
Operational due diligence on the Microsoft Cloud

Written by Henry Duncombe

Friday, 22 March, 2024


The journey to the public cloud for financial services was initially a slow and cautious one, with many firms wary of migrating their IT to the public cloud. That has now changed, with COVID acting as a catalyst for further adoption to enable remote working. In fact, the vast majority of mid-market financial services firms now rely entirely on services such as Microsoft 365 for their critical communication and technology infrastructure.

Financial services firms are expected to properly assess and manage the risks associated with using cloud services. The FCA, for example, expects firms to:

  1. Conduct a thorough risk assessment
  2. Ensure compliance with relevant regulations
  3. Confirm the cloud service provider is suitable

So what is the issue?

The challenge is that when using massive “hyper-scale” services like the Microsoft Cloud, trying to exercise any detailed due diligence can be difficult, as it’s a highly commoditised service, and firms generally cannot get specific due diligence questionnaires completed by Microsoft.

As a first step, firms should review all the information which Microsoft publishes as standard. In this article, we provide links to online resources which firms can use to answer typical due diligence questions.

Start at The Trust Center

To perform operational due diligence on Microsoft cloud services, start by reviewing the information published in the Microsoft Trust Center. This is the main source used by financial firms when performing due diligence on Microsoft's services. The Trust Center provides transparency about the specific policies, operational practices and technologies that help ensure the security, compliance and privacy of data across Microsoft services.

https://www.microsoft.com/en-gb/trust-center

Know What Service You’re Using

Next, make sure you know the terms associated with the service you're using: you can't do any meaningful due diligence if you don't know what service you're consuming. Below is a list of the most widely used Microsoft Cloud products and the terms that apply to each.

Start with the general Microsoft Product Terms (Commercial Licensing Terms):

https://www.microsoft.com/licensing/terms

Then drill down into the Microsoft Cloud products your business uses:

Windows Desktop
Windows Desktop Commercial Licensing Terms (microsoft.com)

Microsoft 365
Microsoft 365 Commercial Licensing Terms (microsoft.com)

Microsoft Azure
Microsoft Azure Commercial Licensing Terms (microsoft.com)

Individual Office 365 Services
Office 365 Services Commercial Licensing Terms (microsoft.com)

Server Subscriptions for Azure
Server Subscriptions for Azure Commercial Licensing Terms (microsoft.com)

Enterprise Mobility + Security
Enterprise Mobility + Security Commercial Licensing Terms (microsoft.com)

Further information can be found in the Privacy and Security Terms section of the Product Terms:

https://www.microsoft.com/licensing/terms/product/PrivacyandSecurityTerms/all
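Before matching your estate to the product terms above, it helps to pull an authoritative inventory of what the tenant actually holds rather than relying on what was originally purchased. The following is an added example, not part of the original article or a Microsoft-provided script, that uses the Microsoft Graph PowerShell SDK to list every subscribed SKU and the individual service plans provisioned under it, then saves a dated CSV for the risk assessment file. It assumes the Microsoft.Graph module is installed and that the account running it can consent to the Organization.Read.All scope; the output file name is an arbitrary choice.

```powershell
# Added example (not from the original article): inventory the Microsoft 365 / Azure /
# EMS subscriptions a tenant actually holds, so the right Product Terms can be reviewed.
# Assumes: Install-Module Microsoft.Graph -Scope CurrentUser has been run once, and the
# signed-in account can consent to the read-only Organization.Read.All scope.

Connect-MgGraph -Scopes "Organization.Read.All"

$org = Get-MgOrganization
Write-Host "Tenant: $($org.DisplayName) ($($org.Id))"

# Each SubscribedSku is one purchased product (e.g. a Microsoft 365 E3 SKU).
# Its ServicePlans are the individual services bundled into it (Exchange, Teams, Intune ...),
# which is the level at which the per-service Product Terms apply.
$skus = Get-MgSubscribedSku

$inventory = foreach ($sku in $skus) {
    foreach ($plan in $sku.ServicePlans) {
        [pscustomobject]@{
            SkuPartNumber = $sku.SkuPartNumber          # e.g. SPE_E3, EMS, ENTERPRISEPACK
            Licensed      = $sku.PrepaidUnits.Enabled   # seats purchased
            Assigned      = $sku.ConsumedUnits          # seats actually assigned to users
            ServicePlan   = $plan.ServicePlanName       # e.g. EXCHANGE_S_ENTERPRISE, TEAMS1
            Status        = $plan.ProvisioningStatus    # Success, PendingInput, Disabled ...
        }
    }
}

# Only services that are actually provisioned need due-diligence coverage;
# disabled or pending plans can be noted but need not be assessed yet.
$inventory |
    Where-Object Status -eq 'Success' |
    Sort-Object SkuPartNumber, ServicePlan |
    Format-Table -AutoSize

# Keep a dated copy as evidence that the inventory was taken (file name is an arbitrary choice)
$outFile = ".\m365-service-inventory-$(Get-Date -Format yyyy-MM-dd).csv"
$inventory | Export-Csv -Path $outFile -NoTypeInformation
Write-Host "Inventory written to $outFile"

Disconnect-MgGraph
```

Run this from a workstation with the Graph SDK installed; the SKU part numbers and service plan names in the CSV are what you map against the Microsoft 365, Azure, Office 365 Services and Enterprise Mobility + Security terms linked above. A large gap between Licensed and Assigned is also worth recording, since it shows services the firm pays for but has not yet rolled out.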

Find the Independently Verified Security Standards (e.g. ISO 27001)

Getting access to and evidence of the various certifications and standards which Microsoft holds is often critical. The following site lists the regulations and standards that Microsoft aligns with.

Compliance offerings for Microsoft 365, Azure, and other Microsoft services. | Microsoft Docs

Understand Data Protection

Microsoft's Privacy Statement explains how personal data is collected, used and secured across Microsoft services; the contractual data protection and security commitments sit in the Privacy and Security Terms of the Product Terms linked above.

Microsoft Privacy Statement – Microsoft privacy

The Microsoft Products and Services Data Protection Addendum (DPA) sets out Microsoft's commitments as a data processor, including how it uses subprocessors and Microsoft affiliates. Below is the link to the latest version.

Licensing Documents (microsoft.com)

So what next?

Because the service is so highly commoditised, financial services firms generally cannot get specific due diligence questionnaires completed by Microsoft.

There is a special compliance programme that clients can join, but it is currently expensive and targeted only at very large financial institutions. It works together with a specific financial services addendum to the customer agreement, which provides key additional rights (for a fee) such as oversight of audit results, an agreement to work with the regulator, and special termination provisions. There are plans to bring this to smaller firms via the partner network in future.

Would you like further guidance on achieving operational due diligence?
