S&P Global Market Intelligence LLC

TCFD Reporting

Our TCFD Reporting solution provides comprehensive and standardized reporting on climate-related financial risks and opportunities, including Policy, Market, Reputation and Technology risks. It helps organizations align with the Task Force on Climate-related Financial Disclosures (TCFD) framework, enabling them to effectively disclose climate-related information to stakeholders and make informed strategic decisions.

Features

• Identify, assess and quantify climate related risks and opportunities
• TCFD/ISSB aligned report according to standards and recommendations
• Scenario analysis using widely recognized IEA and IPCC scenarios
• Policy, Market, Reputation and Technology Risks
• Transition Risk as well as Physical risk across eight hazards
• Workshops and stakeholder engagement to maximise education and uptake
• Scope 1, 2, 3 baseline footprint calculation
• Set science based targets with validated methodology
• Transparent methodology and approach
• Backed by S&P’s comprehensive and extensive environmental data and expertise

Benefits

• Minimal client data input required, save time and energy
• Identify risks that are financially material to the business
• Identify suppliers that pose a threat to continuity
• Data-driven quantification to provide financial impact metrics
• Access to world renowned team of analysts and scientists
• Enhance transparency and credibility with investors and regulators
• Combine world class data with exceptional consulting services
• Management summary reports for effective internal communications
• CSV data delivery for seamless integration with financial models
• Educational workshops to drive next steps and insights

£42,900 a unit

Service documents

• Pricing document

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at dpearcey@spglobal.com. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 14

Service ID

978852846775334

Contact

Daniel Pearcey
+447967785826
dpearcey@spglobal.com

Service scope

• Software add-on or extension: No
• Cloud deployment model: Private cloud
• Service constraints: No
• System requirements: None

User support

• Email or online ticketing support: No
• Phone support: No
• Web chat support: No
• Onsite support: No
• Support levels: Each client is provided with an analyst team that will work with the client to prepare and develop their TCFD report. We will also conduct management interviews and workshops to increase your understanding of the results and your performance.
• Support available to third parties: Yes

Onboarding and offboarding

• Getting started: We will provide full support with data ingestion and throughout the reporting process.
• Service documentation: Yes
• Documentation formats: PDF
• End-of-contract data extraction: Once we no longer have a legitimate business need to process your personal information/data, we follow our applicable information governance policies, procedures and standards and retain your information for as long as necessary to accomplish the purpose for which it was collected, following which we either delete or anonymize your personal information/data, or if deletion or anonymization is not possible, then we pseudonymize and/or securely store your personal information and isolate it from any further processing until deletion is possible.
• End-of-contract process: Our contracts will be subscription based and the termination covers as part of our agreement. Please note that there will not be any additional cost.; ; S&P Global has a detailed Exit Strategy document and process. There is a policy for deletion of data in the hosted environment that is followed up written notification of the termination of contracts. S&P Global have a company policy around the deletion of documents and this is reviewed annually. In general, we use several methods to wipe data. These methods are employed dependent on classification of data present on the system. Data is destroyed by overwriting, degaussing, or physical destruction.

Using the service

• Web browser interface: No
• Application to install: No
• Designed for use on mobile devices: No
• Service interface: No
• User support accessibility: None or don’t know
• API: No
• Customisation available: Yes
• Description of customisation: Users can customize the modules of the report.

Scaling

• Independence of resources: We ensure to have more than enough resources assigned to each client separately to avoid any delays.

Analytics

• Service usage metrics: No

Resellers

• Supplier type: Not a reseller

Staff security

• Staff security clearance: Conforms to BS7858:2019
• Government security clearance: None

Asset protection

• Knowledge of data storage and processing locations: Yes
• Data storage and processing locations: Other locations
• User control over data storage and processing locations: No
• Datacentre security standards: Complies with a recognised standard (for example CSA CCM version 3.0)
• Penetration testing frequency: At least once a year
• Penetration testing approach: Another external penetration testing organisation
• Protecting data at rest:
  • Physical access control, complying with CSA CCM v3.0
  • Physical access control, complying with SSAE-16 / ISAE 3402
  • Encryption of all physical media
  • Scale, obfuscating techniques, or data storage sharding
  • Other
• Other data at rest protection approach: Encryption at rest provides data protection for stored data (at rest). Encryption at rest is designed to prevent unauthorized users from accessing the unencrypted data by ensuring the data is encrypted on disk. In addition to satisfying compliance and regulatory requirements, encryption at rest provides defense-in-depth protection. Attacks against data at-rest include attempts to obtain physical access to the hardware on which the data is stored, and then compromise the contained data. Encryption solutions must be applied to servers, desktop computers, thumb drives, mobile devices (phones, tablets, laptops) and Cloud storage. AES 256 based encryption is used for data protection.
• Data sanitisation process: Yes
• Data sanitisation type: Deleted data can’t be directly accessed
• Equipment disposal approach: In-house destruction process

Data importing and exporting

• Data export approach: It can be done via CSV
• Data export formats:
  • CSV
  • Other
• Other data export formats:
  • PDF
  • PPT
• Data import formats: CSV

Data-in-transit protection

• Data protection between buyer and supplier networks:
  • TLS (version 1.2 or above)
  • Other
• Other protection between networks: To protect data between the buyer's network and S&P Global's network, several security measures are in place. These include:; • Encryption: Data is encrypted using industry-standard protocols such as SSL/TLS to ensure secure communication.; • Firewalls: Robust firewalls are implemented to monitor and control network traffic, preventing unauthorized access to sensitive data.; • Access Controls: Strict access controls are enforced, ensuring that only authorized personnel can access and manage data.; • Intrusion Detection and Prevention Systems: Advanced systems are in place to detect and prevent any unauthorized access attempts or suspicious activities.
• Data protection within supplier network:
  • TLS (version 1.2 or above)
  • Other
• Other protection within supplier network: SPGI manages network interfaces including gateways, routers, firewalls, or encrypted tunnels implemented within a security architecture (e.g., routers protecting firewalls or application gateways residing on protected subnetworks). S&P Global's' Network Security Standard Policy defines the minimum requirements necessary for providing appropriate access controls over the SPGI network infrastructure. This standard applies to all Company owned or leased network devices, and all third-party service provider devices connected to or used to connect to the Company network for any purpose.

Availability and resilience

• Guaranteed availability: Every client project is assigned its own dedicated team with all deadlines/timelines communicated which are then the priority of the assigned account team to meet.
• Approach to resilience: Available on request
• Outage reporting: In accordance with contractual commitments or regulatory obligations, the Company may have to report InfoSec or Data Incidents to clients or customers. ; ; S&P Global has a robust incident management process in place to report and address any outages or service disruptions. When an outage occurs, the incident management team is immediately notified and begins investigating the issue. The team communicates updates and progress through various channels, including email notifications, status updates on the S&P Global website, and direct communication with affected users. Additionally, S&P Global may utilize automated monitoring systems to detect and report outages in real-time. This allows for prompt resolution and keeps users informed throughout the process. The incident management team works diligently to minimize the impact of outages and restore service as quickly as possible.

Identity and authentication

• User authentication needed: No
• Access restrictions in management interfaces and support channels: According to S&P Global's 'User Provisioning and Access Controls Standard', All users must have an account provisioned via the Corporate Simple Access identity management facility before being granted access to any other SPGI system or application. Users are only given those privileges and entitlements necessary to perform their functions. Access rights are not activated before authorization procedures are completed. Similarly, All access are immediately revoked for users who terminated employment. Authorized users are assigned group and role membership, and account access authorizations (e.g., privileges) and other attributes for each account.
• Access restriction testing frequency: At least once a year
• Management access authentication: Other
• Description of management access authentication: S&P Global authenticates users when they access the service through a combination of username/password authentication and multi-factor authentication (MFA).

Audit information for users

• Access to user activity audit information: No audit information available
• Access to supplier activity audit information: No audit information available
• How long system logs are stored for: At least 12 months

Standards and certifications

• ISO/IEC 27001 certification: No
• ISO 28000:2007 certification: No
• CSA STAR certification: No
• PCI certification: No
• Cyber essentials: No
• Cyber essentials plus: No
• Other security certifications: No

Security governance

• Named board-level person responsible for service security: Yes
• Security governance certified: No
• Security governance approach: S&P Global’s Information Security policies and standards are based on the best practices recommendations for information security management as published in ISO/IEC-27002 and NIST 800 Standards.
• Information security policies and processes: SPGI’s Information Security Program mission is to protect customer information and the company’s reputation and brand through well established, uniform security practices while complying with legal requirements and industry best practices. This is accomplished by having a centralized accountability function with the goal of enhancing the company’s ability to: predict security events and their relative impact to SPGI environments; prevent attacks by augmenting the enterprise security posture; detect attacks that have evaded preventative measures; respond to security events for timely remediation; and improve/update the group’s capabilities and resiliency.; ; The Chief Information Security Officer (CISO) manages and coordinates SPGI’s Information Security Program. The CISO reports to SPGI’s Chief Information Officer (CIO) who is a member of the Operating Committee and reports to the President and Chief Executive Officer (CEO) of SPGI.

Operational security

• Configuration and change management standard: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
• Configuration and change management approach: We follow robust configuration and change management process. The components of S&P Global's services are tracked throughout their lifetime using a configuration management database (CMDB). The CMDB maintains record of components, including hardware, software, and network devices. Each component is assigned a unique identifier and its attributes, such as version, configuration settings, and dependencies, are documented. This allows for accurate tracking and management of components throughout their lifecycle.; ; Before implementing any changes, S&P Global assesses them for potential security impact. This assessment involves evaluating the security implications of the proposed changes, including any potential vulnerabilities or risks that may arise.
• Vulnerability management type: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
• Vulnerability management approach: S&P Global's Network Vulnerability Assessment Standard is designed to identify risks affecting the infrastructure of the organization and provide actionable advice to efficiently and effectively address the risk. The Network Vulnerability assessment identifies both patch-related and configuration-related vulnerabilities. Scans occur both within and without the environment. All applications will go through the threat modeling, static vulnerability assessments, dynamic vulnerability assessments (for web applications and web APIs), and manual and penetration tests if deemed necessary, during the SDLC.
• Protective monitoring type: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
• Protective monitoring approach: S&P Global has Cyber Incident Response Program that is managed by the Information Security Monitoring & Cyber Incident Response Team (“CIRT”) in conjunction with the Security Operations centre (SOC) where security analysts monitor security events 24x7 and escalate validated or suspicious security incidents for further probing and invoke Incident Management Procedure as necessary. The CIRT is responsible for triaging, responding to and resolving security incidents. The Cyber Incident Response Plan is intended to include all necessary processes, procedures, internal and external communication strategies, provisions for business continuity, and steps to limit disruptions in service. This plan is rehearsed annually.
• Incident management type: Conforms to a recognised standard, for example, CSA CCM v3.0 or ISO/IEC 27035:2011 or SSAE-16 / ISAE 3402
• Incident management approach: The Cyber Incident Response Team (CIRT) along with Privacy/Legal team is responsible for engaging the necessary business, risk management, compliance stakeholders, customers, employees, and regulators based on the nature of the incident, legal requirements, and industry practices in accordance with the Cybersecurity Incident Response Plan. In accordance with contractual commitments or regulatory obligations, the Company may have to report InfoSec or Data Incidents to clients or customers.

Secure development

• Approach to secure software development best practice: Conforms to a recognised standard, but self-assessed

Public sector networks

• Connection to public sector networks: No

Social Value

• Social Value:

  Social Value

  • Fighting climate change
  • Covid-19 recovery
  • Tackling economic inequality
  • Equal opportunity
  • Wellbeing

  Fighting climate change

  The risks and impacts of climate change pose a substantial threat to communities and ecosystems worldwide. At S&P Global, we recognize that we must do our part to address this growing crisis, as the wellbeing of our people and business is inextricably linked to the health of the communities where we live and work. In 2021, we announced our goal of achieving net-zero emissions by 2040, which included near-term 2025 targets validated by the Science Based Targets initiative (SBTi). Our approach is informed by the latest climate science aimed at limiting global warming to 1.5°C and aligns with best practice of avoiding and lowering greenhouse gas (GHG) emissions by carefully tracking and disclosing our performance, implementing energy reduction initiatives and transitioning to low-carbon energy sources. ; For our impact report, please refer to the link - https://www.spglobal.com/en/who-we-are/corporate-responsibility/impact-report/index; For our TCFD report, please refer to the link - https://www.spglobal.com/en/who-we-are/corporate-responsibility/tcfd-report-2023.pdf

  Covid-19 recovery

  • The S&P Global Foundation responded by channeling $4.5 million in global grants for COVID-19 relief efforts, supporting first responders, helping the hungry, providing medical supplies and meeting other critical needs, as well as providing critical aid for small businesses to help address the strain of economic uncertainty.; • We provided hospitals and governments free access to Panjiva supply chain data relating to ventilators and personal protective equipment.; • Across the globe, S&P Global team members responded too, volunteering their time and donating funds to the S&P Global Foundation to help meet the needs of their local communities. In India, during a lockdown period, our CRISIL team used their corporate kitchen to serve 10,000 meals per day to Mumbai’s most vulnerable. And in the U.S., colleagues in our California, Colorado and New York offices got to work, 3D-printing face shields for local healthcare workers.; ; For more details, please refer to the link - https://www.spglobal.com/en/who-we-are/corporate-responsibility/cr-spotlight-covid-19

  Tackling economic inequality

  The S&P Global Supplier Diversity Program provides fair and equal procurement opportunities for all capable, competitive suppliers. We welcome companies managed or led by members of all underrepresented groups, including women, veterans and other historically disadvantaged populations, to apply. Partnering with diverse suppliers is one way that we are living out our overall commitment to fostering a diverse, equitable and inclusive workplace and community.; Please refer - https://www.spglobal.com/en/who-we-are/diversity-equity-inclusion/supplier-diversity

  Equal opportunity

  S&P Global is an equal opportunity employer and all qualified candidates will receive consideration for employment without regard to race/ethnicity, color, religion, sex, sexual orientation, gender identity, national origin, age, disability, marital status, military veteran status, unemployment status, or any other status protected by law.

  Wellbeing

  S&P Global provides colleagues with a comprehensive, competitive benefits package that includes a host of programs, resources, and incentives to enable informed decisions and healthy lifestyles. Our global benefits differ from country to country, but specific offerings include flexible work environments and programs designed to promote our people’s physical, financial, mental, and emotional health.; ; To support a safe and healthy work environment, the company maintains a rigorous management system. Our facilities worldwide follow internally and externally audited occupational health and safety policies in line with ISO 45001 and ISO 14001 standards. All of our office locations follow ISO 45001, with our London office formally certified in ISO 45001. Of our office area, 49% is covered by ISO 14001 standards.; ; For more details, please visit - https://www.spglobal.com/en/who-we-are/corporate-responsibility/impact-report/our-people/employee-health-safety-and-wellbeing

Pricing

• Price: £42,900 a unit
• Discount for educational organisations: No
• Free trial available: No

Service documents

• Pricing document

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at dpearcey@spglobal.com. Tell them what format you need. It will help if you say what assistive technology you use.