Due Diligence and Ongoing Monitoring

Good morning.  Question for other financial institutions.  For your due diligence and ongoing monitoring reviews, what are you asking larger companies like Microsoft that run your systems but are potentially processing PII?  Where do you create the line between service providers like Microsoft and your other SaaS service providers, if you do?  

For critical vendors, we have quarterly meetings with the vendor's service/product/account management team to basically inquire of anything that may affect our account, PII, service level agreements, etc.  In these meetings, for instance, we ask about any control failures in their current SSAE 16 testing in progress, changes in APIs or upgrades, security protocol changes, how they were affected, if any, on malware that is currently circulating, etc.  In our case, we would not be meeting with the Microsoft product team but with their cloud services team.

A prior response stating, effectively, that they would be meeting with Microsoft's cloud provider....is textbook perfect. 

Caveat: Your company either: a) has to be really big to get that meeting or b) there's a statutory requirement for MSFT to do so. Otherwise that meeting isn't happening.