Third-party risk management
At Munich Re Service GmbH, third-party risk management (TPRM) is integral to the overall risk management framework. TPRM encompasses identification, assessment, remediation, and ongoing monitoring of potential risks our company may be exposed to during its third-party engagements.
The TPRM framework aims to mitigate and manage our company's risk exposure from third-party engagements and guarantee transparency in TPRM relationships.
New vendors and subcontractors are required to complete the information security due diligence process. For any risks identified, necessary controls are designed and implemented before completion of the vendor's onboarding process.
Our contractual agreements clearly define terms, conditions, and responsibilities for third parties and subcontractors, as well as non-disclosure provisions. Contractual agreements that cover standard requirements are in place with all Software-as-a-Service (SaaS) based suppliers. Regular reviews of the suppliers are conducted.
Third-party security
To minimize risks associated with third-party vendors, we perform security reviews on all vendors with any level of access to our systems or service data. To view the list of all our vendors (service providers), follow this link: List of subcontractors for Location Risk Intelligence - Online Services (munichre.com).
Shared responsibility model
We use Microsoft cloud services under the shared responsibility model. According to this model, some areas of responsibility are handled by our company, and others by the cloud provider.
The following responsibilities are retained by us:
- Information and data
- Devices (mobile and PCs)
- Accounts and identities
In addition, we share responsibility with the cloud provider for:
- Identity and directory infrastructure
At the same time, Microsoft is responsible for:
- Application level controls
- Network controls
- Host infrastructure
- Physical datacenter
For detailed information, refer to Shared Responsibilities for Cloud Computing, Business continuity management program in Azure, and Shared responsibility in the cloud - Azure.
Our SaaS services are hosted in the Azure West Europe region (the Netherlands). Backups are stored in the Azure North Europe region (Ireland). Microsoft O365 email servers are located in Germany. For more information, see Where your Microsoft 365 customer data is stored and Data locations for the European Union.