Microsoft’s Customers Must Monitor Its Security Shortcomings

• Insurance companies are tightening policy coverage requirements and examining whether organizations are implementing good security hygiene.
• Regulators are starting to hold officers and board members responsible for security incidents and breaches.
• Most organizations depend on Microsoft but may not understand the risk Microsoft’s practices and infrastructure pose to their own security, compliance, and legal obligations.
• Customers must monitor Microsoft’s progress on improving overall security and AI safety to ensure they are managing the risk Microsoft’s proven poor security record is creating.

Organizations may not fully appreciate the risks Microsoft’s security shortcomings and poor security record poses. For example, although insurance policies may not dictate which products an organization uses, insurers are increasingly concerned that software and services are securely designed, deployed, managed, and audited. This includes software and services provided and managed by third parties, including Microsoft. Organizations should understand the potential risks of cloud services and software, and to what extent they may need to prove the security of their infrastructure to insurers, regulators, and auditors.