2024-12-18

Effective governance and management systems are essential to mitigating data privacy risk and maintaining compliance with global data protection and privacy laws. We therefore take a multi-layered approach to privacy management, collaborating with multiple stakeholders so that personal data is appropriately categorized and protected.

Risk Management and Compliance

S&P Global’s Privacy organization comprises two distinct functions: Privacy Legal for enterprise-wide legal guidance on data privacy and Information Governance and Privacy Compliance for operationalizing enterprise compliance. Senior leaders in these functions report to the Chief Legal Officer and the Chief Risk Officer respectively.

As part of its role, Information Governance and Privacy Compliance works closely with Enterprise Risk Management to identify, assess and mitigate privacy-related risks across the company. It also works with the Third-Party Risk Management team to conduct vendor/engagement assessments and support compliance with privacy and security requirements globally. Privacy risk management is further supported by the Risk and Compliance Liaisons Group, a monthly forum for highlighting and discussing key risks. We assess our AI use on an ongoing basis, including reviewing AI legal requirements and legislation in the jurisdictions in which we operate.

Changes in the global privacy, data localization and data protection legislative, regulatory and commercial environments in which we operate may materially and adversely impact our ability to collect, compile, use and publish data, and may impact our financial results. As a global organization, we continuously monitor the legal and regulatory landscape within and across jurisdictions and adjust our policies and programs as necessary. In 2024, this included continuing to adapt to evolving requirements concerning user consent and cookie management, data transfer and storage, AI and other issues. We also launched readiness projects for new and evolving laws in the United States, Saudi Arabia and China, and prepared for compliance with new and emerging regulatory requirements across our business lines.

Policies and Training

Our Global Corporate Privacy Policy outlines how we collect, share, use and protect personal information, and how users may exercise their privacy rights. It also includes our commitment to notify affected stakeholders of any security incident involving their personal information. The Policy is reviewed annually (with our last update on September 1, 2024) and updated as needed to account for changes or updates to global regulations, or changes in the way we collect and manage personal information.

Our Code of Business Ethics (COBE) outlines the responsibility of each employee, contractor and vendor to understand and enforce our privacy-related policies and procedures, and our vendor agreements contain specific provisions requiring compliance with our privacy-related policies. All colleagues are required to complete annual training on privacy principles, policies and regulations. We also provide specialized privacy training for colleagues and teams with enhanced privacy responsibilities.

Incident Response

Our Cyber Incident Response Plan lays out a clear process for escalation and procedures to follow in the event of a cyber incident. We also maintain a dedicated Data Incident Response Plan, which covers any potential breach of company or client data, including a personal data breach, that does not involve any impact on information systems. In 2024, we strengthened our approach by performing an analysis of our Data Incident Response Plan and process against our Cyber Incident Response Plan. We used the findings from this review to further refine and align our response plans. We disclose information on breaches of customer privacy in our public filings with the U.S. Securities and Exchange Commission (SEC).