Moody's Risk Services Corporation Now Offers Vendor Information Risk Ratings

Clare Dever, CIPP, Executive Director of Compliance & Strategic Consulting Services, recently interviewed Edward Leppert, Director of Moody's Risk Services, to learn more about Moody's new Vendor Information Risk (VIR) Ratings.

Clare Dever: Ed, I understand that, in response to the periodic data breaches that have occurred, a number of key financial, investment and insurance companies have been working with Moody's to develop a more streamlined approach to assessing the potential information risk that may be associated with service providers, rather than each organization completing its own due diligence. Could you share more information with the IAPP and its members?

Ed Leppert: Yes, you are correct. A number of major financial services firms contacted Moody's earlier this year to discuss this concept given our independence and strong reputation for helping financial organizations evaluate risk. We subsequently formed an advisory council to ensure the service would meet the needs of a number of leading international financial and insurance institutions and others who helped us determine the areas to evaluate. The primary areas of evaluation include:

  • Information Security Policy
  • Organization
  • Information Classification
  • Physical Security
  • Communications and Operations Management
  • Access Control
  • Application Security
  • Incident Management
  • Business Continuity
  • Data Security
  • Privacy

For each, we assign a risk/quality rating, along with key findings which will help alleviate (or, at least, minimize) the amount of due diligence that each of the companies currently conducts individually and permit the companies to leverage the VIR Rating assigned by Moody's.

Clare Dever: This certainly appears to be an efficient and cost-effective manner to assess the risk of key service providers. Is it Moody's intention to test-market this first with a particular industry segment, such as financial services?

Ed Leppert: Yes, Moody's would like to determine the success of this new service within the financial services (FSI) and insurance sectors prior to pursuing other industries, though I should point out that firms we have spoken with in other industries see value in the service, as managing risks of service providers is universal really for any firm that uses vendors to support their technology and business processes. In terms of process, the rating report will be distributed to the service provider rated and then to FSI subscribers to the service, with distribution being at the rated firm's discretion.

Clare Dever: There are so many questionnaires, surveys and certification programs that vendors are currently struggling with — is there any incentive for the service provider to proceed with a VIR Rating by Moody's?

Ed Leppert: Within the areas we evaluate, we have identified approximately 80 areas of analysis. Of course, not all will be applicable to a service provider and which ones we look at depends on the services that the service provider offers to the market. The questionnaire we have developed is an information-gathering tool for us, which we combine with vendor discussion sessions and an onsite visit. If a firm has completed other surveys or questionnaires, we can accept that in lieu of ours, so long as it covers a reasonable number of the areas we need to analyze. Then, we can cover the gaps through our discussion and onsite sessions. For instance, an International Organization for Standardization assessment, the Financial Institution Shared Assessments Program (FISAP) made utilizing the Agreed Upon Procedures (AUP) and the Standardized Information Gathering (SIG) questionnaire, and the Payment Card Industry (PCI) Report on Compliance (ROC) cover most of the areas we evaluate.
In terms of incentives to get rated, we like to use the phrase "rate once, use many," meaning that our rating report can be leveraged by the service providers to respond to their FSI client's (or prospect's) due diligence requests. It is also a good way for service providers to identify if there are any significant risks they need to address before they are in front of their prospects or clients. And lastly, it is an opportunity for service providers to show proactive management of risk and differentiate themselves from their competition.

Clare Dever: Ed, I understand you are currently conducting some initial evaluations of service vendors under this new program and that you plan to escalate the number of service providers being evaluated in early 2008. Can you tell us about the nature of the rating classifications that Moody's will be using?

Ed Leppert: Each of the primary evaluation areas we discussed earlier will be rated according to the following rating definitions and then a single overall rating for the service provider will be assigned. These include:

VIR1: Excellent -- The service provider has superior, well-established and thorough security and privacy practices throughout its organization.

VIR2: Strong -- The service provider has well-established security and privacy controls in most of the evaluation areas, but may require supplementary oversight or mitigation in some specific areas.

VIR3: Good -- The service provider is judged to have generally good security and privacy practices in several areas; however, some remediation or oversight may be warranted, depending on the scope of the proposed work to be performed by the service provider.

VIR4: Needs Improvement -- The service provider is judged to have some key areas requiring improvement to meet financial industry security and privacy standards.

VIR5: Poor -- The service provider is judged to have poor quality in most areas of the review.

Clare Dever: Ed, if companies are interested in learning more about this new service offered by Moody's, how might they obtain that information?

Ed Leppert: Service Providers or FSI firms can send us an email to get more information about getting a rating, or call myself or Bryan Johnson. Contact information is as follows:

General Email: VendorRatings@moodys.com

Bryan Johnson: Bryan.Johnson@moodys.com (212.553.3654)

Ed Leppert: Edward.Leppert@moodys.com (212.553.7992)
