At Moody’s, we maintain a robust information security program to address cybersecurity threats and protect the privacy and security of our customers’ data. We update our policies, processes, and technology to strengthen our cyber resilience in response to evolving security threats.
We employ a range of security measures tailored to the sensitivity of the data we handle. These measures are designed to protect data from unauthorized access, disclosure, alteration, and destruction. Our security practices are updated to keep pace with evolving threats and to incorporate advancements in data protection technology.
In addition, we have robust organizational measures in place. These include comprehensive data protection policies, staff training, and strict access controls. These measures are designed to help every member of our team understand their responsibilities when it comes to data protection and equip them to uphold these standards.
Confidentiality is at the heart of our data protection efforts. We understand that our customers trust us with their data, and we take this responsibility very seriously. We have access control measures in place designed to restrict access to data to authorized personnel only, and only for legitimate purposes.
Obtaining third party benchmarking of our cyber risk exposure, such as a Bitsight Security Rating, is crucial to managing our security practices, providing us with objective, comparative insights that help enhance our information security program and meet industry standards. The Bitsight Security Rating is calculated independently by BitSight Technologies, Inc., in which Moody’s owns a minority stake.
Our employee training program, known as InfoSafe, requires all employees to receive comprehensive cybersecurity training and annual certification on our IT Use Policy, phishing awareness, and information security best practices. We also conduct regular phishing tests with employees, targeted tests for high-risk individuals, expert-led events, and specialized training for software development teams to enhance our threat response.
Our Information Security Incident Response Plan provides governance and guidance for handling security incidents and is regularly tested to stay current with existing and emerging threats. Our cybersecurity program undergoes regular internal and external reviews, including independent assessments of our controls based on the NIST Framework, covering vulnerability assessments, penetration testing, red teaming, and phishing drills. We also work with reputable third parties for annual external assessments and comply with periodic reviews by government agencies and other market participants. Continuous monitoring for potential cyber attacks is conducted through our Fusion Center.
Note: the below does not apply to Moody’s Ratings.
Many of our customers will be impacted by new regulations on digital operational resilience (including Regulation 2022/2554/EU, ‘DORA’). We recognize that managing information and communication technology risks often means understanding how service providers deliver internet-facing applications or maintain their own IT environments.
To support our customers in their work to comply with digital operational resilience requirements, Moody’s has:
We are strongly committed to compliance with laws and regulations and recognize the interaction with our customers can be an important part of our customers’ own regulatory compliance programs. Accordingly, we monitor the regulatory landscape as DORA and similar regulations develop and update our processes and procedures as necessary to assist our customers in meeting their regulatory obligations. Customers should contact their Moody’s customer service representative if they have any questions.