Cybersecurity and data privacy

Protecting our customers' data and ensuring robust cybersecurity is a top priority for us. We're constantly testing and enhancing our cyber resilience to safeguard the privacy and security of all our stakeholders' information.

Our actions

Employee training and awareness

  • Our InfoSafe program offers security training and education to all employees. The program includes annual certification on Moody’s IT Use Policy, continuing education on phishing awareness, regular communications about cybersecurity best practices, and participation in annual events like Cybersecurity Awareness Month
  • Our CybSafe program offers bite-sized cybersecurity training modules for employees. The training achieved a 95% average completion rate by Moody's employees in 2023
  • We offer cybersecurity training for contractors who have partnered with Moody’s for more than 30 days
  • We conduct quarterly phishing tests, targeted tests for high-risk individuals, expert-led events, and specialized training for software development teams to improve our threat response

Cybersecurity monitoring and assessment

Our Information Security Incident Response Plan provides governance and guidance in responding to information security incidents and is tested regularly for calibration against existing and emerging threats. In 2023, Moody’s updated this plan in response to changes in the SEC's reporting rules for cybersecurity incidents.

  • We increased our MITRE ATT&CK® detection capability and automated the testing of our cybersecurity controls, which is intended to allow early detection of threats before they become severe
  • Additionally, Moody’s Internal Controls function performs an independent assessment of the design and operating effectiveness of Moody’s network of cybersecurity controls in accordance with the NIST Framework. These reviews include vulnerability assessments, penetration testing, red teaming, tabletop exercises and phishing drills
  • Moody’s works with reputable third parties to conduct annual external assessments of our cybersecurity program and its components. Government agencies and their contracted agents also conduct periodic reviews in certain jurisdictions where we operate. Insurance agents, customers and other market participants routinely assess Moody’s security posture relative to their own standards
  • We conduct monitoring for potential cybersecurity attacks on an ongoing basis via our Fusion Center, which serves as a central hub for gathering and sharing intelligence to improve collective defense against cyber threats

For more information on how we protect data, visit our Trust Center.

Maintaining data privacy and protection

We maintain a Global Privacy Program that undergoes regular enhancements to safeguard stakeholder privacy and maintain compliance with applicable privacy laws.

Our Global Privacy Program policies and processes include:

  • Appointment of statutory data protection officers
  • Detailed data mapping of our personal data processing operations
  • Data privacy impact assessments and data transfer risk assessments
  • Executing data processing and data transfer agreements internally and with customers, where applicable
  • Mandatory global privacy training for all employees annually

We implement privacy by design safeguards and continue to enhance our internal training and awareness program to cover global privacy law changes. All employees must protect confidential and personal information they receive while performing their job responsibilities, and employees are expected to complete annual cybersecurity training. For more information on our cybersecurity and data privacy policies, see our Code of Business Conduct and ESG disclosures.

Our aspirations

2024 and beyond

In 2024, our strategic focus is to fortify our infrastructure by incorporating post-quantum technologies, while maintaining an unwavering commitment to vulnerability management. Our aim is to innovate and deploy cutting-edge tools to mitigate risks associated with the complexities introduced by advancements in Generative Artificial Intelligence and Large Language Model contexts.