Moody's Risk Services Corporation Now Offers Vendor Information Risk Ratings

Clare Dever, CIPP, Executive Director of Compliance & Strategic Consulting Services, recently interviewed Edward Leppert, Director of Moody's Risk Services, to learn more about Moody's new Vendor Information Risk (VIR) Ratings.

Clare Dever: Ed, I understand that, in response to the periodic data breaches that have occurred, a number of key financial, investment and insurance companies have been working with Moody's to develop a more streamlined approach to assessing the potential information risk that may be associated with service providers, rather than each organization completing its own due diligence. Could you share more information with the IAPP and its members?

Ed Leppert: Yes, you are correct. A number of major financial services firms contacted Moody's earlier this year to discuss this concept given our independence and strong reputation for helping financial organizations evaluate risk. We subsequently formed an advisory council to ensure the service would meet the needs of a number of leading international financial and insurance institutions and others who helped us determine the areas to evaluate. The primary areas of evaluation include:

  • Information Security Policy
  • Organization
  • Information Classification
  • Physical Security
  • Communications and Operations Management
  • Access Control
  • Application Security
  • Incident Management
  • Business Continuity
  • Data Security
  • Privacy

For each, we assign a risk/quality rating, along with key findings which will help alleviate (or, at least, minimize) the amount of due diligence that each of the companies currently conducts individually and permit the companies to leverage the VIR Rating assigned by Moody's.

Clare Dever: This certainly appears to be an efficient and cost-effective manner to assess the risk of key service providers. Is it Moody's intention to test-market this first with a particular industry segment, such as financial services?

Ed Leppert: Yes, Moody's would like to determine the success of this new service within the financial services (FSI) and insurance sectors prior to pursuing other industries, though I should point out that firms we have spoken with in other industries see value in the service, as managing risks of service providers is universal really for any firm that uses vendors to support their technology and business processes. In terms of process, the rating report will be distributed to the service provider rated and then to FSI subscribers to the service, with distribution being at the rated firm's discretion.

Clare Dever: There are so many questionnaires, surveys and certification programs that vendors are currently struggling with — is there any incentive for the service provider to proceed with a VIR Rating by Moody's?

Ed Leppert: Within the areas we evaluate, we have identified approximately 80 areas of analysis. Of course, not all will be applicable to a service provider and which ones we look at depends on the services that the service provider offers to the market. The questionnaire we have developed is an information-gathering tool for us, which we combine with vendor discussion sessions and an onsite visit. If a firm has completed other surveys or questionnaires, we can accept that in lieu of ours, so long as it covers a reasonable number of the areas we need to analyze. Then, we can cover the gaps through our discussion and onsite sessions. For instance, an International Organization for Standardization assessment, the Financial Institution Shared Assessments Program (FISAP) made utilizing the Agreed Upon Procedures (AUP) and the Standardized Information Gathering (SIG) questionnaire, and the Payment Card Industry (PCI) Report on Compliance (ROC) cover most of the areas we evaluate.

In terms of incentives to get rated, we like to use the phrase "rate once, use many," meaning that our rating report can be leveraged by the service providers to respond to their FSI clients' (or prospects') due diligence requests. It is also a good way for service providers to identify if there are any significant risks they need to address before they are in front of their prospects or clients. And lastly, it is an opportunity for service providers to show proactive management of risk and differentiate themselves from their competition.

Clare Dever: Ed, I understand you are currently conducting some initial evaluations of service vendors under this new program and that you plan to escalate the number of service providers being evaluated in early 2008. Can you tell us about the nature of the rating classifications that Moody's will be using?

Ed Leppert: Each of the primary evaluation areas we discussed earlier will be rated according to the following rating definitions and then a single overall rating for the service provider will be assigned. These include:

VIR1: Excellent -- The service provider has superior, well-established and thorough security and privacy practices throughout its organization.

VIR2: Strong -- The service provider has well-established security and privacy controls in most of the evaluation areas, but may require supplementary oversight or mitigation in some specific areas.

VIR3: Good -- The service provider is judged to have generally good security and privacy practices in several areas; however, some remediation or oversight may be warranted, depending on the scope of the proposed work to be performed by the service provider.

VIR4: Needs Improvement -- The service provider is judged to have some key areas requiring improvement to meet financial industry security and privacy standards.

VIR5: Poor -- The service provider is judged to have poor quality in most areas of the review.

Clare Dever: Ed, if companies are interested in learning more about this new service offered by Moody's, how might they obtain that information?

Ed Leppert: Service providers or FSI firms can send us an email to get more information about getting a rating, or call me or Bryan Johnson. Contact information is as follows:

General Email: VendorRatings@moodys.com

Bryan Johnson: Bryan.Johnson@moodys.com (212.553.3654)

Ed Leppert: Edward.Leppert@moodys.com (212.553.7992)
