Privacy Advisor

Moody's Risk Services Corporation Now Offers Vendor Information Risk Ratings

December 1, 2007

Clare Dever, CIPP, Executive Director of Compliance & Strategic Consulting Services, recently interviewed Edward Leppert, Director of Moody's Risk Services, to learn more about Moody's new Vendor Information Risk (VIR) Ratings.

Clare Dever: Ed, I understand that, in response to the periodic data breaches that have occurred, a number of key financial, investment and insurance companies have been working with Moody's to develop a more streamlined approach to assessing the potential information risk that may be associated with service providers, rather than each organization completing its own due diligence. Could you share more information with the IAPP and its members?

Ed Leppert: Yes, you are correct. A number of major financial services firms contacted Moody's earlier this year to discuss this concept given our independence and strong reputation for helping financial organizations evaluate risk. We subsequently formed an advisory council to ensure the service would meet the needs of a number of leading international financial and insurance institutions and others who helped us determine the areas to evaluate. The primary areas of evaluation include:

  • Information Security Policy
  • Organization
  • Information Classification
  • Physical Security
  • Communications and Operations Management
  • Access Control
  • Application Security
  • Incident Management
  • Business Continuity
  • Data Security
  • Privacy


For each, we assign a risk/quality rating, along with key findings which will help alleviate (or, at least, minimize) the amount of due diligence that each of the companies currently conducts individually and permit the companies to leverage the VIR Rating assigned by Moody's.

Clare Dever: This certainly appears to be an efficient and cost-effective manner to assess the risk of key service providers. Is it Moody's intention to test-market this first with a particular industry segment, such as financial services?

Ed Leppert: Yes, Moody's would like to determine the success of this new service within the financial services (FSI) and insurance sectors prior to pursuing other industries, though I should point out that firms we have spoken with in other industries see value in the service, as managing risks of service providers is universal really for any firm that uses vendors to support their technology and business processes. In terms of process, the rating report will be distributed to the service provider rated and then to FSI subscribers to the service, with distribution being at the rated firm's discretion.

Clare Dever: There are so many questionnaires, surveys and certification programs that vendors are currently struggling with — is there any incentive for the service provider to proceed with a VIR Rating by Moody's?

Ed Leppert: Within the areas we evaluate, we have identified approximately 80 areas of analysis. Of course, not all will be applicable to a service provider and which ones we look at depends on the services that the service provider offers to the market. The questionnaire we have developed is an information-gathering tool for us, which we combine with vendor discussion sessions and an onsite visit. If a firm has completed other surveys or questionnaires, we can accept that in lieu of ours, so long as it covers a reasonable number of the areas we need to analyze. Then, we can cover the gaps through our discussion and onsite sessions. For instance, an International Organization for Standardization assessment, the Financial Institution Shared Assessments Program (FISAP) made utilizing the Agreed Upon Procedures (AUP) and the Standardized Information Gathering (SIG) questionnaire, and the Payment Card Industry (PCI) Report on Compliance (ROC) cover most of the areas we evaluate.

In terms of incentives to get rated, we like to use the phrase "rate once, use many," meaning that our rating report can be leveraged by the service providers to respond to their FSI client's (or prospect's) due diligence requests. It is also a good way for service providers to identify if there are any significant risks they need to address before they are in front of their prospects or clients. And lastly, it is an opportunity for service providers to show proactive management of risk and differentiate themselves from their competition.

Clare Dever: Ed, I understand you are currently conducting some initial evaluations of service vendors under this new program and that you plan to escalate the number of service providers being evaluated in early 2008. Can you tell us about the nature of the rating classifications that Moody's will be using?

Ed Leppert: Each of the primary evaluation areas we discussed earlier will be rated according to the following rating definitions and then a single overall rating for the service provider will be assigned. These include:

VIR1: Excellent -- The service provider has superior, well-established and thorough security and privacy practices throughout its organization.

VIR2: Strong -- The service provider has well-established security and privacy controls in most of the evaluation areas, but may require supplementary oversight or mitigation in some specific areas.

VIR3: Good -- The service provider is judged to have generally good security and privacy practices in several areas; however, some remediation or oversight may be warranted, depending on the scope of the proposed work to be performed by the service provider.

VIR4: Needs Improvement -- The service provider is judged to have some key areas requiring improvement to meet financial industry security and privacy standards.

VIR5: Poor -- Service provider is judged to have poor quality in most areas of the review.

Clare Dever: Ed, if companies are interested in learning more about this new service offered by Moody's, how might they obtain that information?

Ed Leppert: Service Providers or FSI firms can send us an email to get more information about getting a rating, or call myself or Bryan Johnson. Contact information is as follows:

General Email: VendorRatings@moodys.com

Bryan Johnson: Bryan.Johnson@moodys.com (212.553.3654)

Ed Leppert: Edward.Leppert@moodys.com (212.553.7992)