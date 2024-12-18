
Data Privacy and Cybersecurity
As a provider of data and connected technology solutions, S&P Global understands the fundamental importance of maintaining the privacy and security of digital information and systems. Upholding the protection and ethical use of data and information is crucial not only for safeguarding the organizations, individuals and communities we work with every day, but also to advancing our purpose and meeting our business objectives.
This material topic includes our efforts to identify and address data and associated infrastructure security risks, prevent and respond to cybersecurity incidents, and protect the security and integrity of confidential business information and personal/sensitive data.
Respecting and safeguarding the fundamental human right to privacy.
Establishing and maintaining governance and protections in compliance with industry standards and government regulations.
Maintaining and enhancing proactive risk management and incident response procedures.
Monitoring and adapting to evolving technologies, trends, regulations and risks.
Conducted company-wide review of artificial intelligence (AI) governance practices and use cases to align and strengthen processes and policies across divisions.
Performed a review and reassessment of all applications and assets processing, collecting, storing or otherwise using personal information at the organization.
Completed readiness projects for new and evolving laws in the United States, Saudi Arabia and China.
Continued to invest in technologies and tools to enhance automated identification, assessment, prioritization and mitigation of cyber and technology risks.
S&P Global’s Privacy and Information Security teams work in close collaboration with other corporate functions and our business divisions to identify relevant risks and implement policies and procedures across the organization. Where appropriate, we align our approach with external standards and best-practice recommendations, including the National Institute of Standards and Technology’s (NIST) Privacy Framework and Cybersecurity Framework, and the International Organization for Standardization’s (ISO) 27001 and 27002 standards. We periodically engage third parties to assess our continued alignment with internal policies and selected external standards, including the NIST frameworks.
Effective governance and management systems are essential to mitigating data privacy risk and maintaining compliance with global data protection and privacy laws. We therefore take a multi-layered approach to privacy management, collaborating with multiple stakeholders so that personal data is appropriately categorized and protected.
S&P Global’s Privacy organization comprises two distinct functions: Privacy Legal for enterprise-wide legal guidance on data privacy and Information Governance and Privacy Compliance for operationalizing enterprise compliance. Senior leaders in these functions report to the Chief Legal Officer and the Chief Risk Officer respectively.
As part of its role, Information Governance and Privacy Compliance works closely with Enterprise Risk Management to identify, assess and mitigate privacy-related risks across the company. It also works with the Third-Party Risk Management team to conduct vendor/engagement assessments and support compliance with privacy and security requirements globally. Privacy risk management is further supported by the Risk and Compliance Liaisons Group, a monthly forum for highlighting and discussing key risks. We assess our AI use on an ongoing basis, including reviewing AI legal requirements and legislation in the jurisdictions in which we operate.
Changes in the global privacy, data localization and data protection legislative, regulatory and commercial environments in which we operate may materially and adversely impact our ability to collect, compile, use and publish data, and may impact our financial results. As a global organization, we continuously monitor the legal and regulatory landscape within and across jurisdictions and adjust our policies and programs as necessary. In 2024, this included continuing to adapt to evolving requirements concerning user consent and cookie management, data transfer and storage, AI and other issues. We also launched readiness projects for new and evolving laws in the United States, Saudi Arabia and China, and prepared for compliance with new and emerging regulatory requirements across our business lines.
Our Global Corporate Privacy Policy outlines how we collect, share, use and protect personal information, and how users may exercise their privacy rights. It also includes our commitment to notify affected stakeholders of any security incident involving their personal information. The Policy is reviewed annually (with our last update on September 1, 2024) and updated as needed to account for changes or updates to global regulations, or changes in the way we collect and manage personal information.
Our Code of Business Ethics (COBE) outlines the responsibility of each employee, contractor and vendor to understand and enforce our privacy-related policies and procedures, and our vendor agreements contain specific provisions requiring compliance with our privacy-related policies. All colleagues are required to complete annual training on privacy principles, policies and regulations. We also provide specialized privacy training for colleagues and teams with enhanced privacy responsibilities.
Our Cyber Incident Response Plan lays out a clear process for escalation and procedures to follow in the case of a cyber incident. We also maintain a dedicated Data Incident Response Plan, which covers any potential breach of company or client data that does not include any impact on information systems, including a personal data breach. In 2024, we strengthened our approach by performing an analysis of our Data Incident Response Plan and process against our Cyber Incident Response Plan. We used the findings from this review to further refine and align our response plans. We disclose information on breaches of customer privacy in our public filings with the U.S. Securities and Exchange Commission (SEC).
S&P Global knows how important it is to have the right tools, controls and partnerships in place to safeguard our networks and systems from external threats, and to ensure that our data and content are protected. This is why we continuously update our strategies, processes, training and technologies to mitigate risk, stay ahead of the evolving cyberthreat landscape and handle information in a secure and responsible way.
Our Board and its Nominating and Audit Committees gave significant consideration over the past several years to the appropriate Board and committee oversight structure for risks associated with technology and cybersecurity. The full Board receives briefings from management on enterprise-wide technology, cybersecurity risk management and the overall technology and cybersecurity environment. Specifically, the full Board receives biannual reports from the Chief Digital Solutions Officer and the Chief Information Security Officer (CISO).
The Board coordinates with the Audit Committee and Finance Committee to ensure active Board- and committee-level oversight of the company’s technology and cyber risk profile, enterprise technology and cyber strategies, and information security initiatives.
Our Corporate Information Security organization, led by our CISO, is responsible for our overall information security strategy, policy, security engineering, operations and cyber threat detection and response. Corporate Information Security manages and continually enhances the company’s enterprise security structure with the goal of preventing cybersecurity incidents to the extent feasible, while simultaneously increasing our system resilience to minimize the business impact should an incident occur.
Central to this organization is our Cyber Incident Response team, which is responsible for the company’s protection, detection and response capabilities. In the event of a cybersecurity incident, the company is equipped with an incident response plan that includes: (i) detection and analysis, (ii) containment and eradication, (iii) remediation and (iv) preparation for future incidents.
Management engages third-party services to conduct evaluations of the company’s cybersecurity controls, whether through penetration testing, independent audits or consulting on best practices to address new challenges. These evaluations include testing both the design and operational effectiveness of security controls. We also share and receive threat intelligence with our defense industrial base peers, government agencies, information-sharing and analysis centers, and cybersecurity associations. This includes participation in industry-wide security training and receipt of ongoing threat intelligence from the Financial Services Information Sharing and Analysis Center (FS-ISAC). S&P Global is also an active partner with the World Economic Forum’s Centre for Cybersecurity, a global platform aimed at fostering international dialogue to address systemic cybersecurity challenges.
The company’s risk management program also assesses third-party risks: we perform third-party risk management to identify and mitigate risks arising from vendors, suppliers and other business partners, including our use of third-party service providers. Cybersecurity risks are evaluated when selecting and overseeing applicable third-party service providers.
Our people play a critical role in identifying, avoiding and mitigating cybersecurity threats. All colleagues receive mandatory annual training on our information security policies and procedures, and our Information Security team works to continually update our training modules to address new and emerging risks. For example, in 2024, we enhanced our training with targeted phishing conducted for high-risk groups, including transitioning to a more advanced phishing simulator to enhance the overall knowledge and education around social engineering threats.
For additional information on our approach to cybersecurity, see our public filings with the U.S. SEC.