Back to citizenship

Cybersecurity and data privacy

Protecting our customers' data and maintaining a robust cybersecurity is a top priority for us. We're constantly testing and enhancing our cyber resilience to promote the privacy and security of all our stakeholders' information.

Our actions

01 Training and awareness
Employee training and awareness

Employee training and awareness

  • Our InfoSafe program offers security training and education to all employees. The program includes annual certification on Moody’s IT Use Policy, continuing education on phishing awareness, regular communications about cybersecurity best practices, and participation in annual events like Cybersecurity Awareness Month.

  • Our CybSafe program offers bite-sized cybersecurity training modules for employees.

  • We offer Cybersecurity training for contractors who have partnered with Moody’s for more than 30 days.

  • We conduct quarterly phishing tests, targeted tests for high-risk individuals, expert-led events, and specialized training for software development teams to improve our threat response.
02 Monitoring and assessment
Cybersecurity monitoring and assessment

Cybersecurity monitoring and assessment

  • Our MITRE ATT&CK® detection and cybersecurity control automation are crucial for early threat detection. Additionally, Moody’s Internal Controls function performs an independent assessment of the design and operating effectiveness of Moody’s network of cybersecurity controls in accordance with the NIST Framework. These reviews include vulnerability assessments, penetration testing, red teaming, tabletop exercises and phishing drills.

  • Moody’s works with reputable third parties to conduct annual external assessments of our cybersecurity program and its components. Government agencies and their contracted agents also conduct periodic reviews in certain jurisdictions where we operate. Insurance agents, customers and other market participants routinely assess Moody’s security posture relative to their own standards.

  • We conduct monitoring for potential cybersecurity attacks on an ongoing basis via our Fusion Center, which serves as a central hub for gathering and sharing intelligence to improve collective defense against cyber threats.
     
  • We maintain a committee of senior leaders focused on AI governance which improves risk management and ethical and transparent AI practices across all operations.

 

For more information on how we protect data visit our Trust Center.

03 Data privacy and protection
Maintaining data privacy and protection

Maintaining data privacy and protection

We maintain a Global Privacy Program that undergoes regular enhancements aimed to safeguard stakeholder privacy and maintain compliance with applicable privacy laws.
 

Our Global Privacy Program policies and processes include:
  • Detailed data mapping of our personal data processing operations

  • Data privacy impact assessments and data transfer risk assessments

  • Executing data processing and data transfer agreements internally, with vendors and with customers, where applicable

  • Mandatory global privacy training for all employees annually

 

We implement privacy by design safeguards and continue to enhance our internal training and awareness programs to cover global privacy law changes. All employees must protect confidential and personal information they receive while performing their job responsibilities, and employees are required to complete annual cybersecurity training. For more information on our cybersecurity and data privacy policies, see our Code of Business Conduct and Sustainability related disclosures.

For more information regarding our Global Privacy Program visit our Trust Center.

Our aspirations

2025 and beyond

Our strategic focus is to fortify our infrastructure by incorporating post-quantum technologies, while maintaining an unwavering commitment to vulnerability management. Our aim is to innovate and deploy cutting-edge tools to mitigate risks associated with the complexities introduced by advancements in Generative Artificial Intelligence and Large Language Model contexts. Future plans include enhancing mobile device security and significantly investing in the management of non-human and service accounts.