
Overview

As a provider of data and connected technology solutions, S&P Global understands the fundamental importance of maintaining the privacy and security of digital information and systems. Upholding the protection and ethical use of data and information is crucial not only for safeguarding the organizations, individuals and communities we work with every day, but also for advancing our purpose and meeting our business objectives.

This material topic includes our efforts to identify and address data and associated infrastructure security risks, prevent and respond to cybersecurity incidents, and protect the security and integrity of confidential business information and personal/sensitive data.

Focus Areas

Respecting and safeguarding the fundamental human right to privacy.

Establishing and maintaining governance and protections in compliance with industry standards and government regulations.

Maintaining and enhancing proactive risk management and incident response procedures.

Monitoring and adapting to evolving technologies, trends, regulations and risks.

2023 Highlights

Conducted company-wide review of data governance to align and strengthen leadership, tools and policies across divisions.

Streamlined processes for compliance with the EU General Data Protection Regulation (GDPR) and other regulatory requirements.

Continued to invest in technologies and tools to enhance automated identification, assessment, prioritization and mitigation of cyber and technology risks.

Data security is foundational for our business.


Ross Parker

Head of Information Governance & Privacy Compliance

Our Approach

S&P Global’s Privacy and Information Security teams work in close collaboration with other corporate functions and our business divisions to identify relevant risks and implement policies and procedures across the organization. Where appropriate, we align our approach with external standards and best-practice recommendations, including the National Institute of Standards and Technology’s (NIST) Privacy Framework and Cybersecurity Framework, and the International Organization for Standardization’s (ISO) 27001 and 27002 standards. We periodically engage third parties to assess our continued alignment with internal policies and selected external standards, including the NIST frameworks.

Data Privacy

Effective governance and management systems are essential to mitigating data privacy risk and maintaining compliance with global data protection and privacy laws. We therefore take a multi-layered approach to privacy management, collaborating with multiple stakeholders so that personal data is appropriately categorized and protected.

Risk Management and Compliance

S&P Global’s Privacy organization comprises two distinct functions:

– Privacy Legal is led by the Associate General Counsel, Privacy, and is responsible for providing enterprise-level legal guidance on data privacy, information governance and data protection matters.

– Information Governance and Privacy Compliance is led by the Head of Information Governance and Privacy and is responsible for operationalizing enterprise compliance with all S&P Global privacy policies.

As part of its role, Information Governance and Privacy Compliance works closely with Enterprise Risk Management (ERM) to identify, assess and mitigate privacy-related risks across the company. It also works with the Third-Party Risk Management team to conduct vendor/engagement assessments and support compliance with privacy and security requirements globally. Privacy risk management is further supported by the Risk and Compliance Liaisons Group, a monthly forum for highlighting and discussing key risks.

In 2023, we worked to enhance data governance by conducting a company-wide review to align and strengthen privacy-related leadership, tools and policies across divisions. We also continued to automate and enhance our internal Privacy Impact Assessment and Data Subject Access Request processes, including updating related procedures to account for new and emerging risks.

Changes in the global privacy, data localization and data protection legislative, regulatory and commercial environments in which we operate may materially and adversely impact our ability to collect, compile, use and publish data, and may impact our financial results. As a global organization, we continuously monitor the legal and regulatory landscape within and across jurisdictions and adjust our policies and programs as necessary. In 2023, this included continuing to adapt to evolving requirements concerning user consent and cookie management, data transfer and storage, artificial intelligence (AI) and other issues. We also unified and centralized key documents and processes to streamline updating and maintenance of Records of Processing Activities (RoPA) under GDPR.

Policies and Training

Our Global Corporate Privacy Policy outlines how we collect, share, use and protect personal information, and how users may exercise their privacy rights. It also includes our commitment to notify affected stakeholders of any security incident involving their personal information. The policy is reviewed annually and updated as needed to account for changes or updates to global regulations, or changes in the way we collect and manage personal information.

Our Code of Business Ethics (COBE) outlines the responsibility of each employee, contractor and vendor to understand and enforce our privacy-related policies and procedures, and our vendor agreements contain specific provisions requiring compliance with our privacy-related policies. All colleagues are required to complete annual training on privacy principles, policies and regulations. We also provide specialized privacy training for colleagues and teams with enhanced privacy responsibilities.

Incident Response

Our Cyber Incident Response Plan lays out a clear process for escalation and procedures to follow in the case of a cyber incident. We also maintain a dedicated Data Incident Response Plan, which covers any potential breach of company or client data, including a personal data breach, that does not involve an impact on information systems. In 2023, we strengthened our data incident and resilience approach by onboarding a dedicated data incident manager, responsible for coordinating the necessary actions in response to any actual or potential incident. We disclose information on breaches of customer privacy in our public filings with the U.S. Securities and Exchange Commission (SEC).

Cybersecurity

S&P Global knows how important it is to have the right tools, controls and partnerships in place to safeguard our networks and systems from external threats, and to ensure that our data and content are protected. This is why we continuously update our strategies, processes, training and technologies to mitigate risk, stay ahead of the evolving cyberthreat landscape and handle information in a secure and responsible way.

Board and Management Oversight

Our Board, together with its Nominating and Audit Committees, has given significant consideration over the past several years to the appropriate Board and committee oversight structure for risks associated with technology and cybersecurity. The full Board receives briefings from management on enterprise-wide technology and cybersecurity risk management and on the overall technology and cybersecurity environment. Specifically, the full Board receives biannual reports from the Chief Digital Solutions Officer and the Chief Information Security Officer (CISO).

The Board coordinates with the Audit Committee and Finance Committee to ensure active Board- and committee-level oversight of the company’s technology and cyber risk profile, enterprise technology and cyber strategies, and information security initiatives.

Our Corporate Information Security organization, led by our CISO, is responsible for our overall information security strategy, policy, security engineering, operations and cyber threat detection and response. Corporate Information Security manages and continually enhances the company’s enterprise security structure with the goal of preventing cybersecurity incidents to the extent feasible, while simultaneously increasing our system resilience to minimize the business impact should an incident occur.

Central to this organization is our Cyber Incident Response team, which is responsible for the company’s protection, detection and response capabilities. In the event of a cybersecurity incident, the company is equipped with an incident response plan that covers: (i) detection and analysis, (ii) containment and eradication, (iii) remediation, and (iv) preparation for future incidents.

Engagement of Third-Party Support

Management engages third-party services to evaluate the company’s cybersecurity controls, whether through penetration testing, independent audits or consulting on best practices to address new challenges. These evaluations test both the design and the operational effectiveness of security controls. We also share threat intelligence with, and receive it from, our defense industrial base peers, government agencies, information sharing and analysis centers, and cybersecurity associations. This includes participation in industry-wide security training and receipt of ongoing threat intelligence from the Financial Services Information Sharing and Analysis Center (FS-ISAC). S&P Global is also an active partner of the World Economic Forum’s Centre for Cybersecurity, a global platform aimed at fostering international dialogue to address systemic cybersecurity challenges.

Third-Party Risk

The company’s risk management program also covers third-party risk: we perform third-party risk management to identify and mitigate risks arising from vendors, suppliers and other business partners, including our use of third-party service providers. Cybersecurity risk is evaluated as part of the selection and ongoing oversight of applicable third-party service providers.

Employee Training

Our people play a critical role in identifying, avoiding and mitigating cybersecurity threats. All colleagues receive mandatory annual training on our information security policies and procedures, and our Information Security team works to ensure our training modules are continually updated to address new and emerging risks. For example, in 2023, we enhanced our training with targeted phishing simulations for high-risk groups, including crafting phishing emails based on the tactics, techniques and procedures seen in real-world attacks.

For additional information on our approach to cybersecurity, see our public filings with the U.S. SEC.

Looking Ahead

Moving forward, S&P Global will continue to invest in and prioritize the maintenance of a robust, enterprise-wide privacy and information security program. As we seek to continuously mature and strengthen our approach, our future planned initiatives include:

  • Performing updated Privacy Impact Assessments of historical IHS Markit and S&P Global assets.
  • Expanding RoPA procedures to include tracking of AI use across the enterprise.
  • Continuing to update privacy risk taxonomies to align and account for divisional business drivers and initiatives.
