S&P Global Inc. - (SPGI)
10-K Filing Date: February 09, 2024
Item 1C. Cybersecurity
Risk Management and Strategy.
Integrated Risk Management
Management is responsible for the day-to-day management of the Company’s risk exposures in a manner consistent with the strategic direction and objectives established by the Board. As a critical component of the Company’s risk management process, management has adopted an integrated risk management framework to continuously identify, assess, measure, manage, monitor and report current and emerging non-financial risks. As part of this framework, the Company has an Enterprise Risk Management (“ERM”) Committee which is chaired by the Company’s Chief Risk & Compliance Officer. Our Chief Information Security Officer (“CISO”) is also a member of the ERM Committee. The ERM Committee oversees the Company’s risk management framework, including the implementation of the framework components across the Company and promotes a strong Company-wide culture of risk management, compliance and control.
Engagement of Third-party Support
We engage third-party services to conduct evaluations of our security controls, whether through penetration testing, independent audits or consulting on best practices to address new challenges. These evaluations include testing both the design and operational effectiveness of security controls. We also share and receive threat intelligence with our defense industrial base peers, government agencies, information sharing and analysis centers and cybersecurity associations.
Third-party Risk Management
Our risk management program also assesses third party risks, and we perform third-party risk management to identify and mitigate risks from third parties such as vendors, suppliers, and other business partners associated with our use of third-party service providers. Cybersecurity risks are evaluated when determining the selection and oversight of applicable third-party service providers.
Impact of Risks from Cybersecurity Threats
We are regularly subject to cybersecurity attacks. None of the risks from cybersecurity threats we have faced to date have materially affected the Company, and we do not believe they are reasonably likely to materially affect the Company, our business strategy, results of operations or financial condition.
Governance.
Board Oversight of Cybersecurity Threats
The board of directors of the Company (the “Board”) has oversight responsibility for the Company’s risk management framework, including technology and cybersecurity risks facing the Company.
Our Board, and its Nominating and Audit Committees, gave significant consideration over the past several years to the appropriate Board and Committee oversight structure for risks associated with technology and cybersecurity. The full Board receives briefings from management on enterprise-wide technology, cybersecurity risk management and the overall technology and cybersecurity environment. Specifically, the full Board receives biannual reports from the Chief Digital Solutions Officer and the CISO.
The Board coordinates with the Audit Committee and Finance Committee to ensure active Board- and Committee-level oversight of the Company’s technology and cyber risk profile, enterprise technology and cyber strategies, and information security initiatives. In addition, the Board has delegated primary responsibility for oversight of the Company’s key risks, including cybersecurity, to the Audit Committee. The Audit Committee reviews technology and cybersecurity risks, as well as the Company’s risk mitigation processes and internal control procedures to protect sensitive business information. The Audit Committee also receives regular updates from the Chief Digital Solutions Officer and the CISO on the Company’s technology and cybersecurity programs. In addition, the Finance Committee oversees management’s strategy with regard to technology and associated risks, including cybersecurity risks, when considering major capital expenditures and acquisitions. The Board also receives regular updates from the Audit Committee and Finance Committee on their in-depth Committee-level reviews.
Role of Management
In addition to the risk management activities undertaken by the ERM Committee, our corporate information security organization, led by our CISO, is responsible for our overall information security strategy, policy, security engineering, operations and cyber threat detection and response. The current CISO has more than 26 years of technology industry leadership, cybersecurity expertise and engineering and operations experience. The corporate information security organization manages and continually enhances the Company’s enterprise security structure with the goal of preventing cybersecurity incidents to the extent feasible, while simultaneously increasing our system resilience to minimize the business impact should an incident occur. Central to this organization is our cyber incident response team, which is responsible for the Company’s protection, detection and response capabilities. In the event of a cybersecurity incident, the Company is equipped with an incident response plan that includes: (i) detection and analysis, (ii) containment and eradication, (iii) remediation and (iv) preparation for future incidents. Incident responses are led by our Information Security team and supported by Legal, Compliance and other functions as appropriate. The CISO and the Chief Digital Solutions Officer provide regular updates to the Board and the Audit Committee concerning the Company’s technology and cybersecurity programs, associated risks and the Company’s efforts to help mitigate those risks.