Page last updated on February 11, 2025
S&P Global Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-02-11 17:29:21 EST.
Filings
10-K filed on 2025-02-11
S&P Global Inc. filed a 10-K at 2025-02-11 17:29:21 EST
Accession Number: 0000064040-25-000052
Item 1C. Cybersecurity.
Risk Management and Strategy

Integrated Risk Management
Management is responsible for the day-to-day management of the Company’s risk exposures in a manner consistent with the strategic direction and objectives established by the Board. As a critical component of the Company’s risk management process, management has adopted an integrated risk management framework to continuously identify, assess, measure, manage, monitor and report current and emerging non-financial risks. As part of this framework, the Company has an Enterprise Risk Management (“ERM”) Committee which is chaired by the Company’s Chief Risk Officer. Our Chief Information Security Officer (“CISO”) is also a member of the ERM Committee. The ERM Committee oversees the Company’s risk management framework, including the implementation of the framework components across the Company, and promotes a strong Company-wide culture of risk management, compliance and control.

Engagement of Third-party Support
We engage third-party services to conduct evaluations of our security controls, whether through penetration testing, independent audits or consulting on best practices to address new challenges. These evaluations include testing both the design and operational effectiveness of security controls. We also share and receive threat intelligence with our defense industrial base peers, government agencies, information sharing and analysis centers and cybersecurity associations.

Third-party Risk Management
Our risk management program also assesses third-party risks, and we perform third-party risk management to identify and mitigate risks from third parties such as vendors, suppliers, and other business partners associated with our use of third-party service providers. Cybersecurity risks are evaluated when determining the selection and oversight of applicable third-party service providers.

Impact of Risks from Cybersecurity Threats
We are regularly subject to cybersecurity attacks. None of the risks from cybersecurity threats we’ve faced to date have materially affected, and we do not believe are reasonably likely to materially affect, the Company, our business strategy, results of operations or financial condition. For further information about risks we face from cybersecurity threats, see the risk factor entitled “Our size, scale and role in the global markets increases our risk for cyber attacks and other cyber-security risks. Our information systems and networks and those of our third-party service providers are exposed to risks related to cybersecurity and protection of confidential information, including material non-public information, which could have a material adverse effect on our business, financial condition or results of operations” in Item 1A, Risk Factors in this Annual Report on Form 10-K.

Governance

Board Oversight of Cybersecurity Threats
The board of directors of the Company (the “Board”) has oversight responsibility for the Company’s risk management framework, including technology and cybersecurity risks facing the Company. Our Board, and Nominating and Audit Committees, gave significant consideration over the past several years to the appropriate Board and Committee oversight structure for risks associated with technology and cybersecurity. The full Board receives briefings from management on enterprise-wide technology, cybersecurity risk management and the overall technology and cybersecurity environment. Specifically, the full Board receives biannual reports from the Chief Digital Solutions Officer and the CISO. The Board coordinates with the Audit Committee and Finance Committee to ensure active Board- and Committee-level oversight of the Company’s technology and cyber risk profile, enterprise technology and cyber strategies, and information security initiatives.

In addition, the Board has delegated primary responsibility for oversight of the Company’s key risks, including cybersecurity, to the Audit Committee. The Audit Committee reviews technology and cybersecurity risks, as well as the Company’s risk mitigation processes and internal control procedures to protect sensitive business information. The Audit Committee also receives regular updates from the Chief Digital Solutions Officer and the CISO on the Company’s technology and cybersecurity programs. In addition, the Finance Committee oversees management’s strategy with regard to technology and associated risks, including cybersecurity risks, when considering major capital expenditures and acquisitions. The Board also receives regular updates from the Audit Committee and Finance Committee on their in-depth Committee-level reviews.

Role of Management
In addition to the risk management activities undertaken by the ERM Committee, our corporate information security organization, led by our CISO, is responsible for our overall information security strategy, policy, security engineering, operations and cyber threat detection and response. The current CISO has more than 27 years of technology industry leadership, cybersecurity expertise and engineering and operations experience. The corporate information security organization manages and continually enhances the Company’s enterprise security structure with the goal of preventing cybersecurity incidents to the extent feasible, while simultaneously increasing our system resilience to minimize the business impact should an incident occur. Central to this organization is our cyber incident response team, which is responsible for the Company’s protection, detection and response capabilities. In the event of a cybersecurity incident, the Company is equipped with an incident response plan that includes: (i) detection and analysis, (ii) containment and eradication, (iii) remediation, and (iv) preparation for future incidents.

Incident responses are led by our Information Security team and supported by Legal, Compliance and other functions as appropriate. The CISO and the Chief Digital Solutions Officer provide regular updates to the Board and the Audit Committee concerning the Company’s technology and cybersecurity programs, associated risks and the Company’s efforts to help mitigate those risks.
Company Information
| Field | Value |
| --- | --- |
| Name | S&P Global Inc. |
| CIK | 0000064040 |
| SIC Description | Services-Consumer Credit Reporting, Collection Agencies |
| Ticker | SPGI - NYSE |
| Website | |
| Category | Large accelerated filer |
| Fiscal Year End | December 30 |