The journey to the public cloud for financial services has been a slow and cautious one. Many firms (particularly within traditional financial services such as banking, investment management and insurance) have been wary about migrating their IT to the public cloud. This has now changed, with COVID acting as a catalyst for further adoption to enable remote working. In fact, the majority of mid-market financial services firms now rely 100% on services such as Microsoft 365 for their critical communication technology.
This has led to some challenging questions being asked of IT and compliance leaders, such as: what do we do if Microsoft 365 has a major outage? Financial firms are under a regulatory obligation to manage operational risk at all times, so they must have oversight and contingency measures in place.
This article looks to share some of the main questions asked by our Financial Services clients and provide some answers.
How concerned should I be about Microsoft 365 outages?
Based on its track record alone, it is very evident that Microsoft 365 is now a mature, robust and reliable service, providing a very high level of uptime. Contractually, Microsoft 365 offers a Service Level Agreement (SLA) with an uptime of 99.9%. In 2021, the uptime for Microsoft 365 was 99.99%, while in 2020 it was 99.97%. Firms should also take comfort that where there are issues, they very rarely impact the entire Microsoft 365 suite and are usually isolated to specific services (e.g. Exchange Online, SharePoint, OneDrive, Teams etc.), a group of customers or specific geographical regions. However, no system is completely immune to major outages or disruptions, and firms should have a contingency plan in place in the event that failures become more common.
How vulnerable is Microsoft 365 to a cyber-attack?
Like any complex system, Microsoft 365 is not completely immune to cyber-attacks, and it’s possible that successful attacks could occur. However, Microsoft has invested heavily in security measures to help reduce the risk of attacks and protect its customers. To date, the vast majority of security breaches are not the result of a vulnerability in Microsoft’s own security, but of the customer or their outsourced IT provider failing to configure the services correctly and to use all the native security controls, e.g. enforcing two-factor authentication, or only allowing access from secure corporate devices.
What is the regulator’s view on using cloud services such as Microsoft 365?
The Financial Conduct Authority (FCA) has stated that it recognises the benefits of cloud computing, including the potential for cost savings and increased efficiency, but it also emphasises the need for firms to properly assess and manage the risks associated with using cloud services. The FCA expects the following:
- Conducting a thorough risk assessment: Firms should assess the risks associated with using cloud services and ensure appropriate controls are in place to manage those risks.
- Ensuring compliance with relevant regulations: Firms should ensure that their use of cloud services complies with relevant regulations, including data protection laws and the FCA’s rules on outsourcing.
- Confirming the cloud service provider is suitable: Firms should ensure the cloud service provider they choose has the necessary capabilities and resources to meet their needs.
What alternatives are there if our Microsoft 365 services experience an outage?
Various third-party services are available which fall into two categories:
1. Back-up services
These services back up all your data stored in Microsoft 365 (Exchange Online, OneDrive, Teams and SharePoint) to a separate private data centre. These services do not act as an alternative to Microsoft 365. They are designed to protect the data and some configuration. This means, for example, that if SharePoint Online were to become unavailable you could restore your data (e.g. Office documents) to your local device, but you could not continue to use the functionality of SharePoint until it becomes available again. An example of one such service is KeepIT.
2. Contingency services
These services act as an alternative/secondary service which can “kick in” in the event Microsoft 365 experiences an outage. The most widely used example is “Email Continuity” from providers such as Mimecast, which enables businesses to keep their email operational even in the event that Microsoft Exchange Online becomes unavailable. Currently, the market for contingency services is very small and there are a limited number of mature solutions which act as an alternative for other Microsoft 365 services (e.g. SharePoint, Teams etc.), but firms can put in place some basic manual workarounds, which they must do for compliance reasons.
What about using different cloud providers to reduce risk and vendor lock-in? e.g. Microsoft and Amazon
Multi-cloud solutions, when used for contingency purposes, are not widely used and typically only focus on one use case: protecting virtual machines (e.g. line-of-business applications) which are hosted on traditional Infrastructure-as-a-Service (IaaS) platforms. For example, a firm might be hosting a business application on a virtual server in Azure, and this could be replicated to another stand-by virtual server hosted in AWS with relative ease, at additional cost. The challenge with other styles of cloud hosting service, such as PaaS and SaaS, is that they cannot easily be replicated, so the reliance is on the vendor to have a robust approach to continuity in the event of platform failure.
How do I perform my due diligence on Microsoft?
A common question from smaller financial firms is “how do I perform any meaningful due diligence on Microsoft?” The answer is that you have to rely on the information Microsoft publishes, as well as on your Microsoft Partner.
Microsoft publishes all security, privacy and compliance information within the Microsoft Trust Centre.
This is the main source used by financial firms when performing due diligence on the service provided by Microsoft. The aim is to be transparent about the specific policies, operational practices, and technologies that help clients ensure the security, compliance, and privacy of their data across Microsoft services.
Your Microsoft Partner should also have access to an account manager who can help further; however, given the highly commoditised nature of the service, firms generally can’t get specific due diligence questionnaires completed by Microsoft. There is, however, a special Compliance Programme which clients can join, but it is expensive and targeted at very large financial institutions. This works hand in hand with a specific Financial Services Addendum to the Customer Agreement, which provides key special rights (for a fee) such as oversight of audit results, agreement to work with the regulator and special termination provisions.
How do I know where my data is?
Microsoft allows you to set data residency locations based on different regions. This means that your data is only stored in those specified geographical locations. This is critical for regulated firms that need to have control over the jurisdictions in which their data resides. The data can also be replicated to separate physical locations within the same region.
What to do next to mitigate your risk:
Financial Services organisations should have contingency measures in place to prepare for a potential Microsoft 365 outage. These include conducting a risk assessment, having backup and contingency services where available, putting manual workarounds in place, and investigating multi-cloud solutions.
Contact a Lanware Microsoft specialist for Financial Services if you need support with your Microsoft 365 contingency planning.