Information Security

Information Security Program

MSCI is committed to designing and maintaining an appropriate, robust program of information security to secure data, systems, and services.

MSCI has a mature and mandated set of global IT Risk and Information Security policies, standards, and procedures that are developed in accordance with National Institute of Standards and Technology (NIST) standards.

The highlights of our information security program include:

  • A dedicated function led by our Chief Information Security Officer – that provides oversight and guidance to our information security and resiliency program;
  • Managing technical and operational risks to our services.
  • Use of specialized technology, such as next generation firewalls and IP-based permissions, to limit connectivity to our hosted services, applications, cloud services and client data;
  • Testing of our applications and services in a controlled testing environment before they are released into production;
  • Coordinated change management processes which include applications, infrastructure, cloud services and facilities;
  • Comprehensive business resiliency planning with extensive disaster recovery and business continuity testing;
  • Regular internal and external security audits and vulnerability assessments by third party security vendors and in house staff;
  • 24x7 cyber security operations monitoring of our sites and services, using our Information Security Management Systems (ISMS) to detect and act on weaknesses and potential intrusions;
  • Role-based access controls to identify, authenticate, and authorize individuals to access systems based on their responsibilities;
  • Disabling accounts after defined periods of inactivity and conducting access reviews periodically;
  • Protection, including encryption, for the secure communication of sensitive data; and
  • Review of our applications, infrastructure and security program in light of new threats and vulnerabilities;
  • Contracting with reputable, trusted third parties, that are required to adhere to MSCI Supplier Code of Conduct.


Information Security & Data Protection Awareness

The MSCI Information Security & Data Protection Awareness program includes mandatory training for all new hires, and recurring delivered training throughout the year. Awareness campaigns with education materials are periodically distributed to all employees and made available for reference on our corporate intranet. Additionally, tailored cyber briefings are regularly provided to MSCI Executive Committee and Board members.



Further Information or Enquiries

If you have any questions about MSCI’s security arrangements, please contact your account executive or via