Cyber Quant Essentials Platform
These terms and conditions (“Product T&Cs”) contain the terms and conditions that govern your access to the Mastercard Cyber Quant Platform (“Platform”) (collectively, the “Service”), and is an agreement between Mastercard Asia/Pacific Pte Ltd (“Mastercard”) and the institution (“Client”) on whose behalf you will access and use these Services, Platform and Deliverables (as defined below). These Product T&Cs are further subject to the Terms and Conditions (including the Platform Terms) set out in the section titled “Additional Terms” in AN4928 (Network Level Services Acquiring for Australia). Capitalized terms used but not defined herein shall have the meanings assigned to such terms in the Terms and Conditions. These Product T&Cs take effect when you click the “submit” button presented with these Product T&Cs or, if earlier, when you use any of the Services, Platform and Deliverables (“Effective Date”). You represent to us that you are lawfully able to enter into these Product T&Cs. If you are entering into these Product T&Cs for an entity, such as the company you work for, you represent to us that you have legal authority to bind that entity. If you do not agree to the Product T&Cs or the Terms and Conditions, please do not access the Service.
1. BACKGROUND AND INTRODUCTION
Client wishes to engage Mastercard’s consulting team and leverage the Platform in order to perform a risk exposure evaluation of Client’s cyber security processes, technology infrastructure and workforce security practices to assist a deeper understanding of the risk exposure of the Client and help Client prioritize improvement of these response measures in accordance with the contextual threat landscape.
2. PROJECT OBJECTIVES
The project objectives are to: (a) Assess maturity of Client’s existing cyber security tools and strategies and prioritize them in order of importance based on the relevant threat landscape; (b) Quantify cyber security risks, taking into account organization-specific factors such as size, revenue, number of employees, operating region, and industry. Calculate potential financial impact of cyber security risks for different business information assets such as personal data, financial data, business secrets, intellectual property and reputation; and (c) Perform simulations to understand the change in financial risk impact when the top cyber security gaps are mitigated, to understand the impact of the potential investments.
3. SCOPE AND DELIVERABLES
Over a period of four to six weeks and subject to Mastercard receiving all relevant information from Client, Mastercard will utilize surveys, automated scripts (where available) and its cyber security subject matter experts to perform maturity assessment of Client’s existing cyber security measures and calculate the risk impact. Based on the project objectives, Mastercard proposes to provide the Services as set out below. The project scope, activities and deliverables consist of three phases: Survey, Assessment, and Scoring.
Phase 1: Kick-Off and Data Collection
Mastercard will carry out the following activities:
- Remote kickoff: 2-3-hour session (“information sharing meetings”) to cover: engagement overview; survey review and explanation; walkthrough of the risk assessment model; walkthrough of deliverable descriptions; and initial interviews on cyber practices.
- Complete survey for the engagement.
- Collect technical data for validation.
Phase 2: Assessment & Analysis
Mastercard will use the Phase 1 results to assess the maturity levels of 50 cyber security measures divided into three areas (infrastructural, preventive, and detective) to carry out the following activities:
- Prioritize security measures in accordance with the Client’s contextual threat landscape.
- Execute simulations to understand Client’s return on cyber investment in terms of reduction of financial risk exposure.
Phase 3: Results & Deliverables
Mastercard will use the Phase 2 assessment results to conduct scoring and reporting in the following areas: Identify overall risk score, financial risk exposure, security measures’ maturity and their importance to overall risk; Identify Client’s prominent threat actors and threat types; and Identify potential financial risk reduction in the case that the top risks are mitigated. As final deliverables, Mastercard will present to Client a Cyber Quant risk assessment report (“Report”).
4. TIMING AND CLIENT RESPONSIBILITIES
Mastercard and Client acknowledge that the time frame for Service delivery is dependent upon Client’s timely sharing of data and availability of relevant Client employees for information sharing meetings. Client shall advise Mastercard of such data and employee availability requirements for the information sharing meetings.
Making available key stakeholders, nominated personnel and documentation for information gathering meetings, interviews and presentation reviews; and
Providing Mastercard with all necessary data, insights and information in a timely manner.
5. TERM
Client shall have access to the Service for such time as the Service remains a Value-Added Service, and Client remains eligible to receive such Value-Added Service, pursuant to AN4928 (Network Level Services Acquiring for Australia). Upon the cessation of any of the foregoing conditions, Client access to the Service shall cease.
6. OTHER TERMS AND CONDITIONS
(a) Mastercard and Client will each use commercially reasonable efforts to achieve the goals and objectives of the program(s) or project(s) to which the Services and/or Deliverables relate to the extent agreed, provided, however, that Client acknowledges that Mastercard does not guarantee the achievement of such goals and objectives and will not be liable if such goals and objectives are not achieved.
(b) Mastercard may provide certain proposed materials and make certain recommendations in connection with the Service. Client is responsible for reviewing and evaluating the appropriateness of these same materials and recommendations, as well as any decisions made or actions taken by Client in response to such proposed materials and recommendations to Client, against Client’s risk-tolerances and/or other criteria.
(c) Mastercard and Client acknowledge and agree that the analyses and data included in the Deliverables shall be subject to all relevant laws and regulations for each applicable country, as well as Mastercard’s contractual obligations and internal confidentiality, privacy, and data analytics guidelines and policies (“Applicable Standards”). In no event will Mastercard be obligated to supply or share any information or data which Mastercard determines, in its sole discretion, would cause Mastercard to be in violation of any such Applicable Standards. Mastercard reserves the right, in its sole discretion, to apply adjustments in order to achieve conformance with such Applicable Standards. The Client agrees that it will not take any adverse decision against individuals based on the metrics which Mastercard provides to the Client. Client shall not use the data, data analytics or insights in the Deliverables in a manner so as to reverse engineer or aid any other party to reverse engineer the data contained in the Deliverables.
(d) Where applicable, Client agrees that provision of any data or information to Mastercard is permitted under (i) all applicable laws and regulations, and privacy policies or other statement or disclosure to which such data is subject, and (ii) the terms of Client’s contracts with its customers, contractors or other third parties. Client, in its role as a data controller, instructs Mastercard, in its role as a data processor, to process the personal data necessary to provide the Services and/or Deliverables, to the extent that any personal data is processed.
(e) Mastercard will not provide counsel to Client regarding the implications of the laws and/or regulations from a legal and/or compliance standpoint. In performing the Services hereunder, Mastercard may summarize and report legal and regulatory developments but shall not provide any legal advice, recommendations, evaluation or analysis about such developments.
(f) Client acknowledges that any material change in Mastercard’s scope of work set forth in these Product T&Cs, whether as a result of revised Client goals or objectives, other Client requests, changes in law, schedule delays or any other events outside Mastercard’s reasonable control, may require fees, and changes to the performance schedule and/or other terms set forth herein, as determined by Mastercard in its reasonable discretion. Mastercard will notify Client of any such revisions and may not undertake work relating to the revised Services until Client has executed a Statement of Work setting forth such terms, including any fees or other costs which may be the responsibility of Client.
(g) Client acknowledges and agrees that:
- (i) Mastercard may utilize third parties for hosting and support of the cyber security analysis tools required to create the Report;
- (ii) Mastercard may process Client-provisioned company information such as answers to the questions related to Client’s cyber security measures, as well as outputs from the technical assessment in order to prepare and furnish aggregated/grouped reports with insights enabling, e.g., client(s) to benchmark their existing cyber security posture in the market. For the avoidance of doubt, no personal data is needed or processed in order to produce such reports, and no client shall ever be identified in any such report;
- (iii) Quality of Reports depends on correctness and fullness of responses, data and other information provided by Client, and Mastercard assumes no liability for incomplete or inaccurate information provided by the Client; and
- (iv) Mastercard may provide certain proposed materials and make certain recommendations in connection with these Product T&Cs. Client acknowledges and agrees that the Deliverables, including the recommendations suggested by Mastercard in connection with these Product T&Cs, do not constitute legal or investment advice and Mastercard does not otherwise warrant that execution of any recommendations or guidelines contained in the Deliverables will result in compliance with applicable laws or will be up to date, complete or accurate at the time of any such execution. Furthermore, any reliance upon any forecasts, revenue projections or indications of financial opportunities provided or identified by Mastercard hereunder, shall be made or undertaken entirely at Client’s own discretion and determination, after Client’s own, thorough review and consideration of all risks involved.
(h) Mastercard and Client acknowledge that the descriptions under the headings “Background and Introduction” and “Project Objectives” above do not form any part of the Services.
(i) The information contained in these Product T&Cs is confidential to Mastercard and its disclosure is subject to the confidentiality provisions as set out in the Terms and Conditions.