HKMAS ガイダンス

Introduction

The Hong Kong Monetary Authority (HKMA) is the central banking institution in Hong Kong. It is responsible for supervising authorised institutions (AIs) with the aim of promoting stability and integrity of the financial system.

HKMA Outsourcing SA-2 outlines the HKMA's supervisory approach to outsourcing and the recommendation for AIs to address when outsourcing to third parties. Outsourcing SA-2 provides specific guidance on outsourcing agreements, customer data confidentiality, contingency planning, access to outsourced data, and concerns in relation to overseas outsourcing.

As per the requirements of HKMA's SA-2, AIs utilising Cloud service providers are expected to conduct due diligence, assess and address potential risks, and establish appropriate outsourcing agreements after conducting a comprehensive analysis.

Although your agreement with Atlassian governs the terms of the engagement, we have provided guidance on how we assist AIs in complying with HKMA's requirements. If you would like to understand how these guidelines apply to your specific agreement, please contact our Enterprise Sales Team at https://www.atlassian.com/enterprise/contact?formType=product-features.

SA-2 Outsourcing Guidelines

Major Supervisory Concerns

Accountability

2.1.1

In any outsourcing arrangement, the Board of Directors and management of AIs should retain ultimate accountability for the outsourced activity. Outsourcing can only allow them to transfer their day-to-day managerial responsibility, but not accountability, for an activity or a function to a service provider. AIs should therefore continue to retain ultimate control of the outsourced activity.

Atlassian's dedicated Shared Responsibilities whitepaper, available at https://www.atlassian.com/whitepapers/Cloud-security-shared-responsibilities, discusses the shared responsibilities that both a Cloud service provider, like Atlassian, and its customers need to keep in mind when ensuring compliance with HKMA.
 
This shared responsibility model does not remove the accountability and risk from customers using Atlassian Cloud products, but it does help relieve our customer’s burdens in a number of ways, including by: managing and controlling system components and physical control of facilities; and shifting a portion of the cost of security and compliance onto Atlassian and away from our customers.

Risk Assessment

2.2.1

The Board of Directors and management of AIs should ensure that the proposed outsourcing arrangement has been subject to a comprehensive risk assessment (in respect of operational, legal and reputation risk) and that all the risks identified have been adequately addressed before launch. Specifically, the risk assessment should cover inter alia the following:

Atlassian provides several resources to assist its customers in conducting the necessary due diligence they require. For more information on Atlassian's security and operational practices, visit Atlassian's Trust Center at https://www.atlassian.com/trust, where you will find details on our security practices, compliance programs, and audit reports/security questionnaires.
 
 In addition, Atlassian makes available the following information:

• Corporate Governance and Financial information at https://investors.atlassian.com/;

• Managerial/Executive team information at https://www.atlassian.com/company/news/press-kit;

• Performance record at https://status.atlassian.com/; and

• Customer information at https://www.atlassian.com/customers.

 
Atlassian also offers customers the right to carry out penetration testing at any time without Atlassian’s prior approval: atlassian.com/trust/security/security-testing.

2.2.1.1

The importance and criticality of the services to be outsourced;

This is a customer consideration. Please also see row 9 (2.2.1), above.

2.2.1.2

Reasons for the outsourcing (e.g. cost and benefit analysis); and

This is a customer consideration. Please also see row 9 (2.2.1), above.

2.2.1.3

The impact on AIs' risk profile (in respect of operational, legal and reputation risks) of the outsourcing.

This is a customer consideration. Please also see row 9 (2.2.1), above.

2.2.2

After AIs implement an outsourcing plan, they should regularly re-perform this assessment.

This is a customer consideration. Please also see row 9 (2.2.1), above.

Ability of Service Providers

2.3.1

Before selecting a service provider AIs should perform appropriate due diligence. In assessing a provider, apart from the cost factor and quality of services AIs should take into account the provider's financial soundness, reputation, managerial skills, technical capabilities, operational capability and capacity, compatibility with the AIs corporate culture and future development strategies, familiarity with the banking industry and capacity to keep pace with innovation in the market.

This is a customer consideration. Please also see row 9 (2.2.1), above.

2.3.2

AIs should have controls in place (e.g. comparison with target service level) to monitor the performance of service providers on a continuous basis.

We publish service availability updates at https://status.atlassian.com, and are committed to notifying customers of events that have a material impact on the availability of the Covered Cloud Products.

Outsourcing Agreement

2.4.1

The type and level of services to be provided and the contractual liabilities and obligations of the service provider should be clearly set out in a service agreement between AIs and their service provider.

All engagements with customers are governed by a formal contract. See the standard customer terms.
 
Contractual commitments around security are included in Atlassian Customer Agreement, which states that Atlassian will implement and maintain physical, technical and administrative security measures designed to protect the AI’s customer data from unauthorized access, destruction, use, modification, or disclosure. We also maintain a compliance program that includes independent third-party audits and certifications. Our Trust Center (https://www.atlassian.com/trust), as updated from time to time, provides further details on our security measures and certifications.
 
During the Subscription Term for which you have purchased an applicable Covered Cloud Product, we will use commercially reasonable efforts to provide a Monthly Uptime Percentage to you as defined below (“Service Level Commitment”):
 

• Premium Cloud Products - 99.9% Monthly uptime percentage; and

• Enterprise Cloud Products - 99.95% Monthly uptime percentage.

 
The corresponding service level terms, as well as the remedies for not meeting service levels, for the Covered Cloud Products are provided for in our Service Level Agreement (https://www.atlassian.com/legal/sla) and the corresponding Product Specific Terms (https://www.atlassian.com/legal/product-specific-terms#trello-specific-terms).

2.4.2

AIs should regularly (e.g. annually) review their outsourcing agreements. They should assess whether the agreements should be renegotiated and renewed to bring them in line with current market standards and to cope with changes in their business strategies.

This is a customer consideration.

2.4.3

Where the service provider is a wholly-owned subsidiary of an AI or the head office or another branch of a foreign AI, a memorandum of understanding may be acceptable.

This is not applicable to Atlassian.

Customer Data Confidentiality

2.5.1

AIs should ensure that the proposed outsourcing arrangement complies with relevant statutory requirements (e.g. the Personal Data (Privacy) Ordinance - PDPO) and common law customer confidentiality. This will generally involve seeking legal advice.

The default governing law of Atlassian’s subscription agreements is California law. Please contact our Enterprise Sales Team (https://www.atlassian.com/enterprise/contact) for more details.
 
Atlassian remains responsible for its overall performance under the Atlassian subscription agreement, including for any functions that are sub-outsourced. In addition, with respect to critical or important sub-outsourcings, Atlassian commits to ensuring that it has appropriate contracts with such sub-outsourcers, which grants Atlassian audit rights as necessary, and requires such sub-outsourcers to comply with all applicable laws.
 
In addition, we offer a Data Processing Addendum that provides detailed commitments regarding the processing and security of customer personal data. Details of this addendum is available at https://www.atlassian.com/legal/data-processing-addendum.

2.5.2

AIs should have controls in place to ensure that the requirements of customer data confidentiality are observed and proper safeguards are established to protect the integrity and confidentiality of customer information. Typical safeguards include, among other things:

Atlassian maintains a robust information security program commensurate with the size and extent of the threats we face. We have made available several resources that provide details regarding the design, implementation, and operation of Atlassian's information security capability.
 
Ultimately, it is up to AIs to use this information to make an assessment of whether Atlassian's product(s) meet their requirements:

• Compliance Resource Center (https://www.atlassian.com/trust/compliance/resources) – a resource that provides detailed information about our security, third-party audits, and certifications, all available to support our customers' compliance needs;

• Atlassian Trust Center (https://www.atlassian.com/trust) – for information about how Atlassian connects you to the latest information on the security, reliability, privacy, and compliance of our products and services; and

• Security Practices page (https://www.atlassian.com/trust/security/security-practices#security-philosophy) – an effective approach to security starts with getting our own house in order. This resource provides details about how we do this by:

• building security into our network architecture;

• securing access to our networks through ZeroTrust which simply stated means "never trust, always verify";

• securing access to our systems and services;

• securing endpoint devices; and

• building secure design and testing processes.

 
Atlassian regularly undergoes independent examination of our security, privacy and compliance controls. During the term of our contract with you, we will comply with at least the standards listed on our Trust Center, which includes ISO/IEC 27001 and ISO/IEC 27018 certifications, and SOC 2 Type II and SOC 3 audit reports. In addition, we commit to complying with the security practices on our Trust Center, and to not materially decrease the overall security of our Covered Cloud Products during your subscription term.
 
Atlassian products and its customer’s data are hosted with the industry-leading Cloud hosting provider Amazon Web Services (AWS) and run on a platform as a service (PaaS) environment. Data drives on servers holding customer data and attachments in Jira Software Cloud, Jira Service Management Cloud, Jira Work Management, Bitbucket Cloud, Confluence Cloud, Statuspage, Opsgenie, and Trello use full disk, industry-standard AES256 encryption at rest. Data in Atlassian Cloud products are encrypted in transit over public networks using TLS 1.2+ with Perfect Forward Secrecy (PFS) to protect it from unauthorized disclosure or modification.
 
An in-depth description of how we’ve built this can be found on our Atlassian Cloud architecture and the operational practices page at https://www.atlassian.com/trust/reliability/Cloud-architecture-and-operational-practices#data-location. Additionally, as noted in our Atlassian Cloud Security Shared Responsibilities white paper, available at https://www.atlassian.com/whitepapers/Cloud-security-shared-responsibilities, customers may review our Cloud Security Alliance (CSA) STAR questionnaire, which includes answers to more than 300 questions included in the Consensus Assessments Initiative Questionnaire (CAIQ).

2.5.2.1

Undertakings by the service provider that the company and its staff will abide by confidentiality rules, including taking account of the data protection principles set our in PDPO;

See row 22 (2.5.1), above.

2.5.2.2

AIs' contractual rights to take action against service provider in the event of a breach of confidentiality;

See row 22 (2.5.1), above.

2.5.2.3

Segregation or compartmentalisation of AIs' customer data from those of the service provider and its other clients; and

Atlassian is a multi-tenant SaaS application. Multi-tenancy is a key feature of Atlassian Cloud that enables multiple customers to share one instance of the Jira or Confluence application layer, while isolating each customer tenant’s application data. Atlassian Cloud accomplishes this through the Tenant Context Service (TCS). Every user ID is associated with exactly one tenant, which is then used to access the Atlassian Cloud applications. For more information, see : https://www.atlassian.com/trust/security/security-practices#tenant-isolation
 
 We maintain logical and physical separation of production and non-production (development) environments and methods are used to isolate these environments. Our staging environment is logically separated (but not physically separated) but is managed under production-grade change control and access processes.

2.5.2.4

Access rights to AIs' data delegated to authorized employees of the service provider on a need basis.

Atlassian has an established workflow linking our HR management system and our access provisioning system. We use role based access control based on pre-defined user profiles. All user accounts must be approved by management prior to their access to data, applications, infrastructure or network components.
 
Our global support team maintains an account on all hosted systems and applications for the purposes of maintenance and support. This support team accesses hosted applications and data only for purposes of application health monitoring and performing system or application maintenance, and upon customer request via our support system.

2.5.3

AIs should notify their customers in general terms of the possibility that their data may be outsourced. They should also give specific notice to customers of significant outsourcing initiatives, particularly where the outsourcing is to an overseas jurisdiction.

This is a customer consideration.

2.5.4

In the event of a termination of outsourcing agreement, for whatever reason, AIs should ensure that all customer data is either retrieved from the service provider or destroyed.

We provide customers with a broad right to terminate for convenience, which would allow them to terminate in any circumstances.
 
If required, when terminating your agreement with Atlassian, AIs can extend their subscription term for a short period to enable its transition to another service provider.
 
At any time during a customer’s subscription, customers may access, import, and export their Customer Data using Atlassian’s tools. For more information on Atlassian Cloud data export, see our import and export documentation (https://support.atlassian.com/jira-Cloud-administration/docs/export-issues/).
 
Details of the data deletion process on contract termination can be found at https://community.atlassian.com/t5/Trust-Security-discussions/Contract-Termination-amp-Data-Deletion/td-p/1316109.

Control Over Outsourced Activities

2.6.1

In any outsourcing arrangement, AIs should ensure they have effective procedures for monitoring the performance of, and managing the relationship with, the service provider and the risks associated with the outsourced activity.

See row 16 (2.3.2) and rows 23 (2.5.2), above.

2.6.2

Such monitoring should cover, inter alia:

2.6.2.1

Contract performance;

See row 16 (2.3.2), above.

2.6.2.2

Material problems encountered by the service provider;

We have a documented Security Incident Response Policy and Plan, the key principles of which include:

• Anticipate security incidents and prepare for incident response

• Contain, eradicate and recover from incidents

• Invest in our people, processes and technologies to ensure we have the capability to detect and analyze an security incident when it occurs

• Make protection of Personal data and customer data the top priority during security incidents

• Regularly exercise the security incident response process

• Learn from and improve the security incident management function

• Communicate critical security incidents to the Atlassian Leadership Group

 
Atlassian understands how important it is for you to be notified promptly of any data breach. That is why Atlassian has built out an extensive cross-functional team and process to handle security incidents as described at: https://www.atlassian.com/trust/security/security-incident-management.
 
 Please also see row 16 (2.3.2), above.

2.6.2.3

Regular review of the service provider's financial condition and risk profile; and

See row 15 (2.3.1), above.

2.6.2.4

The service provider's contingency plan, the results of testing thereof and the scope for improving it.

See rows 41 (2.7.1), below.

2.6.3

Responsibility for monitoring the service provider and the outsourced activity should be assigned to staff with appropriate expertise.

This is a customer consideration.

2.6.4

AIs should establish reporting procedures which can promptly escalate problems relating to the outsourced activity to the attention of the management of the AI and their service providers.

This is a customer consideration. Please also see row 34 (2.6.2.2), above.

2.6.5

The control procedures over the outsourcing arrangement should be subject to regular reviews by the Internal Audit.

This is a customer consideration. Please also see row 46 (2.8.2), below.

Contingency Planning

2.7.1

Contingency plans should be maintained and regularly tested by AIs and their service providers to ensure business continuity, e.g. in the event of a breakdown in the systems of the service provider or telecommunication problems with the host country.

We maintain business continuity plans and disaster recovery plans, as described on our Trust Center at https://www.atlassian.com/trust/security/security-practices#business-continuity-and-disaster-recovery-management. These plans are reviewed and tested at least annually.

2.7.2

Contingency arrangements in respect of daily operational and systems problems would normally be covered in the service provider's own contingency plan. AIs should ensure that they have an adequate understanding of their service provider's contingency plan and consider the implications for their own contingency planning in the event that an outsourced service is interrupted due to failure of the service provider's system.

See row 41 (2.7.1), above.

2.7.3

In establishing a viable contingency plan, AIs should consider, among other things, the availability of alternative service providers or the possibility of bringing the outsourced activity back in-house in an emergency, and the costs, time, and resources that would be involved.

This is a customer consideration. Please also see row 29 (2.5.4), above.

Access to Outsourced Data

2.8.1

AIs should ensure that appropriate up-to-date records are maintained in their premises and kept available for inspection by the HKMA in accordance with §§55 and 56 of the Banking Ordinance and that data retrieved from the service providers are accurate and available in Hong Kong on a timely basis.

This is a customer consideration. Please also see row 29 (2.5.4), above.

2.8.2

Access to data by the HKMA's examiners and the AI's internal and external auditors should not be impeded by the outsourcing. AIs should ensure that the outsourcing agreement with the service provider contains a clause which allows for supervisory inspection or review of the operations and controls of the service provider as they relate to the outsourced activity.

Atlassian grants certain audit, access and information rights to such regulated entities and their supervisory authorities in compliance with applicable laws. Our audit program is designed to allow qualifying customers and their supervisory authorities to audit the Covered Cloud Products effectively.
 
Atlassian regularly undergoes independent examination of our security, privacy and compliance controls. During the term of our contract with you, we will comply with at least the standards listed on our Trust Center, which includes ISO/IEC 27001 and ISO/IEC 27018 certifications, and SOC 2 Type II and SOC 3 audit reports: https://www.atlassian.com/trust/compliance.

Additional Concerns in Relation to Overseas Outsourcing

2.9.1

In addition to the issues mentioned from subsection 2.1 to 2.8 above, there are further concerns that need to be addressed in relation to overseas outsourcing:

2.9.1.1

Implications of the overseas outsourcing for AIs' risk profile - AIs should understand the risks arising from overseas outsourcing, taking into account relevant aspects of an overseas country (e.g. legal system, regulatory regime, sophistication of technology, infrastructure);

Certain Covered Cloud Products include in-product data residency functionality, as further described at https://support.atlassian.com/security-and-access-policies/docs/understand-data-residency/, which allows our customers’ administrators to pin in-scope product data to a location of their choice. Our Cloud hosting infrastructure is described at https://www.atlassian.com/trust/reliability/Cloud-architecture-and-operational-practices#atlassian-Cloud-hosting-architecture.
 
We contractually commit to (a) not materially degrading product functionality during the applicable subscription term, and (b) notifying customers of any changes to our subprocessors.
 
 See row 22 (2.5.1), above.

2.9.1.2

Right of access to customers' data by overseas authorities such as the police and tax authorities - AIs should generally obtain a legal opinion from an international or other reputable legal firm in the relevant jurisdiction on this matter. This will enable them to be informed of the extend and the authorities to which they are legally bound to provide information. Right of access by such parties may be unavoidable due to compulsion of law. AIs should therefore conduct a risk assessment to evaluate the extent and possibility of such access taking place. AIs should notify the HKMA if overseas authorities seek access to their customers' data. If such access seems unwarranted the HKMA reserves the right to require the AI to take steps to make alternative arrangements for the outsourced activity;

Atlassian only provides customer data to third parties in accordance with our Guideline for Law Enforcement Requests. Details of these guidelines can be found at https://www.atlassian.com/trust/privacy/guidelines-for-law-enforcement.
 
 Atlassian also publishes Transparency Reports on the government requests received for customer data at https://www.atlassian.com/trust/privacy/transparency-report/

2.9.1.3

Notification to customers - AIs should generally notify their customers of the country in which the service provider is located (and of any subsequent changes) and the right of access, if any, available to the overseas authorities;

See row 49 (2.9.1.1), and 50 (2.9.1.2), above.

2.9.1.4

Right of access to customers' data for examination by the HKMA after outsourcing - AIs should not outsource to a jurisdiction which is inadequately regulated or which has secrecy laws that may hamper access to data by the HKMA or AIs' external auditors. They should ensure that the HKMA has right of access to data. Such right o f access should be confirmed in writing by both AIs and their home or host authorities, as the case may be;

See row 46 (2.8.2), above.

2.9.1.5

§33 of the PDPO in respect of transfer of personal data outside Hong Kong - although §33 has not yet come into operation, AIs are advised to take account of the provisions therein and the potential impact on their plans in respect of overseas outsourcing; and

See row 23 (2.5.2), above.

2.9.1.6

Governing law of the outsourcing agreement - the agreement should preferable be governed by Hong Kong law.

See row 22 (2.5.1), above.

2.9.2

In case of a locally incorporated AI, a principal concern is the ability of the HKMA to exercise its legal powers under the Banking Ordinance effectively if there is limited cooperation by the service provider. Accordingly, where a local AI is planning to outsource, for example, a major part of its data processing function to outside Hong Kong, the HKMA will expect the AI to have a robust back-up system and contingency plan in acceptable jurisdiction. The back-up system should be properly documented and regularly tested (see also subsection 2.7 above). It may be appropriate for an independent opinion on its effectiveness to be sought.

See row 46 (2.8.2), above.