MOODYS CORP /DE/ - (MCO)

10-K Filing Date: February 14, 2024
ITEM 1C. CYBERSECURITY AND RISK MANAGEMENT
Governance
Management
The Company maintains a dedicated internal cybersecurity team that interacts with executive management and its business units to identify, assess, manage, and respond to cybersecurity risks and incidents relating to the Company’s information systems and operations. In addition, this internal cybersecurity team is responsible for managing detection, mitigation and remediation of cybersecurity incidents. The internal cybersecurity team is managed by the CISO, who reports to the CAO, who is a member of the executive leadership team. At December 31, 2023, the Company’s internal cybersecurity team consisted of members located in various countries and time zones across the world. The team has members with experience in governance, risk management and compliance, threat monitoring, threat emulation, penetration testing and cyber incident management. Team members have both individual responsibilities and a team focus, covering areas such as network, endpoint device, and e-mail security engineering as well as operations and threat management, monitoring, and response.
The Cyber Committee, chaired by the CISO, and whose members include the CTSO and CAO, as well as other members of senior management and the legal team, is responsible for identifying cybersecurity risks and threats, recommending mitigating actions to strengthen cybersecurity resilience, and meeting risk tolerance thresholds established by senior management. The Cyber Committee also validates that the Company has appropriate people, process and technology capabilities to identify, mitigate and report on cybersecurity risks to the executive leadership team and the Board of Directors. The Cyber Committee meets regularly to allow members of the internal cybersecurity team to present concerns and recommendations for decisions on preventing, identifying, mitigating, and remediating risks and threats. To the extent warranted, the Cyber Committee may additionally be convened on an ad hoc basis. The Cyber Committee makes decisions regarding the reporting of cybersecurity concerns to the executive leadership team, who escalate issues to the Board and/or the Audit Committee as necessary. In the case of incidents that arise, the Cyber Committee, under the direction of the Board and/or executive leadership team when appropriate, works to involve all appropriate personnel with the aim of resolving the incident, performing any required remediation/reporting, and taking appropriate steps to comply with applicable laws and regulations. The process that the Cyber Committee follows upon emergence of incidents is documented in the Company’s Incident Response Plan. Additionally, cybersecurity risks and the adequacy of associated mitigations are analyzed by senior leadership as part of the enterprise risk assessments that are reported to and discussed by the Board.
The CISO has extensive cybersecurity knowledge and skills, gained from over 20 years’ experience working in regulated industries. The CISO holds a number of cybersecurity related certifications, including the Certified Information Systems Security Professional and Certified Information Security Manager. In addition to the CISO, the CTSO has been a close partner and advocate for cybersecurity at the Company, and is consulted or informed on all decisions or risks that affect the Company's technology systems and/or implicate cybersecurity. The CAO is responsible for overseeing the cybersecurity team at the executive leadership level.
Board of Directors and Audit Committee
The Board provides oversight of management’s efforts to assess and manage cybersecurity risks and respond to cybersecurity incidents and threats. In addition, the Audit Committee of the Board of Directors regularly receives reports from management regarding the Company’s financial and compliance risks, including, but not limited to, risks relating to internal controls and cybersecurity risks.
The Board receives regular updates from the CISO, CTSO, and CAO regarding matters related to technology and cybersecurity. The Company has protocols, as discussed below, by which certain cybersecurity concerns, incidents and threats are escalated within the Company and, where appropriate, reported in a timely manner to the Board.
Risk Management and Strategy
The objective of the Company's comprehensive cybersecurity program is to assess, identify, and manage risks from cybersecurity incidents and threats. The Company's cybersecurity program leverages the NIST Framework and incorporates training and awareness coupled with ongoing monitoring and assessment. The cybersecurity program is an important part of the Company’s enterprise risk management (ERM), with the head of the Company’s ERM program sitting on the Cyber Committee, and sets forth a process, integrated into the Company’s Incident Response Plan, for escalating certain incidents to the Company’s ERM group.
As part of the cybersecurity program, the Company’s cybersecurity environment is monitored by automated tools on an ongoing basis and an internal cybersecurity team that reviews threats, alerts, and incidents. The Company’s Incident Response Plan provides governance and guidance in responding to information security incidents and is tested regularly for calibration against existing and emerging threats. The Incident Response Plan describes the process to be followed by the Cyber Committee in connection with the oversight of the cybersecurity environment and specific events that occur from time to time. The cybersecurity program undergoes periodic internal and external reviews. In addition, the Company's Internal Controls Department performs an independent assessment of the design and operating effectiveness of the Company’s network of cybersecurity controls in accordance with the NIST Framework. The results of the assessment are periodically shared with the Cyber Committee and the Audit Committee.
The Company’s cybersecurity environment is also subject to routine vulnerability assessment processes. Internal and external teams, including the Cyber Committee, conduct activities such as penetration testing, red teaming, tabletop exercises and phishing drills. Results are measured and assessed for possible improvements. In addition to these ongoing efforts, the Company has a set of third-party risk management tools through which it monitors for cybersecurity risks and threats associated with its third-party service providers. The Incident Response Plan includes processes that define how the Company manages and responds to such risks or threats associated with its third-party service providers.
The Company contracts with reputable third parties to conduct annual external assessments of its cybersecurity program and its components. Government agencies and their contracted agents also conduct periodic reviews in certain jurisdictions where the Company operates. Insurance agents, customers and other market participants routinely assess the Company’s security posture relative to their own standards.
Security Policy and Requirements
The Company has an Information Security Policy and Information Security Standards, which, taken together, describe the standards and minimum requirements that are expected of all business and information security personnel to protect the Company’s information and technology assets. The policy provides a framework guided by security principles designed to address the confidentiality, integrity and availability of the Company’s information assets in the context of internal, external, deliberate and accidental threats, while supporting the Company’s information creation and sharing needs.
The Company is subject to various privacy laws in the jurisdictions where it operates including CCPA and GDPR, as well as U.S. Federal regulation by the FTC, for certain privacy-related aspects of its business, and the Sarbanes-Oxley Act of 2002. The Company is audited in connection with requirements set forth in the Sarbanes-Oxley Act of 2002, and Moody’s Analytics obtains third-party audits in connection with ISO 27001 and SOC 2 certification and attestation reports, respectively, for certain products. As previously mentioned, the Company also aligns with NIST standards in connection with information security, which it uses to evaluate its cybersecurity readiness and resilience, and is required to make various filings and comply with requirements in certain jurisdictions in which it operates.
The Company’s cybersecurity program also includes an information security training and awareness program called InfoSafe for all employees. The program includes annual certification to having read and understood the Company's IT Use Policy, continuing education on phishing awareness, regular communications about cybersecurity best practices, and participation in annual events like Cybersecurity Awareness Month. Employees are expected to complete annual cybersecurity training, and compliance is monitored. The Company uses general and targeted phishing simulations to help employees better recognize and respond to potential threats. The training program is further enhanced by cybersecurity experts speaking at educational events. The Company also offers specialized training modules on emerging cybersecurity threats for its software development teams. The Company’s IT Use Policy outlines a detailed escalation process under which employees are to immediately report any suspected cybersecurity incident.
The cybersecurity threat landscape is dynamic and volatile, and requires significant investment on the part of the Company in terms of talent recruitment and retention, as well as procuring and deploying the correct tools to address threats. Additional information on cybersecurity risks is discussed in Item 1A of Part I, “Risk Factors,” under the heading “Technology Risks,” which should be read in conjunction with the foregoing information.