Data Privacy and Cybersecurity

As a global data and analytics provider, protecting privacy and the security of information and related systems is fundamental to our business, and a key sustainability issue for the company. Our customers, employees, partners and stakeholders rely on us to safeguard personal information and respect the individual right to privacy. Data privacy is therefore a top priority and integral to the daily management of the company.

Our Approach
and Performance

We take a multi-layered approach to the governance and management of data privacy, working with multiple stakeholders to ensure that personal data is properly categorized and protected. This helps mitigate data privacy risk while also ensuring compliance with global data protection and privacy laws.

In January 2022, S&P Global split its Privacy Center into two distinct functions – Privacy Legal and Information Governance and Privacy Compliance – with the goal of enhancing legal oversight and implementation of data privacy policies across the company. The Privacy Legal function is led by the Associate General Counsel, Privacy, and is responsible for providing enterprise-level legal guidance on data privacy, information governance and data protection matters. The Information Governance and Privacy Compliance function is led by the Head of Information Governance and Privacy and is responsible for operationalizing corporate-level compliance with all S&P Global privacy policies.

In 2022, we focused on strengthening our Privacy teams, reducing regulatory risk, enhancing awareness and compliance, and increasing operational efficiency. Key accomplishments included the following:

Completed key privacy integration milestones with IHS Markit, including:

• Harmonized key policies (Corporate, Candidate and Employee Privacy policies, Cookie Notice and Terms of Use).
• Completed website unification, including branding, cookie compliance, joint policy references and harmonized user preference centers.
• Integrated consumer rights management systems and privacy assessment processes.
• Harmonized our approach to corporate vendor data protection appendices and standard contractual clauses.
• Implemented a joint intercompany data transfer agreement with all affiliates.
• Completed readiness projects for new and updated regulations in the United States and the People’s Republic of China.
• Achieved operational compliance with client U.S./UK/EU data transfers resulting from Brexit and changes in the EU Standard Contractual Clauses.
• Partnered with Information Security to overhaul the Cyber Incident Response Plan and Data Incident Response Plan, to enhance efficiency and coordination of stakeholders.

S&P Global is subject to a wide variety of legal and regulatory requirements related to data protection and privacy in the countries where we operate, and with growing concern about data privacy, many of these requirements are rapidly evolving. Although the lack of regulatory consistency and harmonization is an increasing challenge for organizations like ours, it is important for us to stay abreast of these changes. As such, we continuously monitor the legal and regulatory landscape, focusing on potential effects to our people, products and services, and adjust our policies and programs as appropriate. 

For example, to meet the requirements of new and emerging privacy laws, S&P Global has continued to mature our privacy governance tool, OneTrust, including automating individual personal information access request workflows by country and harmonizing cookie functionality across all websites. We’ve also created a centralized OneTrust assessment process covering Privacy Impact Assessments, Legitimate Interest Analysis and Data Protection Impact Assessments.

Our Code of Business Ethics outlines key privacy-related expectations, and all colleagues are required to complete annual training on privacy principles, policies and regulations. We also provide additional data privacy training for colleagues in selected roles. We also continue to provide training to our legal and procurement teams on new standards for cross-border data transfers.

Corporate Privacy
Policy

Our commitment to privacy and data protection is formalized by the Global Corporate Privacy Policy, which outlines how we collect, share, use and protect personal information, and how users may exercise their privacy rights. It also includes our commitment to notify affected stakeholders of any security incident involving their personal information, in accordance with applicable law. Available in 12 languages, the policy is presented in a layered format for increased transparency and includes a Preference Center for each division to manage opt-out requests and customer opt-in preferences, as well as seven jurisdiction-specific addenda covering jurisdictions such as China, Japan and Brazil. The policy is reviewed annually and updated as needed in response to changing regulations and evolving best practices.

As a data-driven business, S&P Global knows how important it is to have the right tools, controls and partnerships in place to safeguard our networks and systems from external threats, and to ensure that our data and content are protected. This is why we continuously update our strategies, processes, training and technologies to mitigate risk, stay ahead of the evolving cyberthreat landscape and handle information in a secure and responsible way.

Our Approach
and Performance

Our Cybersecurity organization works to identify technology and cybersecurity risks and to implement policies and procedures to keep our networks, systems and data secure. In 2022, the organization underwent significant change, as key strategies, tools, processes and technologies were merged and updated in the context of the merger with IHS Markit.

S&P Global’s leadership included cybersecurity in our 2022 Enterprise Goals, reflecting its continued importance to the resiliency of our business. The Board, as a whole and through the Audit Committee, oversees our technology and cyber risk profile, enterprise-wide technology, cybersecurity strategies and information security initiatives. In addition, the Board receives updates at least twice yearly from the Chief Information Officer and the Chief Information Security Officer and is briefed on technology and cybersecurity risk management through committee updates.

Where appropriate, we align our policies and procedures with the best-practice recommendations of the National Institute of Standards and Technology (NIST), the International Organization for Standardization (ISO) and the Financial Services Information Sharing and Analysis Center (FS-ISAC). To stay updated on new threats and continue a robust cybersecurity posture, our Information Security team participates in industry-wide security training and receives ongoing threat intelligence from organizations such as FS-ISAC. S&P Global is also an active partner with the World Economic Forum's Centre for Cybersecurity, a global platform aimed at fostering international dialogue to address systemic cybersecurity challenges.

Incident Response and
Ongoing Improvements

Our Cyber Incident Response Plan provides a framework for responding in the event of a cyberattack. We also continue to improve and update the company’s security capabilities and resiliency.

Our people play a critical role in identifying, avoiding and mitigating cybersecurity threats. All colleagues receive mandatory annual training on our information security policies and procedures, and our Information Security team works to ensure our training modules are continually updated to address new and emerging risks.

We also conduct simulations to test our defenses, including a monthly phishing simulation. Continuous training and random phishing security testing in 2022 resulted in a decrease in susceptibility rate for our users, bringing our yearly average to 6%.

We are also revamping our phishing training program in 2023 to further enhance the vigilance of our people.