S&P Global has a 150-year-old history of market intelligence, research, and ratings. Given that legacy, it should come as no surprise that the company uses that intelligence to create forward-thinking business strategies.
As S&P Global—home to such iconic brands as S&P Global Ratings, S&P Global Market Intelligence, S&P Dow Jones Indices, and S&P Global Platts—grows, privacy and data protection programs have become critical to its success. Leah Perry serves as associate general counsel and global head of privacy within the company’s global legal and regulatory affairs department, and focuses her practice on those issues.
That practice has paid off. S&P Global’s security and privacy awareness program won two gold Omni Awards in 2016. The Omni Awards recognize outstanding media productions, and S&P Global was selected for its awareness program, which is dedicated to training its employees on cybersecurity and privacy protection best practices. Perry was part of the team honored for the program.
“S&P Global integrated privacy, security, and communications professionals into a working team—a rare collaborative mix,” says MediaPro Chief Strategist Tom Pendergast.
A History of Innovative Thought
The accolades are a testament to the work of S&P’s leadership team, as its board and management have repositioned its business portfolio in the past several years. Some of these changes included branding shifts, as in 2014, when The McGraw-Hill Companies split into McGraw-Hill Education and McGraw Hill Financial, with Perry joining the financial side of the company that same year.
Shareholders in April 2016 approved changing the company’s name from McGraw Hill Financial to S&P Global, thanks to the increased emphasis on data and analytics that aligned more closely with the S&P brand.
Why align more closely with S&P? Information systems, Perry explains, have vastly different security needs and regulatory obligations than the company’s legacy in publishing. So S&P Global’s privacy program had to evolve, too.
“I had to shift how we thought about privacy and data protection,” she says.
MORE THAN TRAINING
The S&P Global team now undergoes bi-yearly knowledge assessments, regular simulated phishing exercises to allow employees to practice identifying phishing threats, and monthly security and privacy videos that highlighted some of the key risks and behaviors needed to avoid those risks.
“The animated videos we deployed were especially effective in engaging our employees,”says Peter Chung of S&P Global. “Leveraging amusing and informational videos in our office lobbies and outside our elevators got employees to notice our message. This generated compliments on our program and created a lot of feedback on our Intranet—a level of engagement I’d just not seen in the past.”
Understanding the Global Connection
That data protection also needed to reach beyond US borders. The European Union’s General Data Protection Regulation (GDPR) is on most privacy professionals’ minds right now, since it already affects how most of the world treats privacy.
The GDPR, which replaces the data protection directive of 1995, is designed to simplify and standardize data protection both in the EU and in dealings with organizations in countries outside the EU. Although it may simplify some of the code, it also comes with a price for many businesses: sanctions have steeply increased. Sanctions now include fines up to €10 million, equaling up to 2 percent of annual worldwide revenue, or €20 million, which equals up to 4 percent of annual worldwide revenue. In both cases, the higher value is the sanction imposed.
Sanctions like these, Perry says, have changed—and likely will continue to change—how other countries fine companies that do not comply with privacy regulations. That’s why many international companies are taking an even deeper look at privacy and data protection. Perry has worked to keep S&P Global ahead of the game by creating a cross-sectional working group that runs across global divisions and departments that play a critical role in implementation. It’s a necessary step to keeping the data and analytics company compliant.
Why M&A Matters
Perry notes that many attorneys don’t think of mergers and acquisitions while considering data privacy and protection, but with employees across the globe, shared information cannot be overlooked.
“When a contract has been signed and due diligence is being performed, employee data has to be shared,” Perry explains. “Privacy regulations then become critical.”
Regulatory standards now help define when employees’ information—and what type of information—can be shared.
The best action in the case of mergers and acquisitions, Perry says, is to build standards of privacy before an M&A deal is considered. Doing so in early stages of development will help standardize processes, as well as protect both the company and the employee in the future.
A Global Security Mindset
In addition to acquisitions, S&P Global continually develops new products to serve clients across the globe. Understanding how those products fit into privacy regulation—particularly big data and technology for mobile devices—is crucial for the company.
“Rules must be universal,” Perry says. “We have to be able to look at issues broadly and in great detail. We need to be able to see everything in order to handle privacy on a global setting.”
That mindset requires Perry to think beyond her role as a privacy lawyer and think like a businessperson. She must consider the customer, the employees who create and manage a product, and business goals.
“The business has 20,000 employees, but millions of customers,” she says. “I have to think of them all.”
Many businesses fall short on one end of that mind-set: they emphasize customer privacy and security, but forget to worry about employee privacy. Considering the stringent regulatory environment that protects employees, that’s not a shortcut companies should take.
A third party in Perry’s scope is vendors. The US Securities & Exchange Commission and European Securities and Markets Authorities have recently stated that they will emphasize privacy and data protection, including those involving vendors. For Perry, that means building out a robust and easily understood privacy management program.
These three considerations—vendors, employees, and customers—are important for S&P Global, but Perry says they should be important to any organization.
“No one operates on an isolated island,” she says. “Understanding these issues is critical because of the way the world works. Everything we do can affect customers and other businesses across the world.”
The GDPR is a good reminder of that interconnectivity. As the EU creates more stringent sanctions against noncompliant companies, other markets, including the Asia-Pacific area, are also looking into similar fines.
The GDPR shouldn’t be heeded just for its ability to punish, though. Perry says cybersecurity, in addition to being a hot-button issue, is one of the most feared and least understood in the current business, social, and political climate. Organizations that ignore these fears leave themselves exposed and at-risk.
“A company’s reputation is the hardest thing to build, but the easiest thing to lose,” she says. “A cybersecurity breach can damage it in a matter