logo image

Insurance Solutions

Formerly Moody’s RMS

Cybersecurity at Moody's

Our dedicated cybersecurity, privacy, and compliance teams work in partnership to manage data protection practices at Moody's. Our security controls and risk-management framework are based on multiple standards and frameworks.  Our data privacy protocols are designed to comply with General Data Protection Regulation (GDPR) and other applicable privacy laws.

Security by Design

Moody's insurance solutions integrates Security by Design principles into System Development Lifecycle. Some examples of these principles are Principles of Least Privilege, Secure Defaults, Separation of Duties, and Defense in Depth. This ensures Moody's RMS products are resilient against security attacks.

Well-architected systems
Our Cloud platforms are designed to meet industry standards for Confidentiality, Integrity, and Availability.  Our multi-tier architecture is designed to be scalable, resilient, and secure. The security layers include Web Application Firewalls (WAF), network and software-based firewalls, DDoS protection, monitoring and alerting systems, and network isolation. 

Network security 
Moody's takes a layered approach to overall network security, following industry standards at each layer with isolation and controls.  At the core of our approach to network security is access control.  We control access through virtual private clouds (VPCs), firewall rules, application layer firewalls, and network hardening. Additionally, we leverage threat detection and monitoring capabilities.

External validation
Moody's conducts regular penetration testing executed by independent third-party penetration testing organizations. In addition, we perform vulnerability, container and web applications scans.

Data security

Moody's is committed to protecting the confidentiality, integrity, and availability of your data. Data across our cloud product platforms is encrypted in transit and at rest using modern ciphers and methods recommended by security industry and standards organizations. We utilize multiple network controls, access controls, and container isolation to build security directly into our products.

Tenant isolation
For our SaaS based multi-tenant platforms, customer data is logically segregated based on unique customer identifiers in conjunction with role-based access controls (RBAC) and identity service management (MFA and user authentication).  Service level controls for all data access require customer ID validation and authorization to access and process customer data stored within the platform.

Access control
Moody's insurance solutions has an Access Control Policy in place. Moody's RMS classifies customer data as highly confidential, requiring our highest degree of controls and protections. Segregation of duties and least privilege is identified and enforced which includes review of access control lists. RMS support staff are restricted from accessing data that is not directly related to the service they are providing. 

Encryption
We protect customer data in-transit and at-rest using Industry standard encryption, such as latest safe version of Transport Layer Security (TLS) and Advanced Encryption Standard using 256-bit keys (AES-256). 

Cloud security

Hosting
Moody's insurance solutions leverages AWS and Azure cloud platforms. Each of the vendors for these platforms has committed that its cloud platform meets major compliance standards, including SOC 1, 2, 3, ISO 27001/27017/27701, PCI DSS and Cloud Security Alliance (CSA). They attest to having security programs that cover fundamental aspects of security, including Physical and Environment Security, Business Continuity Management, Network Security, Access Controls, Account Management, Secure Design Principles, Change Management, Logging and Audit Capabilities, and Security Checks.

Layers of security
Our Cloud [application] platform is built on isolated, private networks and uses multiple network controls such as container isolation, inbound/internal traffic restrictions, monitoring of traffic rates, sources and types at multiple network points. Our multi-tier architecture is designed to be scalable, resilient, and secure. The security layers include Web Application Firewall (WAF), network firewalls, DDoS protection, monitoring and alerting systems, and network isolation.

Reliability
We have designed, architected, and built the platform to be resilient with redundancy, scalability, and failover capabilities designed to minimize downtime. Additionally, we host our services with our cloud-hosting partners that offer multiple levels of built-in redundancy and geographical distribution. We also have monitoring and alerting systems in place so our engineers can promptly and proactively respond to issues that could lead to service disruptions.

Product security

In addition to integrating Security by Design principles into the product development, our products are put through security review prior to release and are protected at runtime by a Web Application Firewall (WAF).  Also, we use automated and manual security testing processes throughout the system development lifecycle (SDLC) to identify and patch potential security vulnerabilities. We conduct continuous:

  • Static Application Security Testing (SAST) of application source code and binaries which identify potential security vulnerabilities
  • Dynamic Application Security Testing (DAST) of our applications as they evolve, providing automatic detection and assessment of code changes and alerting for newly discovered vulnerabilities.
  • Open-Source Scanning of its open-source code, map open source in use to known security vulnerabilities, and flag potential licensing issues to ensure open-source license compliance.

Moody's RMS analyses third-party dependencies to identify and remediate vulnerabilities.

Vulnerability management
The Moody's DevSecOps team embraces the concept of “shifting left” when it comes to remediating vulnerabilities. Moody's RMS is using a secure Image factory where images are iteratively built, scanned, and remediated before releasing to production. The factory images are built to satisfy international standards in many control domains, including automated patching for vulnerability management, Infrastructure as Code (IaC) for configuration management, baked in agents for Malware Detection and Response, and multi-region, automated image rotation for Disaster Recovery.

  • Moody's RMS employs independent third parties to perform penetration tests annually.  
  • Issues are resolved in line with the Moody's RMS vulnerability management and patch management processes.

Web application firewall
Moody's insurance solutions uses Web Application Firewalls (WAF) to protect against application layer attacks in our production environment. WAFs analyze http traffic between users and web servers for malicious http requests and acts as an additional layer of defense to traditional network firewalls.

Change management
Moody's insurance solutions has a change management policy in place to record, evaluate, authorize, prioritize, plan, test, implement, document, and review changes to IT services and their associated components in a controlled manner.

Business continuity

The Moody's Business Continuity Plan (BCP) is supported by standards that include requirements for program governance, operational impact assessments, gap analysis, contingency plan/strategy development, plan testing, crisis management training, awareness, and management reporting. 

The Moody's BCP is reviewed annually and updated based on operational risks and strategic business needs. Our review program is multi-dimensional and is designed to validate the effectiveness of the BCP during both short and long-term business disruptions. 

Compliance

We strive to anticipate future sustainability risks and opportunities, new regulations, and market trends to ensure the responsible development of our business.

iso 27001

 

 

ISO 27001:2013

Moody's insurance solutions is ISO 27001:2013 certified. Our latest certificate can be found here by searching for Moody's RMS as the Organization Name.

 

 

Soc certification

 

SOC 2 Type II and SOC 3

Moody's insurance solutions maintains an SSAE18 SOC2 Type II certification for its platforms and products with regular audits conducted by an AICPA-approved audit firm. The SOC 3 public report is available upon request.

C5 compliance

Cloud Computing Compliance Controls Catalogue (C5)

Moody's insurance solutions holds a C5 (ISAE 300) attestation. C5 is the German Federal Office for Information Security BSI Cloud Computing Compliance Controls Catalogue (C5). Additional information can be found here.

close button
Overlay Image
Video Title

Thank You

You’ll be contacted by an Moody's RMS specialist shortly.