January 10, 2020

How is cybersecurity and data privacy overseen at the board and management levels? What is the chain of command? Are Morningstar’s data management processes aligned with third-party standards (e.g., ISO, SOC)?

Our audit committee receives quarterly reports from senior executives tasked with managing these areas. These reports cover, among other things, technology operations such as product uptime and disaster recovery, product security, internet-facing security, any known security incidents and their remediation, and company-wide training activities. With the increase in data privacy regulation around the globe, we plan to include additional topics relating to our activities around data privacy, including compliance with regulations.

At a management level, these areas are managed by our Chief Technology Officer and Chief Information Security Officer, who have staff primarily dealing with cybersecurity issues. We also have an internal legal counsel who devotes full time to privacy issues and is building a compliance staff around privacy-related activities.

Morningstar’s Privacy and Security Advisory Council meets on a quarterly basis to discuss environmental, regulatory, and technological changes and the associated risk to the security and confidentiality of the organization’s information. This meeting is chaired by the Chief Information Security Officer and consists of executive management from the Information Technology, Legal, Audit, and Compliance departments. Council meetings provide a forum for the cross-functional, global identification and resolution of security issues, endorsement of security strategies, and review of significant exceptions to information privacy and security policy. The Privacy and Security Advisory Council also works to identify key corporate security initiatives and standards (for example, virus protection, data classification, security monitoring, intrusion detection, access control to applications and facilities, and remote access policies).

At an enterprise level, our information security policies align with ISO 27001:2013. Certain products have been subject to client-driven SOC1 and SOC2 audits.
