One of Morningstar’s most valuable assets is the trust we’ve built with our
stakeholders. We recognize our responsibility to safeguard their information
and we expend considerable effort and resources to protect all data
pertaining to our clients, colleagues, and partners.
Our chief information security officer leads a dedicated team responsible
for our comprehensive information security program. The program covers IT
risk governance, software and product security, security operations and
incident management, IT compliance, technical disaster recovery, and
determining enterprise-wide security policies and procedures. The team is
responsible for maintaining and implementing Morningstar's Information
Security Policies, which define requirements for information classification,
appropriate data handling and usage, roles and responsibilities, access
controls and provisioning, logging, monitoring, cryptography and key
management, security awareness, virus prevention, risk assessments, physical
security, mobile device policy, network security, vulnerability management,
policy enforcement, and handling of exceptions. Policies are aligned with
ISO 27001:2013 and NIST (National Institute of Standards and Technology)
SP-800 publications. We regularly benchmark our information security program
against NIST’s Cybersecurity Framework to identify our current maturity and
measure progress in our program.
Preparedness is a crucial component of our information security and privacy
programs. All Morningstar employees undergo annual security awareness
training. We also operate a quarterly phishing exercise to educate and test
our employees. The security operations team conducts red team exercises to
assess whether our infrastructure can be compromised and to gain insight into
our ability to detect and respond to an attack.
On a business level, we perform quarterly tabletop exercises to prepare
stakeholders for security incidents and practice our response procedures.
Furthermore, our enterprise resilience team manages both disaster recovery
and business continuity plans and prepares the firm to recover from
high-impact incidents. Should an incident occur, we operate a 24x7 security
operations team to respond to security incidents and notify relevant
stakeholders.
At the board level, our Audit Committee has oversight of our cybersecurity
risk exposures and regularly reviews and discusses risks related to our
cybersecurity practices with management.
For more detail please see Morningstar’s Approach to Data and Information
Security, available at
www.morningstar.com/company/corporate-sustainability-policies-reports.
Information on our website is not
incorporated by reference into this Report.