Moody’s and Bitsight partner to create integrated cybersecurity risk platform

As cyber losses mount, landmark partnership creates a unique ability for customers to identify and quantify cyber risk and financial exposure

New York, September 13, 2021 — Moody’s Corporation (NYSE:MCO) and Bitsight today announced a significant investment by Moody’s, further enhancing Bitsight’s offerings and capabilities, to create a comprehensive, integrated, industry-leading cybersecurity risk platform. This transaction reflects the increasing strategic, financial, and operational impact of cyber risk to organizations and markets.

Over the past 18 months, the exponential rise of cyberattacks and ransomware has cost organizations hundreds of billions of dollars, threatened the stability and reputation of businesses across the globe, and created an imperative for business leaders and boards to assess and quantify their cyber risk. A Moody’s Investors Service review of cyber vulnerability and impact identified 13 sectors with high or medium-high risk with total rated debt exceeding $20 trillion.

Through the transaction announced today, Moody’s will invest $250 million in Bitsight, a pioneer in cybersecurity ratings, and Bitsight will acquire VisibleRisk, a cyber risk ratings joint venture created by Moody’s and Team8, a global venture group.

Bitsight helps global market participants understand cyber risk through ratings, analytics, and performance management tools, delivering unique insights for over 2,300 global customers, including many Fortune 500 companies, government agencies, insurers, and asset managers. Moody’s will leverage Bitsight’s extensive cyber risk data and research across its growing suite of integrated risk assessment product offerings. Bitsight’s acquisition of VisibleRisk adds a unique in-depth cyber risk assessment capability and advances its ability to analyze and calculate an organization’s financial exposure to cyber risk. The transaction values Bitsight at $2.4 billion, reflecting the company’s leadership in a rapidly growing data and analytics market.

“As organizations invest in cyber defense and resilience, another critical need has emerged: the ability to accurately measure and quantify cyber risk and exposure,” said Rob Fauber, President and Chief Executive Officer of Moody’s. “Creating transparency and enabling trust is at the core of Moody’s mission – to help organizations assess complex, interconnected risks and make more informed decisions. Bitsight is the leader in the cybersecurity ratings space, and together we will help market participants across disciplines better understand, measure, and manage their cyber risks and translate that to the risk of financial loss.”

Cybersecurity is one of the biggest threats to global commerce in the 21st century,” said Steve Harvey, President and Chief Executive Officer of Bitsight. “Our partnership with Moody’s and acquisition of VisibleRisk expands our reach to help customers manage cyber risk in an increasingly digital world.”

Bitsight will create a Risk Solutions Division focused on delivering a suite of critical solutions and analytics serving stakeholders including chief risk officers, c-suite executives, and boards of directors.

Following transaction close, Moody’s will become the largest shareholder of Bitsight, with a minority stake in the company. The investment was funded with cash on hand and will not have a material impact on Moody’s 2021 financial results.

For more information on Moody’s and cyber, visit https://www.moodys.com/cyber.

ABOUT MOODY’S CORPORATION
Moody’s (NYSE: MCO) is a global integrated risk assessment firm that empowers organizations to make better decisions. Its data, analytical solutions and insights help decision-makers identify opportunities and manage the risks of doing business with others. We believe that greater transparency, more informed decisions, and fair access to information open the door to shared progress. With over 11,500 employees in more than 40 countries, Moody’s combines international presence with local expertise and over a century of experience in financial markets. Learn more at moodys.com/about.

About Bitsight
Bitsight is transforming the way that the global marketplace addresses cyber risk with cybersecurity ratings and analytics. The Bitsight Security Ratings Platform applies sophisticated algorithms, producing daily security ratings that range from 250 to 900, to help organizations manage their own security performance; mitigate third party risk; underwrite cyber insurance policies; conduct financial diligence; and improve national security. With 2,300 global customers and the largest ecosystem of users and information, Bitsight is the Standard in Security Ratings. Learn more at bitsight.com.

“SAFE HARBOR” STATEMENT UNDER THE PRIVATE SECURITIES LITIGATION REFORM ACT OF 1995
Certain statements contained in this release are forward-looking statements and are based on future expectations, plans and prospects for the business and operations of Moody’s Corporation (the “Company”) that involve a number of risks and uncertainties. Such statements may include, among other words, “believe”, “expect”, “anticipate”, “intend”, “plan”, “will”, “predict”, “potential”, “continue”, “strategy”, “aspire”, “target”, “forecast”, “project”, “estimate”, “should”, “could”, “may” and similar expressions or words and variations thereof that convey the prospective nature of events or outcomes generally indicative of forward-looking statements. Stockholders and investors are cautioned not to place undue reliance on these forward-looking statements. The forward-looking statements and other information in this release are made as of the date hereof and the Company undertakes no obligation (nor does it intend) to publicly supplement, update or revise such statements on a going-forward basis, whether as a result of subsequent developments, changed expectations or otherwise, except as required by applicable law or regulation. In connection with the “safe harbor” provisions of the Private Securities Litigation Reform Act of 1995, the Company is identifying examples of factors, risks and uncertainties that could cause actual results to differ, perhaps materially, from those indicated by these forward-looking statements. Those factors, risks and uncertainties include, but are not limited to, the impact of COVID-19 on volatility in the U.S. and world financial markets, on general economic conditions and GDP in the U.S. and worldwide, and on the Company’s own operations and personnel. Many other factors could cause actual results to differ from Moody’s outlook, including credit market disruptions or economic slowdowns, which could affect the volume of debt and other securities issued in domestic and/or global capital markets; other matters that could affect the volume of debt and other securities issued in domestic and/or global capital markets, including regulation, credit quality concerns, changes in interest rates and other volatility in the financial markets such as that due to Brexit and uncertainty as companies transition away from LIBOR; the level of merger and acquisition activity in the U.S. and abroad; the uncertain effectiveness and possible collateral consequences of U.S. and foreign government actions affecting credit markets, international trade and economic policy, including those related to tariffs, tax agreements and trade barriers; concerns in the marketplace affecting our credibility or otherwise affecting market perceptions of the integrity or utility of independent credit agency ratings; the introduction of competing products or technologies by other companies; pricing pressure from competitors and/or customers; the level of success of new product development and global expansion; the impact of regulation as an NRSRO, the potential for new U.S., state and local legislation and regulations; the potential for increased competition and regulation in the EU and other foreign jurisdictions; exposure to litigation related to Moody’s Investors Service’s rating opinions, as well as any other litigation, government and regulatory proceedings, investigations and inquiries to which the Company may be subject from time to time; U.S. legislation modifying the pleading standards and EU regulations modifying the liability standards applicable to credit rating agencies in a manner adverse to credit rating agencies; provisions of EU regulations imposing additional procedural and substantive requirements on the pricing of services and the expansion of supervisory remit to include non-EU ratings used for regulatory purposes; the possible loss of key employees; failures or malfunctions of our operations and infrastructure; any vulnerabilities to cyber threats or other cybersecurity concerns; the outcome of any review by controlling tax authorities of the Company’s global tax planning initiatives; exposure to potential criminal sanctions or civil remedies if the Company fails to comply with foreign and U.S. laws and regulations that are applicable in the jurisdictions in which the Company operates, including data protection and privacy laws, sanctions laws, anti-corruption laws, and local laws prohibiting corrupt payments to government officials; the impact of mergers, acquisitions or other business combinations and the ability of the Company to successfully integrate such acquired businesses; currency and foreign exchange volatility; the level of future cash flows; the levels of capital investments; and a decline in the demand for credit risk management tools by financial institutions. These factors, risks and uncertainties as well as other risks and uncertainties that could cause Moody’s actual results to differ materially from those contemplated, expressed, projected, anticipated or implied in the forward-looking statements are currently, or in the future could be, amplified by the COVID-19 outbreak, and are described in greater detail under “Risk Factors” in Part I, Item 1A of the Company’s annual report on Form 10-K for the year ended December 31, 2020 and in other filings made by the Company from time to time with the SEC or in materials incorporated herein or therein. Stockholders and investors are cautioned that the occurrence of any of these factors, risks and uncertainties may cause the Company’s actual results to differ materially from those contemplated, expressed, projected, anticipated or implied in the forward-looking statements, which could have a material and adverse effect on the Company’s business, results of operations and financial condition. New factors may emerge from time to time, and it is not possible for the Company to predict new factors, nor can the Company assess the potential effect of any new factors on it.