place in order to verify that the online services

meet appropriate security and compliance standards. This

commitment is reiterated in the FSA. Clause 1f of the FSA gives

the customer the opportunity to participate in the Microsoft Online

Services Customer Compliance Program, which is a for-fee

program that facilitates the customer’s ability to (a) assess the

services’ controls and effectiveness, (b) access data related to

service operations, (c) maintain insight into operational risks of the

Confidential

of 65

10004330-2


services, (d) be provided with additional notification of changes

that may materially impact Microsoft’s ability to provide the

services, and (e) provide feedback on areas for improvement in

the services.

MALAYSIA INSURANCE GUIDANCE ON COMPLYING...

Documents

Transcript of MALAYSIA INSURANCE GUIDANCE ON COMPLYING...