Moody's Risk Services Corporation Now Offers Vendor Information Risk Ratings

Clare Dever, CIPP, Executive Director of Compliance & Strategic Consulting Services, recently interviewed Edward Leppert, Director of Moody's Risk Services, to learn more about Moody's new Vendor Information Risk (VIR) Ratings.

Clare Dever: Ed, I understand that, in response to the periodic data breaches that have occurred, a number of key financial, investment and insurance companies have been working with Moody's to develop a more streamlined approach to assessing the potential information risk that may be associated with service providers, rather than each organization completing its own due diligence. Could you share more information with the IAPP and its members?

Ed Leppert: Yes, you are correct. A number of major financial services firms contacted Moody's earlier this year to discuss this concept given our independence and strong reputation for helping financial organizations evaluate risk. We subsequently formed an advisory council to ensure the service would meet the needs of a number of leading international financial and insurance institutions and others who helped us determine the areas to evaluate. The primary areas of evaluation include:

  • Information Security Policy
  • Organization
  • Information Classification
  • Physical Security
  • Communications and Operations Management
  • Access Control
  • Application Security
  • Incident Management
  • Business Continuity
  • Data Security
  • Privacy

For each, we assign a risk/quality rating, along with key findings which will help alleviate (or, at least, minimize) the amount of due diligence that each of the companies currently conducts individually and permit the companies to leverage the VIR Rating assigned by Moody's.

Clare Dever: This certainly appears to be an efficient and cost-effective manner to assess the risk of key service providers. Is it Moody's intention to test-market this first with a particular industry segment, such as financial services?

Ed Leppert: Yes, Moody's would like to determine the success of this new service within the financial services (FSI) and insurance sectors prior to pursuing other industries, though I should point out that firms we have spoken with in other industries see value in the service, as managing risks of service providers is universal really for any firm that uses vendors to support their technology and business processes. In terms of process, the rating report will be distributed to the service provider rated and then to FSI subscribers to the service, with distribution being at the rated firm's discretion.

Clare Dever: There are so many questionnaires, surveys and certification programs that vendors are currently struggling with — is there any incentive for the service provider to proceed with a VIR Rating by Moody's?

Ed Leppert: Within the areas we evaluate, we have identified approximately 80 areas of analysis. Of course, not all will be applicable to a service provider and which ones we look at depends on the services that the service provider offers to the market. The questionnaire we have developed is an information-gathering tool for us, which we combine with vendor discussion sessions and an onsite visit. If a firm has completed other surveys or questionnaires, we can accept that in lieu of ours, so long as it covers a reasonable number of the areas we need to analyze. Then, we can cover the gaps through our discussion and onsite sessions. For instance, an International Organization for Standardization assessment, the Financial Institution Shared Assessments Program (FISAP) made utilizing the Agreed Upon Procedures (AUP) and the Standardized Information Gathering (SIG) questionnaire, and the Payment Card Industry (PCI) Report on Compliance (ROC) cover most of the areas we evaluate.

In terms of incentives to get rated, we like to use the phrase "rate once, use many," meaning that our rating report can be leveraged by the service providers to respond to their FSI client's (or prospect's) due diligence requests. It is also a good way for service providers to identify if there are any significant risks they need to address before they are in front of their prospects or clients. And lastly, it is an opportunity for service providers to show proactive management of risk and differentiate themselves from their competition.

Clare Dever: Ed, I understand you are currently conducting some initial evaluations of service vendors under this new program and that you plan to escalate the number of service providers being evaluated in early 2008. Can you tell us about the nature of the rating classifications that Moody's will be using?

Ed Leppert: Each of the primary evaluation areas we discussed earlier will be rated according to the following rating definitions and then a single overall rating for the service provider will be assigned. These include:

VIR1: Excellent -- The service provider has superior, well-established and thorough security and privacy practices throughout its organization.

VIR2: Strong -- The service provider has well-established security and privacy controls in most of the evaluation areas, but may require supplementary oversight or mitigation in some specific areas.

VIR3: Good -- The service provider is judged to have generally good security and privacy practices in several areas; however, some remediation or oversight may be warranted, depending on the scope of the proposed work to be performed by the service provider.

VIR4: Needs Improvement -- The service provider is judged to have some key areas requiring improvement to meet financial industry security and privacy standards.

VIR5: Poor -- Service provider is judged to have poor quality in most areas of the review.

Clare Dever: Ed, if companies are interested in learning more about this new service offered by Moody's, how might they obtain that information?

Ed Leppert: Service providers or FSI firms can send us an email to get more information about getting a rating, or call me or Bryan Johnson. Contact information is as follows:

General Email:

Bryan Johnson: (212.553.3654)

Ed Leppert: (212.553.7992)

