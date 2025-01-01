
Information security & cybersecurity programs

At Moody’s, we maintain a robust information security program to address cybersecurity threats and protect the privacy and security of our customers’ data. We update our policies, processes, and technology to strengthen our cyber resilience in response to evolving security threats.

We employ a range of security measures tailored to the sensitivity of the data we handle. These measures are designed to protect data from unauthorized access, disclosure, alteration, and destruction. Our security practices are updated to keep pace with evolving threats and to incorporate advancements in data protection technology.

In addition, we have robust organizational measures in place. These include comprehensive data protection policies, staff training, and strict access controls. These measures are designed to help every member of our team understand their responsibilities when it comes to data protection and equip them to uphold these standards.

Confidentiality is at the heart of our data protection efforts. We understand that our customers trust us with their data, and we take this responsibility very seriously. We have access control measures in place designed to restrict access to data to authorized personnel only, and only for legitimate purposes.

Existing Moody’s Analytics customers can download product-specific information security documentation, such as SOC 2 reports, from the Moody’s Analytics customer portal, Informationweb, or obtain it by contacting their usual Moody’s Analytics representative, who will provide copies for the contracted Moody’s Analytics products and services.

Obtaining third party benchmarking of our cyber risk exposure, such as a Bitsight Security Rating, is crucial to managing our security practices, providing us with objective, comparative insights that help enhance our information security program and meet industry standards. The Bitsight Security Rating is calculated independently by BitSight Technologies, Inc., in which Moody’s owns a minority stake.

Employee training & awareness

Our employee training program, known as InfoSafe, requires all employees to receive comprehensive cybersecurity training and annual certification on our IT Use Policy, phishing awareness, and information security best practices. We also conduct regular phishing tests with employees, targeted tests for high-risk individuals, expert-led events, and specialized training for software development teams to enhance our threat response.

Cybersecurity monitoring & assessment

Our Information Security Incident Response Plan provides governance and guidance for handling security incidents and is regularly tested to stay current with existing and emerging threats. Our cybersecurity program undergoes regular internal and external reviews, including independent assessments of our controls based on the NIST Cybersecurity Framework, covering vulnerability assessments, penetration testing, red teaming, and phishing drills. We also work with reputable third parties for annual external assessments and comply with periodic reviews by government agencies and other market participants. Continuous monitoring for potential cyber attacks is conducted through our Fusion Center.

Supporting our customers with digital operational resilience regulation

Note: the below does not apply to Moody’s Ratings.

Many of our customers will be impacted by regulations on digital and broader operational resilience (including Regulation (EU) 2022/2554 ‘DORA’, APRA CPS 234 and CPS 230). We recognize that managing information and communication technology (ICT) and business continuity risks often means understanding how service providers deliver and maintain their products, especially internet-facing applications.

To support our customers in their work to comply with operational resilience requirements, Moody’s has:

  • Conducted a review of its ICT risk management practices, grouped into categories commonly identified in digital operational resilience regulations.
  • Mapped a number of operational resilience requirements against Moody’s standard contract terms to demonstrate how our contracts are compatible with some of the key provisions.

We are strongly committed to compliance with laws and regulations and recognize the interaction with our customers can be an important part of our customers’ own regulatory compliance programs. Accordingly, we monitor the regulatory landscape as DORA and similar regulations develop and update our processes and procedures as necessary to assist our customers in meeting their regulatory obligations.

Customers should contact their Moody’s customer service representative if they have any questions.
