Microsoft
© 2018 The SASB Foundation. All rights reserved.
TECHNOLOGY & COMMUNICATIONS SECTOR
Sustainable Industry Classification System® (SICS®) TC-SI
Prepared by the Sustainability Accounting Standards Board
October 2018
sasb.org
Software & IT Services
BASIS FOR CONCLUSIONS
BASIS FOR CONCLUSIONS | SOFTWARE & IT SERVICES INDUSTRY
About SASB
The SASB Foundation was founded in 2011 as a not-for-profit, independent standards-setting organization. The
SASB Foundation’s mission is to establish and maintain industry-specific standards that assist companies in
disclosing financially material, decision-useful sustainability information to investors.
The SASB Foundation operates in a governance structure similar to the structure adopted by other
internationally recognized bodies that set standards for disclosure to investors, including the Financial
Accounting Standards Board (FASB) and the International Accounting Standards Board (IASB). This structure
includes a board of directors (“the Foundation Board”) and a standards-setting board (“the Standards Board” or
“the SASB”). The Standards Board develops, issues, and maintains the SASB standards. The Foundation Board
oversees the strategy, finances and operations of the entire organization, and appoints the members of the
Standards Board.
The Foundation Board is not involved in setting standards, but is responsible for overseeing the Standards
Board’s compliance with the organization’s due process requirements. As set out in the SASB Rules of
Procedure, the SASB’s standards-setting activities are transparent and follow careful due process, including
extensive consultation with companies, investors, and relevant experts.
SUSTAINABILITY ACCOUNTING STANDARDS BOARD
1045 Sansome Street, Suite 450
San Francisco, CA 94111
415.830.9220
sasb.org
The information, text, and graphics in this publication (the “Content”) are owned by The SASB Foundation. All rights reserved. The Content may be used only for non‐commercial, informational, or scholarly use, provided that all copyright and other proprietary notices related to the Content are kept intact, and that no modifications are made to the Content. The Content may not be otherwise disseminated, distributed, republished, reproduced, or modified without the prior written permission of The SASB Foundation. To request permission, please contact us at [email protected].
Table of Contents
Introduction
The Standards Board
Development of the Sustainability Accounting Standards
Approval of the Industry Standard
Future Updates to the Standards
Revision TC-SI:01 – Industry: Software & IT Services; Topic Name: Environmental Footprint of Hardware Infrastructure
Revision TC-SI:02 – Industry: Software & IT Services; Topic Name: Environmental Footprint of Hardware Infrastructure
Revision TC-SI:03 – Industry: Software & IT Services; Topic Name: Data Privacy & Freedom of Expression
Revision TC-SI:04 – Industry: Software & IT Services; Topic Name: Data Privacy & Freedom of Expression
Revision TC-SI:05 – Industry: Software & IT Services; Topic Name: Data Security
Revision TC-SI:06 – Industry: Software & IT Services; Topic Name: Data Security
Revision TC-SI:07 – Industry: Software & IT Services; Topic Name: Recruiting & Managing a Global, Diverse & Skilled Workforce
Revision TC-SI:08 – Industry: Software & IT Services; Topic Name: Intellectual Property Protection & Competitive Behavior
Appendix A. Standards Board – Sector Committee Assignments
Appendix B. Redline Metric Tables
Introduction
The publication of the Sustainability Accounting Standard (“Standard”) for the Software & IT Services Industry marks
an important milestone for the industry and for global capital markets more generally. It is the first Standard designed
to assist companies in the Software & IT Services industry in disclosing financially material, decision-useful
sustainability information to investors.
The Software & IT Services Industry Standard was first released in a provisional form in June 2015 after an extensive
standard-setting process. Following the release of the Provisional Standard, the SASB staff, under the guidance of the
SASB standard-setting board (“the Standards Board” or “the SASB”), engaged in further due process to revise the
Standard. In October 2018, the Standards Board approved revisions to the Standard. The Standards Board
subsequently voted to approve the Software & IT Services Industry Standard, thereby including it as one of the 77
industries for which the SASB has developed and published an industry standard.
The Basis for Conclusions describes the rationale for revisions made to the provisional industry standard. Additionally,
the document outlines the standard-setting process the Standards Board used to codify the standard. All standard-
setting documentation, including prior drafts of the standard, summary reports, and comment letters, which informed
the development of the standard, is publicly available at the Standard Setting Archive of the SASB website.
The Standards Board
The Standards Board is charged with developing, issuing, and maintaining SASB standards. The Standards Board
operates in accordance with its primary governance documents, including the SASB’s Conceptual Framework and
Rules of Procedure. The Conceptual Framework sets out the basic concepts, principles, definitions, and objectives that
guide the Standards Board in its approach to setting standards. The Rules of Procedure establishes the due process
followed by the Standards Board and staff in their standard-setting activities. The standard-setting process is designed
to ensure each industry standard reflects the core objectives established in the Conceptual Framework to facilitate
companies’ cost-effective reporting of financially material and decision-useful sustainability information to investors.
In its standard-setting role, the Standards Board operates in a transparent manner, including holding public board
meetings. The Standards Board currently uses a sector-based committee structure, with three Standards Board
members assigned primary responsibility for each given sector. In addition to sector committee reviews, the full
Standards Board evaluates revisions to the standards. Information on Standards Board meetings, including minutes,
agendas, and a schedule of upcoming meetings is available on the SASB website. A list of Standards Board members
and their respective sector committee assignments is included in Appendix A.
Development of the Sustainability Accounting Standards
SASB staff initiated its standard-setting activities in 2012 under the oversight of the Standards Council.¹ From August
2012 to March 2016, the SASB staff developed provisional standards for each of the industries identified in the
Sustainable Industry Classification System® (SICS®).² The provisional standards were developed through an iterative
and transparent process centered on independent research, market input, and oversight from the Standards Council.
Each provisional industry standard was developed based on staff research, industry working group (“IWG”) feedback,
public comments, and individual consultations with companies, investors, and other relevant experts. Throughout the
development of the provisional standards, more than 2,800 individuals participated in IWGs, 172 public comment
letters were received, and hundreds of individual consultations were conducted with market participants by the SASB
staff.
1 The Standards Council served in a process oversight role, distinct from the standard-setting role the Standards Board serves in. Upon
completion of the provisional phase in 2016, the Standards Council was disbanded.
2 At the time of the development of the provisional standards, SICS® contained 79 industries. SICS® was subsequently revised to 77
industries as a result of the combining of industries that contained similar sustainability-related risk and opportunity characteristics.
In 2016, following the issuance of the provisional standards across all industries, the SASB staff initiated a dedicated
market consultation period to gain further insight into market views on the provisional standards. Subsequently, the
Standards Board was seated and initiated a due process phase that culminated in the codification of 77 industry
standards in October 2018. This standard-setting phase that began with the provisional standards and concluded with
the codified standards is described more fully below. All standard-setting documentation discussed below is publicly
available at the Standard Setting Archive of the SASB website.
Consultation: In the six-month period from Q4 2016 – Q1 2017, the SASB staff conducted
consultations to gather additional input from companies, investors, and relevant experts on the
provisional standards. Throughout this phase, the SASB staff received input on the complete set of
industry standards from individual consultations conducted with 141 companies, 19 industry
associations, and 271 investor consultations via 38 institutional investors. The Consultation Summary
comprises the findings from the consultations.
Technical Agenda: In July 2017, after a period of review to evaluate market input from consultations
on the provisional standards, the Standards Board worked with the SASB staff to publish the Technical
Agenda. The Technical Agenda formally lists the areas of focus to address in preparing the standards
for codification, emphasizing those issues for which strong evidence surfaced and/or those which
received significant market feedback during the consultation period.
Public Comment Period: In October 2017, the Standards Board published exposure drafts of the
standards, which incorporated proposed changes guided by the Technical Agenda to the provisional
standards. This opened a 90-day period, subsequently extended to a 120-day period, from October
2017 to January 2018, for public comment and review of proposed changes to provisional standards.
Market participants provided 120 comment letters during the comment period. All letters received and
a Summary of Public Comments are available at the Standard Setting Archive.
The Standards Board and the SASB staff evaluated the public comments received in conjunction with previous market
input and research to determine the revisions to be made to the provisional standard.
Approval of the Industry Standard
On October 13, 2018, the Standards Board voted unanimously to revise the Provisional Standard for the Software & IT
Services industry. In light of these revisions, on October 16, 2018, the Standards Board voted unanimously in favor of
removing this Standard’s provisional status. In doing so, the Standards Board considered all phases of the standard-
setting process, including those detailed in the above documents, to assess their underlying rationale, their adherence
to due process, and their faithfulness to the essential concepts of sustainability accounting, as described in the
Conceptual Framework.
The following section of this document describes the rationale for the revisions. Appendix B contains a redline table
that summarizes these revisions. Revisions relative to the provisional standard that have not altered the scope or
content of disclosure topics or metrics, such as those that are intended to improve the consistency, clarity, and
accuracy of the standard, are not specifically addressed in the Basis for Conclusions.
Future Updates to the Standards
As social, economic, regulatory, and other developments alter an industry’s competitive landscape, the SASB
standards may need to evolve to reflect new market dynamics. The Standards Board will follow a regular standards
review cycle to address emerging and evolving issues that may result in updates to the SASB standards.
The Standards Board intends to direct the SASB staff to compile and publish a Research Agenda, which outlines items
that have been identified as requiring further analysis. Evidence-based research and market input, including feedback
from outreach and consultation, will inform reviews of issues on the Research Agenda. Items from the Research
Agenda may later be added to the Standards Board’s Technical Agenda for additional due process and formal
deliberation. All updates are subject to the standard-setting process described in the Rules of Procedure.
Revision TC-SI:01 – Industry: Software & IT Services; Topic Name: Environmental Footprint of Hardware Infrastructure
Summary of Change – Revise Technical Protocol
The SASB revised the technical protocol associated with provisional metric TC0102-01³ to ensure that regional
measures of renewable energy—such as Guarantees of Origin (GOs), the European Union (EU) equivalent of the
United States’ renewable energy certificates (RECs) (both units of renewable energy credits)—are accounted for.
Adherence to Criteria for Accounting Metrics
The Software & IT Services Industry Provisional Standard includes a topic, Environmental Footprint of Hardware
Infrastructure, with three associated metrics to describe a company’s management of energy and water issues related
to their data center operations. Specifically, provisional metric TC0102-01 specifies that companies should disclose the
total amount of energy they use, along with the percentages of that energy from the grid or renewable sources. The
provisional technical protocol describes how the company should calculate renewable energy, including the treatment
of renewable energy units. Although the provisional technical protocol provides measurable, relevant guidance, it
lacks references to a more complete set of renewable energy standards. To improve the completeness of the technical
protocol, the SASB revised the technical protocol to include references to equivalent standards—notably, the GOs of
the European Union.
Supporting Analysis
Companies with a global footprint are likely to have RECs, GOs, and other equivalent regional renewable energy units
on their books. This revision provided clarity that the SASB recognizes GOs and other equivalents for reporting
purposes. Companies commonly report aggregated renewable energy units, including equivalents (on which the
revised technical protocol provides guidance). For example, the 2015 Citizenship Report for the largest (by market cap)
company in this industry uses a single line item to note the renewable energy units it had purchased, but a footnote
indicates the figure includes “Renewable energy certificates (RECs) in the United States, Guarantees of Origin in the
European Union, GreenPower instruments in Australia, and GoldPower instruments in China, Taiwan, and Turkey.”⁴
Renewable energy units in different markets have subtle differences, but ultimately are each equivalent to 1 MWh of
renewable energy produced, and have similar requirements for retirement (so that they cannot be double-counted).
For example, the EU guideline 2009/28/EC mandated the creation of national registries for the trade of GOs.⁵
Updating the technical protocol to account for additional renewable energy markets helped the technical protocol
better fulfill the SASB Conceptual Framework’s attribute of completeness.
Market Input
Investors: The revision was presented to investors and no positive or negative feedback was received.
3 TC0102-01 – Total energy consumed, percentage grid electricity, percentage renewable energy
4 “Microsoft 2015 Citizenship Report Environmental Data Addendum,” Microsoft, 2015, accessed July 15, 2017, p. 3,
http://download.microsoft.com/download/7/3/6/736CED21-9D8B-4CBB-98E8-DCBAE7026251/Microsoft%202015%20Citizenship%20Report.pdf.
5 “Directive 2009/28/EC of the European Parliament and of the Council,” April 23, 2009, Official Journal of the European Union, accessed July 23, 2018, http://eur-lex.europa.eu/legal-content/EN/ALL/?uri=celex%3A32009L0028.
Companies: Multiple global companies raised the concern that the provisional technical protocol did not recognize
renewable energy standards outside of the U.S. and expressed a desire to ensure associated disclosures reflect the full
extent of their renewable energy efforts.
Benefits
Improves the SASB Standard: The inclusion of regionally recognized renewable energy units beyond RECs improves
the completeness of the technical protocol by explicitly acknowledging their place in the market as well as their
applicability to companies with different geographic profiles.
Revision TC-SI:02 – Industry: Software & IT Services; Topic Name: Environmental Footprint of Hardware Infrastructure
Summary of Change – Revise Metric
The SASB revised provisional metric TC0102-02 from “Total water withdrawn, percentage recycled, percentage in
regions with High or Extremely High Baseline Water Stress” to remove the component of the metric that measures
water recycling, and replace it with water consumption. The resulting metric is, “(1) Total water withdrawn, (2) total
water consumed, percentage of each in regions with High or Extremely High Baseline Water Stress.”
Adherence to Criteria for Accounting Metrics
The Software & IT Services Industry Provisional Standard contains a topic, Environmental Footprint of Hardware
Infrastructure, which addresses corporate performance on managing water-related risks and opportunities,
including operating impacts due to water stress or quality issues, and regulatory risk or reputational factors, as well as
the management of hazardous waste. With respect to water, provisional metric TC0102-02 provided a high-level view
of water use, as measured by water withdrawals and recycling, and a company’s exposure to water stress within its
operations, as measured by water withdrawals in water stressed regions. While provisional metric TC0102-02 was
comparable and distributive, it did not provide a representative view of a company's performance with respect to
management of water stress and water use. The revision of the metric to focus on water consumption as opposed to
water recycling provides a more complete view of water use and related water risk.
Supporting Analysis
Companies in the industry are exposed to risks related to water management that include dependence on water as an
input for the operation of their data centers.
Key aspects of water management include both consumptive and non-consumptive use. Non-consumptive water use
is primarily impacted by factors relating to water access and aggregate withdrawals, and provides a relevant,
representative indicator of risk due to the potential for a company’s operations to be adversely affected by the limited
ability to withdraw water, either due to physical or legal (rights) factors. Consumptive use is an important factor
where water is utilized in the operational activities of a company, particularly as a critical component of cooling
computing centers. Water consumption, which measures the net difference between water withdrawals and what is
discharged into the environment or to a third party, provides investors with a more complete view of the water-
intensity of a company’s operations than water recycling.
Risks related to both water access and consumption are further exacerbated by elevated water stress and/or scarcity.
Water access and use in such regions may result in a higher risk of operational curtailment due to inadequate water
availability. Furthermore, water stressed regions may be more exposed to increasing water prices over the medium to
long term.⁶ As such, the revised metric requires disclosure on both water withdrawals and water consumption in areas
of High or Extremely High Baseline Water Stress.
While the revised metric incorporates water consumption, the element of the provisional metric that captures the
volume of water recycled has been eliminated. Water recycling is one strategy that companies can use to mitigate
risks associated with water use; however, it is not the only strategy, nor is it always an applicable one. Other strategies
include efforts to use water more efficiently, to minimize water losses, and to substitute water use with other inputs.⁷
The amount of water recycled in the provisional metric did not provide a representative or complete picture of a
company’s efforts to manage performance on water use. Instead, such risk is better characterized by water
consumption.
6 Freyman, Monika, et al, “An Investor Handbook for Water Risk Integration,” Ceres, March 2015, accessed June 6, 2018,
https://riacanada.ca/wp-content/uploads/2015/04/Ceres-Investor-Water-Handbook.pdf.
Finally, the revised metric is aligned with the GRI 303: Water and CDP Water reporting frameworks, which were revised
prior to the 2018 reporting cycle.
Market Input
Investors: No direct feedback was received from investors regarding the revision. However, investors generally
provided feedback in support of changes that would improve the representativeness of the information generated by
the standard.
Companies: While this revision did not receive direct feedback from companies in this industry, the change was
discussed as a high-level improvement by two large companies in the technology sector.
Benefits
Improves alignment: The revised metrics more closely align with the water frameworks and metrics promulgated by
the Carbon Disclosure Project (CDP) and Global Reporting Initiative (GRI).
Improves the SASB Standard: The inclusion of data on water consumption enables companies to more fairly represent
performance on the topic. The change also improves the completeness of disclosure by giving a more informative,
holistic view of performance on water management.
7 The World Resources Institute, “Aqueduct water risk framework,” working paper, January 2013, accessed June 6, 2018,
http://www.wri.org/sites/default/files/aqueduct_water_risk_framework.pdf.
Revision TC-SI:03 – Industry: Software & IT Services; Topic Name: Data Privacy & Freedom of Expression
Summary of Change – Revise Metric
The SASB revised metric TC0102-05 from “Percentage of users whose customer information is collected for secondary
purpose, percentage who have opted in,” to “Number of users whose information is used for secondary purposes.”
Adherence to Criteria for Accounting Metrics
The Software & IT Services Industry Provisional Standard includes a topic, Data Privacy & Freedom of Expression, which
addresses risks related to the use of personally identifiable information (PII) for secondary purposes. The five
provisional metrics associated with the topic measure a company’s use of the personal data of its users, along with the
company’s approach to policies and practices related to behavioral advertising and customer privacy. The second part
of provisional metric TC0102-05, “Percentage of users whose customer information is collected for secondary
purposes, percentage who have opted in,” seeks to measure the users who have “opted in,” or who have indicated
permission for their personal data to be collected for secondary purposes. Legal requirements generally establish
certain opt-in/opt-out policies that companies must adopt to use customer data for secondary purposes. Therefore,
the component of the provisional metric, “percentage [of users] who have opted in,” was highly unlikely to yield
distributive data, as virtually all customers should have either actively opted in or would be classified as such per
definitions used in company policies. As a result, the metric was revised to eliminate the component that measures the
portion of users that have opted in. This revision improves the distribution of the data generated by the metric and
additionally enhances the cost-effectiveness of the metric.
Additionally, the SASB revised the unit of measure of the metric from relative (percentage) to absolute (number) to
improve the usefulness of the information provided by the metric. The absolute number of users whose information is
used for secondary purposes is more useful in assessing the magnitude of potential risk exposure associated with failure to
manage customer privacy. Additionally, the absolute number is likely to be more useful in estimating financial costs
associated with managing the issue, or potential monetary losses resulting from alleged or actual violations of customer privacy
laws or regulations. To assess relative performance of companies in the industry, activity metrics and/or data reported
by companies in their financial filings would allow analysts to normalize performance.
Supporting Analysis
Due to the regional differences in the regulatory environment related to customer privacy, the definition of user
"consent," and therefore the opt-in policies, vary significantly. In the E.U., such definitions are considerably stricter
and companies are unable to assume consent if it is not explicitly obtained from users. For example, the E.U.’s General
Data Protection Regulation (GDPR) states that consent shall be freely given, specific, informed, unambiguous, and
explicit.⁸ In the U.S., regulations regarding obtaining consent from customers are less strict, often vary considerably
based on state regulations, and such requirements as those established by GDPR are not generally required to be a
part of opt-in policies.⁹ Therefore, depending on the location of the customer base, companies may have flexibility to
classify "customers who have opted in" in such a way that allows them to use customer information for secondary
purposes. In fact, any disclosures that indicate the use of customer data for secondary purposes absent customer
consent may be considered illogical from a legal perspective, at least in regions where such data privacy regulations
exist. These factors suggest that disclosure on the “percentage [of users] who have opted in” would virtually always
indicate that all users opted in, and thus, this information is not distributive. Additionally, considering the regional
differences in regulatory frameworks covering customer consent and opt-in/opt-out policies, investors would derive
more decision-useful information from discussion and analysis of relevant policies and procedures adopted by
companies than from a quantitative measure of users who opted in to the collection and use of their data. Such
information can be obtained from metric TC0102-04, “Discussion of policies and practices relating to behavioral
advertising and customer privacy” included in the disclosure topic, which ensures completeness and usefulness of
information provided to investors to assess companies’ performance on the disclosure topic.
8 Regulation (EU) 2016/679 of the European Parliament and of the Council, European Union, April 27, 2016, accessed June 5, 2018,
https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32016R0679.
9 Martin A. Weiss and Kristin Archick, “U.S.-EU Data Privacy: From Safe Harbor to Privacy Shield,” Congressional Research Service, accessed
June 7, 2018, https://fas.org/sgp/crs/misc/R44257.pdf.
Further, by revising the unit of measure for the first part of the metric from “percentage of customers whose
information is used for secondary purposes” to the “number of customers,” the usefulness of information is
enhanced by giving investors more flexibility in analyzing performance on the disclosure topic. Specifically, the
absolute number of users whose information is used for secondary purposes is likely to be more useful in estimating
financial costs associated with management of the issue or monetary losses associated with potential failure to meet
relevant regulatory requirements. In other words, the absolute unit of measure is more useful in assessing the magnitude
of both chronic cost-related impacts and acute risks related to customer privacy or data security.
Lastly, it may be noted that the SASB standards often gravitate toward absolute measures, consistent with the revised
metric, for reasons such as:
Multiple alternatives regarding suitable normalization bases for performance indicators, with investor
preference varying depending on use case; and
The incorporation of industry-specific activity metrics within the standard to facilitate multiple means for
normalization of the sustainability accounting metrics included in the standard based on investor preference.
However, relative measures may also be included when such format is found more decision-useful by investors. As
discussed in the Market Input section, feedback from multiple investors across various SASB sectors points to the
usefulness of both absolute and relative metrics.
Market Input
Investors: No direct feedback was received from investors regarding this revision. However, investors provided
feedback that generally supports improvements to the distributiveness of disclosures. With respect to the revision of
the unit of measure, broad feedback received throughout the SASB standards’ development process in various sectors
suggests the usefulness of both absolute and normalized measurements of performance.
Companies: Feedback was received on the provisional form of the metric from multiple companies that indicated a
need for revision. While direct input on this specific revision was not received, the revision indirectly addresses some of
the concerns companies shared related to the provisional metric. More specifically, a large company in a different
industry indicated that the data generated by the provisional metric may be considered competition sensitive
information. Another large company that provided feedback on the provisional metric pointed out that the number of
account holders who “opt in” may provide an inappropriate representation of performance on the customer privacy
issue. The company stated that performance on this metric would be indicative of consumer behavior rather than a
reflection of business practices. The revisions to this metric, as described above, are intended to alleviate company
concerns among other benefits.
Benefits
Improves the SASB Standard: The revision improves the distributiveness of the metric, while enhancing cost-
effectiveness by eliminating a reporting requirement of the metric. The revision of the unit of measure enhances
decision-usefulness of information generated by the metric.
Revision TC-SI:04 – Industry: Software & IT Services; Topic Name: Data Privacy & Freedom of Expression
Summary of Change – Revise Metric
The SASB revised provisional metric TC0102-07 from “Number of government or law enforcement requests for
customer information, percentage resulting in disclosure” to “(1) Number of law enforcement requests for user
information, (2) number of users whose information was requested, (3) percentage resulting in disclosure.”
Adherence to Criteria for Accounting Metrics
The Software & IT Services Industry Provisional Standard includes a topic, Data Privacy & Freedom of Expression, with
five associated metrics to describe a company’s management of risks related to how it stores and protects customers’
sensitive data. Specifically, provisional metric TC0102-07 asks companies to disclose governmental and law
enforcement requests for information. The revision of the metric to include the number of users whose information
was requested eliminates ambiguity in the information elicited by the provisional metric and mirrors the way
companies currently report. The revised metric thus provides a fair and more complete representation of performance
which results in a more decision-useful set of disclosures when combined with the existing metrics related to the
topic.
Supporting Analysis
The provisional metric does not fairly represent company performance with respect to Data Privacy & Freedom of
Expression, as it does not include the number of users whose information a government or law enforcement entity
may have requested (e.g., one request could ask for information for a single user, or for thousands of users). More
than 35 companies in the technology and communications sector issue standalone transparency reports that break
out the information in this manner.
The transparency report of the industry’s largest U.S. listed company (by market cap) illustrates both the number of
requests and the number of accounts affected.10 This company’s total number of requests of approximately 26,000
was significantly different than the number of accounts or users specified in these requests, which was approximately
45,000. Both numbers are needed to adequately understand the magnitude of impact. This revision improves
alignment with current industry practice as well as the completeness of the set of disclosures related to Data Privacy &
Freedom of Expression.
Market Input
Investors: Investors were supportive of changes that improve alignment with what companies currently disclose.
Companies: Company feedback on the revision was not received.
10 “Law Enforcement Requests Report,” Microsoft, 2016, accessed July 23, 2018, https://www.microsoft.com/en-us/about/corporate-responsibility/lerr/.
Benefits
Improves the SASB Standard: The metric revision improves the completeness of the set of metrics which define the
topic.
Improves alignment with existing reporting frameworks: Companies currently report the information broken out by
number of requests and number of users whose information was requested.
Revision TC-SI:05 – Industry: Software & IT Services; Topic Name: Data Security
Summary of Change – Revise Metric
The SASB revised provisional metric TC0102-09 from “Number of data security breaches and percentage involving
customers’ personally identifiable information” to “(1) Number of data breaches, (2) percentage involving personally
identifiable information (PII), (3) number of users affected.”
Adherence to Criteria for Accounting Metrics
The Software & IT Services Industry Provisional Standard includes a topic, Data Security, with two associated metrics
that describe a company’s management of risks related to the storage and protection of its users’ sensitive data. The
revision eliminates ambiguity regarding what data are being asked for in the provisional metric by clarifying that the
number of unique data breaches shall be disclosed. Furthermore, the revised metric provides additional useful
information by including the number of customers affected by such data breaches. The revised metric is more aligned
with current corporate disclosures on the topic than the provisional metric. Additionally, the technical protocol for the
provisional metric did not provide a definition for the term “encryption,” and when discussing encrypted data
breaches, provided a narrow scope of disclosure that may unintentionally exclude critical information, and result in
incomplete disclosures. To improve the completeness of disclosures and alignment with existing terms defined by
regulatory agencies, the SASB revised the technical protocol to incorporate the National Initiative for Cybersecurity
Careers and Studies (NICCS) definition of “data breach” and “encryption,” and provided further reporting guidance
on the scope of disclosures involving encrypted data. This revision improves alignment between the SASB Standard
and existing regulatory reporting definitions, as well as increases clarity for companies preparing the data, ultimately
improving the cost-effectiveness of the standard.
Supporting Analysis
The technical protocol associated with the provisional metric did not satisfy the measurability and completeness
attributes of a technical protocol, as it did not specify what was intended to be measured by “number of data security
breaches,” which may include the number of unique instances of breaches, or it may include the number of exposed
customer records. For example, if a company faced two cyber-attacks during the reporting period, with one exposing
200,000 customer records, and another exposing 50,000 customer records, the provisional metric was unclear
whether the company would report this as “2” or “250,000.” Evidence shows that both the number of incidents and
the number of records affected are useful data points to understand the frequency and magnitude of data breaches.
Furthermore, an analysis of corporate disclosures demonstrates that, broadly speaking, a structure of disclosure that
includes the number of incidents and the number of records affected is a best practice for corporate disclosures. For
example, after their own major breaches, three large companies11,12,13,14 each revealed, for the respective incidents, the
number of accounts affected. In greater detail, one company’s public disclosure after a data breach that came to light
in 2016 provides an illustrative example of the alignment of the revision with current corporate disclosures on the
topic. In 2016, the company disclosed an unauthorized data breach associated with more than 1 billion user accounts,
the largest known data breach to date. The firm’s disclosure distinguished between unique incidents and number of
records compromised, consistent with the revised metric.15
11 Brad Arkin, “Important Customer Security Announcement,” Adobe, October 3, 2013, accessed July 23, 2018, https://blogs.adobe.com/conversations/2013/10/important-customer-security-announcement.html.
12 Tanya Agrawal, David Henry, & Jim Finkle, “JPMorgan hack exposed data of 83 million, among biggest breaches in history,” Reuters, October 2, 2014, accessed July 23, 2018, https://www.reuters.com/article/us-jpmorgan-cybersecurity-idUSKCN0HR23T20141003.
13 Cory Scott, “Protecting Our Members,” LinkedIn, May 18, 2016, accessed July 23, 2018, https://blog.linkedin.com/2016/05/18/protecting-our-members.
14 Keir Thomas, “Citigroup Hack Nabs Data from 210k,” PCWorld, June 9, 2011, accessed July 23, 2018, http://www.pcworld.com/article/229891/Citigroup_Hack_Nets_Over_200k_in_Stolen_Customer_Details.html.
Finally, the SASB revised the technical protocol of metric TC0102-09 to define the terms “data breach” and
“encryption” using definitions identified by NICCS, which is managed by the Cybersecurity Education and Awareness
Branch (CE&A) within the U.S. Department of Homeland Security’s Office of Cybersecurity and Communications. The
NICCS is a part of the CE&A’s work to promote cybersecurity awareness, training, and education for the Nation’s
cybersecurity professionals.16 The NICCS glossary of key cybersecurity terms is informed by ongoing feedback from
end users and stakeholders, and is often cited by the U.S. Securities and Exchange Commission in documents such as the
Commission Statement and Guidance on Public Company Cybersecurity Disclosures.17 The revision to align
cybersecurity terms with those of NICCS improves clarity by referencing governmental sources, and will therefore likely
lead to more consistent and complete disclosures. Further, the revision likely improves cost-effectiveness of reporting
for companies by increasing uniformity across different reporting frameworks.
Additionally, when calculating the percentage of data breaches in which account holders’ personally identifiable
information was breached, the technical protocol for the provisional metric included guidance on the scope of
disclosure as it relates to incidents whereby encrypted data is acquired with an encryption key. However, this language
failed to acknowledge instances through which weakly encrypted data is acquired without an encryption key but can
still be converted to plaintext. Thus, the SASB revised the technical protocol to provide additional reporting guidance
on the inclusion of incidents where there is reasonable belief that acquired encrypted data could be readily converted
to plaintext. The revision results in more complete disclosures by expanding the scope of disclosure to include
instances in which the attacker can recover the plaintext information.
Market Input
Investors: Many investors across multiple industries and sectors consistently communicated during SASB’s consultation
period that clarification of this metric was necessary, and there was strong agreement with the revised metric.
Companies: Multiple companies voiced confusion over the wording of the provisional metric and communicated that
it needed to be clarified in a manner similar to this revision.
Benefits
Improves the SASB Standard: The revision enhances the standardization of the metric by improving the measurability
and the completeness of the technical protocol. The revision also enhances cost-effectiveness by aligning the SASB
Standard with existing regulatory reporting terms.
15 Ibid.
16 “Cybersecurity Education and Awareness,” United States Department of Homeland Security, last modified September 27, 2017, accessed May 6, 2018, https://www.dhs.gov/cyber-education-and-awareness.
17 Commission Statement and Guidance on Public Company Cybersecurity Disclosures, Securities and Exchange Commission, issued on February 20, 2018, https://www.sec.gov/rules/interp/2018/33-10459.pdf.
Improves decision-usefulness: The revision generates more useful information, given that both the number of unique
cyber security data breaches and the number of customers affected are important elements needed to better
understand corporate performance on the topic.
Revision TC-SI:06 – Industry: Software & IT Services; Topic Name: Data Security
Summary of Change – Revise Metric
The SASB revised provisional metric:
TC0102-10 Discussion of management approach to identifying and addressing data security risks
to the following metric:
Description of approach to identifying and addressing data security risks, including use of third-party
cybersecurity standards
Adherence to Criteria for Accounting Metrics
The Software & IT Services Industry Provisional Standard includes a topic for Data Security, and two associated metrics
which describe a company’s performance as it relates to protecting customer data. Quantitative metric TC0102-09
asks for the number of data breaches, as well as the percentage that contained customers’ personally identifiable
information.18 Qualitative metric TC0102-10 asks companies to discuss their strategy to identify and address data
security risks. A company’s approach to ensuring the cyber preparedness of its operations may include various strategies. One
strategy, the use of third-party cybersecurity standards, can help companies in the Software & IT Services industry
identify vulnerabilities in their information systems that may pose a data security risk. Therefore, company disclosure on
the use of third-party cybersecurity risk management standards and frameworks, the use of which is growing rapidly,
would yield relevant and decision-useful information to investors assessing performance on the Data Security topic.
The SASB evaluated the potential addition of a stand-alone quantitative metric “Percentage of operations, by revenue,
independently certified to a suitable third-party cybersecurity management standard” to measure companies’
approach to managing data security risks via aligning their cybersecurity practices with external standards. This metric
was proposed in the 2017-18 public comment period. However, additional research and stakeholder feedback
highlighted concerns that such a metric may be neither viable to implement nor sufficiently representative of performance.
Based on the above, the SASB revised existing provisional metric TC0102-10 to expand its scope by including a
description of company use of third-party cybersecurity standards. The resulting metric is, “Description of approach to
identifying and addressing data security risks, including use of third-party cybersecurity standards.” The revision
enhances completeness of the information requested by the provisional metric, which will likely improve its decision-
usefulness.
Supporting Analysis
The SASB revised the provisional metric TC0102-10 to improve its completeness and decision-usefulness. Specifically,
the revised metric asks companies to discuss how they identify relevant cybersecurity standards to implement, the
extent of their implementation (i.e., operations, business unit, geography, product, or information system), approach
to third-party verification of the use of the standards, as well as ongoing activities and initiatives related to increasing
the use of cybersecurity risk management standards.
18 Please see Revision TC-SI:05 for an update to provisional metric TC0201-09.
The revision reverses the SASB’s earlier proposal in the 2017-18 public comment period to include an additional
quantitative metric that would measure the percentage of a company’s operations independently certified to a suitable
third-party cybersecurity management standard. Additional research and input from subject matter experts suggested
that the format of the proposed quantitative metric was not viable and was inadequate. The metric was found neither to
generate information representative of company performance on managing the topic nor to be decision-useful to
investors.
Specifically, the proposed metric required companies to calculate the percentage as revenue generated from products
that are certified to a suitable third-party cybersecurity management standard divided by the total revenue generated
from all products that are eligible for such certifications. Such guidance was neither applicable nor feasible to follow
since products of companies in the Software & IT Services industry are not generally covered by third-party
cybersecurity standards. Rather, cybersecurity risk management standards address security of companies’ operations,
processes, and information systems. Furthermore, it should be noted that the proposed quantitative metric relied on a
measure of "certifications," which is an inaccurate (or oversimplified) characterization of the implementation of third-
party frameworks or standards concerning data security across information technology systems. Therefore, the SASB
withdrew the initial proposal and instead incorporated the use of third-party cybersecurity certifications by expanding
the scope of the existing qualitative provisional metric TC0102-10.
The revision improves representativeness, completeness, and usefulness of the provisional metric by requesting
discussion of companies’ use of third-party cybersecurity standards as one of the strategies to manage data security
risk exposure. The technical protocol of the metric references several cybersecurity standards that are commonly used
by companies in the industry, such as ISO 27000 series, AICPA’s System and Organizational Controls (SOC), and
ISACA’s COBIT 5, which ensures alignment of the SASB standard with existing corporate reporting. One example of a
company’s use of third-party standards is a major technology company’s use of ISO 27001 for its cloud
platform, which it refers to as “one of the most widely recognized, internationally accepted independent security
standards.”19 This company constitutes 40 percent of the market capitalization of the industry.
Market Input
Investors: Multiple investors agreed that this topic deserves increased attention and that a focus on management
systems is the best approach to ensure completeness of information generated by the standard. Investors noted that
companies should have an externally verified cybersecurity framework, and understanding how companies use third-
party cybersecurity standards to manage risk exposure of their operations is crucial to being able to understand the
magnitude of the related risk.
Companies: Companies have communicated views on the importance of this topic but did not provide input on the
quantitative metric that was proposed in the 2017-18 public comment period. However, this revision is designed to
ensure the metric associated with the topic is pragmatic to implement.
19 “Google Cloud Platform and the EU Data Protection Directive,” Google, accessed July 20, 2017,
https://cloud.google.com/security/compliance/eu-data-protection/.
Others: The inclusion of a measure on the use of third-party cybersecurity standards was suggested by and discussed
with multiple subject matter experts who believe it to be representative of corporate data security performance. The
SASB received feedback that a quantitative measure of performance through a percentage of revenue generated from
products that are certified to a suitable third-party cybersecurity management standard is not appropriate due to the
calculation guidance being neither applicable nor feasible for companies to follow.
Benefits
Improves the SASB Standard: This revision enhances completeness of the information generated by the requested
discussion, which further improves decision-usefulness of information regarding a company’s cybersecurity.
Improves alignment: By referencing third-party cybersecurity risk management standards that are already being used
by leading companies in the industry, the revision ensures the metric’s alignment and comparability of the information
it provides to investors.
Revision TC-SI:07 – Industry: Software & IT Services; Topic Name: Recruiting & Managing a Global, Diverse & Skilled Workforce
Summary of Change – Revise Metric
The SASB revised the technical protocol for provisional metric TC0102-13 “Percentage of gender and racial/ethnic
group representation for: (1) executives and (2) all others” to “Percentage of gender and racial/ethnic group
representation for (1) management (2) technical staff and (3) all other employees.” Further, the SASB updated the
reporting guidance to require gender breakdown globally but racial/ethnic breakdown only in the United States per
the U.S. Equal Employment Opportunity Commission (EEOC)’s EEO-1 Job Classification Guide categories. The technical
protocol was revised to specify that companies should describe their policies for promoting inclusivity and fostering
equitable employee representation across their global operations.
Adherence to Attributes of Technical Protocols
The Software & IT Services Industry Provisional Standard includes a topic, Recruiting & Managing a Global, Diverse &
Skilled Workforce, with associated metrics to describe a company’s management of risks and opportunities associated
with hiring and retaining diverse candidates. The SASB replaced the term “executives” with “management,” which is
defined in the technical protocol as both executive and non-executive management, consistent with the original intent
of the metric. Further, the addition of the category for technical staff improves alignment between the SASB
standards and current reporting practices and makes the standards more useful for investors. Provisional metric
TC0102-13 requires global disclosure of gender and racial/ethnic breakdown according to the U.S. Equal Employment
Opportunity Commission (EEOC)’s EEO-1 Job Classification Guide.
This revision to the technical protocol of provisional metric TC0102-13 recognizes that the U.S. EEOC racial/ethnic
classification can only be consistently applied to a company’s U.S. workforce and may not be applicable to its global
workforce. In addition, the revised technical protocol includes a discussion of company policies for promoting
inclusivity and fostering equitable employee representation across global operations. While the technical protocol
specifies that companies may report racial/ethnic breakdown outside of the U.S. by country or region, the SASB
clarified that the U.S. EEOC’s EEO-1 Job Classification Guide shall be used for classifying employees only for a U.S.
workforce. For a non-U.S. workforce, companies shall use occupational classification systems adopted in countries
where the workforce is employed. For non-U.S. employees, the registrant shall categorize the employees in a manner
generally consistent with the definitions provided above, though in accordance with, and further facilitated by, any
applicable local regulations, guidance, or generally accepted definitions. These revisions enhance the global
applicability of the technical guidance associated with the metric to companies with a global workforce.
Supporting Analysis
Companies with transparent hiring, promotion, and wage practices to promote workforce diversity and inclusion can
benefit from improvements in productivity,20 revenues,21 and market share22 over the medium to long term. Widely-
accepted diversity metrics, such as those required by the U.S. EEOC, include the gender and racial/ethnic breakdown
of employees and managers.
Identifying diversity figures for technical employees gives greater insight into the diversity of the highly paid and
sought-after group of workers tasked with creating a company’s products. Further, this change ensures that company
diversity figures aren't skewed by the sometimes-different ethnic makeup among different departments or teams. This
type of disclosure is already common practice in company diversity reports.23,24,25,26
There are also several challenges related to reporting regional racial/ethnic data. First, classification categories vary
significantly country-by-country and region-by-region; therefore, it would not be practical or necessarily representative
of racial/ethnic diversity for companies to aggregate their global number of employees by EEO-1 categories, which are
designed for U.S.-based reporting. Second, such data are typically only available in some countries (e.g., Canada,
Brazil) due to privacy laws preventing disclosure. Finally, some countries also look at age, disability, gender identity,
sexual orientation, or other aspects of diversity, which may be defined differently by each country.
The revision to provisional metric TC0102-13 addresses these concerns and brings the metric into alignment with
existing industry disclosure by requiring gender breakdown globally but racial/ethnic breakdown per the EEO-1
categories only in the U.S. Companies shall describe their policies for promoting inclusivity and preventing the
development of a globally homogenous workforce outside of the U.S. that is not representative of the local
population. The technical protocol additionally allows companies the opportunity to disclose racial/ethnic or other
breakdown by region or country-specific categories, if they choose. This update recognizes that a perfectly
representative workforce would mirror population demographics, but that regional demographics and ideal
racial/ethnic representation may vary widely by region. Thus, the revision improves the usefulness of the metric and its
alignment with existing industry disclosures.
Market Input
Investors: Multiple investors across sectors consistently communicated during SASB’s consultation period that while a
gender breakdown is relevant globally, a racial/ethnic group breakdown by EEO-1 categories is feasible only in the
U.S.
20 A. Garnero, S. Kampelmann, and F. Rycx, “The Heterogeneous Effects of Workforce Diversity on Productivity, Wages, and Profits,” Centre Pour La Recherche Economique et Ses Applications Document de travail no 1304, September 2013, pp. 4-5, accessed June 5, 2018, http://www.cepremap.fr/depot/docweb/docweb1304.pdf.
21 “Global Diversity and Inclusion: Fostering Innovation Through a Diverse Workforce,” Forbes Insights, last modified July 2011, accessed June 5, 2018, http://images.forbes.com/forbesinsights/StudyPDFs/Innovation_Through_Diversity.pdf.
22 “Kelly Services: Diversity must help bottom line to be sustainable,” Crain's Detroit Business, last modified November 14, 2013, accessed June 5, 2018, http://www.crainsdetroit.com/article/20131103/NEWS/311039959/kelly-services-diversity-must-help-bottom-line-to-be-sustainable.
23 “HP Global Diversity & Inclusion,” HP, accessed May 24th, 2018, http://www8.hp.com/us/en/hp-information/about-hp/diversity/index.html.
24 “Diversity,” Google, accessed May 24th, 2018, https://diversity.google/commitments/.
25 “Inclusion & Diversity,” Apple, accessed May 24th, 2018, https://www.apple.com/diversity/.
26 “Facebook Diversity Update: Building a more diverse, inclusive workforce,” Facebook, accessed May 24th, 2018, https://fbnewsroomus.files.wordpress.com/2017/08/fb_diversity_2017_final.pdf.
Companies: Companies noted that they currently break out technical employees and that SASB standards would be
more useful if they did the same. In addition, a limited number of companies stated that the provisional metric was
U.S.-centric and would not result in meaningful information for large, multinational companies that operate in
different countries.
Benefits
Improves the SASB Standard: This change improves cost-effectiveness by limiting the required quantitative disclosure
on race/ethnicity to U.S. operations, which are measurable and complete. It also improves decision-usefulness by only
requiring the aggregation of gender data, which is more likely to be comparable across companies in different
industries and geographies.
Revision TC-SI:08 – Industry: Software & IT Services; Topic Name: Intellectual Property Protection & Competitive Behavior
Summary of Change – Remove Metric
The SASB removed provisional metric TC0102-16 “Number of patent litigation cases, number successful, and number
as patent holder.”
Adherence to Criteria for Accounting Metrics
The Software & IT Services Industry Provisional Standard includes a topic, Intellectual Property Protection &
Competitive Behavior, with an associated metric to describe how companies balance protection of their intellectual
property (IP) with ensuring fair use. Related to this, provisional metric TC0102-16 asked companies to disclose the
number of patent litigation cases they were involved in, if they were the patent holder in the case, and their
subsequent number of “successful” legal proceedings.
The number of cases a company is currently involved in is only an approximate indicator of a company’s litigation
strategy. Provisional metric TC0102-16 did not fairly represent company performance, nor is it likely to be useful for
investors. The removal of this metric increases the cost-effectiveness of the standard.
Supporting Analysis
While IP protection is inherent to the business model of companies in the Software & IT Services industry, companies’
IP practices can sometimes conflict with the best interests of society. IP protection, on the one hand, is an important
driver of innovation; on the other hand, companies could use it to restrict access to the benefits from innovation,
particularly if they are dominant market players. This metric was meant to give analysts insight into how companies
were protecting their IP while respecting fair use.
Virtually all companies in the industry provide disclosures on the topic, indicating its potential to significantly impact
companies. Generally, companies already disclose on major patent litigation cases currently affecting them and a few
companies disclose the amount of fines or potential fines resulting from the most significant cases, but there are no
companies who disclose information in the format of the provisional metric in their financial filings.
It is unclear how an analyst would use the raw number of patent litigation cases to compare one company’s
performance on protecting its intellectual property and promoting fair use to another’s. The existence of patent trolls
also complicates this kind of ratio, as companies ultimately have no control over whether lawsuits, merited or
frivolous, are brought against them.27 It is also unlikely to be an accurate measure of performance on the topic as the
concept of defining a “successful” patent litigation is fraught. For example, a company could “settle” a patent lawsuit
but admit no fault. A company could also have many frivolous lawsuits brought against it and “win;” in this case it is
still unclear how this relates to performance on promoting fair use. This could be the best outcome for the company
and its shareholders but would not be counted as “successful” under the provisional metric framework. An issue as
complex as IP protection likely cannot be usefully captured by a quantitative measure.
27 “Patent Trolls,” Electronic Frontier Foundation, accessed June 13, 2018, https://www.eff.org/issues/resources-patent-troll-victims.
Market Input
Investors: SASB did not receive significant support from investors on this metric.
Companies: A large company in another industry in this sector provided a comment during SASB’s 2017-18 public
comment period noting that disclosure on provisional metric TC0102-16 would reveal competitively sensitive
information, and that its peers likely feel similarly. SASB received comments from a large company in another industry
with similar metrics stating that developing a useful quantitative metric for the topic would likely not be possible.
Benefits
Improves cost-effectiveness: The removal of this metric reduces the costs to companies of reporting on the SASB
Standard.
Appendix A. Standards Board – Sector Committee Assignments
STANDARDS BOARD MEMBER | SECTOR CHAIR | OTHER COMMITTEES
Jeffrey Hales, PhD (Chair); Professor, Georgia Institute of Technology – Ernest Scheller Jr. College of Business | Financials, Renewable Resources & Alternative Energy | Transportation, Services, Resource Transformation
Verity Chegar (Vice Chair); Vice President, BlackRock | Extractives & Minerals Processing | Financials, Technology & Communications, Infrastructure
Robert B. Hirth Jr. (Vice Chair); Senior Managing Director, Protiviti; Chairman Emeritus, COSO | Technology & Communications | Health Care, Extractives & Minerals Processing, Services
Daniel L. Goelzer, JD; Senior Counsel, Baker & McKenzie LLP | Services | Financials, Resource Transformation, Infrastructure
Kurt Kuehn; Former CFO, United Parcel Service | Transportation, Infrastructure | Consumer Goods, Renewable Resources & Alternative Energy
Lloyd Kurtz, CFA; Senior Portfolio Manager, Head of Social Impact Investing, Wells Fargo Private Bank | Health Care, Resource Transformation | Technology & Communications, Food & Beverage
Elizabeth Seeger; Head of Sustainable Investing, KKR | Consumer Goods | Health Care, Extractives & Minerals Processing, Food & Beverage
Stephanie Tang, JD; Director of Legal, Corporate Securities, Stitch Fix | Food & Beverage | Transportation, Consumer Goods, Renewable Resources & Alternative Energy
Appendix B. Redline Metric Tables

Redline tables are provided below for all sustainability accounting metrics (Table 1) and activity metrics (Table 2). All significant revisions to topics and metrics between the provisional standard and the codified standard are shown in redline; however, such redlines are not intended to communicate the full scope of such revisions, for which readers should refer to the codified Standard and accompanying content elsewhere in the Basis for Conclusions.

All redlines presented in these tables are associated with a revision number in the Revision Number column. Significant revisions to the technical protocol associated with a given metric will not necessarily be apparent in redline in the tables; however, the associated revision number will be noted in the Revision Number column of each table.

Any redlines that depict revisions to metrics but that are not accompanied by a revision number (i.e., “n/a”) are not addressed in the Basis for Conclusions as these revisions have not altered the scope or content of metrics, such as those that are intended to improve the consistency, clarity, and accuracy of the standard. Similarly, if a metric is not accompanied by a revision number, the technical protocol may have been revised to improve the consistency, clarity, and accuracy of the standard.
Software & IT Services Industry

Table 1.

| TOPIC | ACCOUNTING METRIC | CATEGORY | UNIT OF MEASURE | PROVISIONAL METRIC CODE | CODIFIED METRIC CODE28 | REVISION NUMBER |
| --- | --- | --- | --- | --- | --- | --- |
| Environmental Footprint of Hardware Infrastructure | (1) Total energy consumed, (2) percentage grid electricity, (3) percentage renewable energy | Quantitative | Gigajoules (GJ), Percentage (%) | TC0102-01 | TC-SI-130a.1 | TC-SI:01 |
| | (1) Total water withdrawn, (2) total water consumed, percentage recycled, percentage of each in regions with High or Extremely High Baseline Water Stress | Quantitative | Thousand cCubic meters (m³), Percentage (%) | TC0102-02 | TC-SI-130a.2 | TC-SI:02 |
| | Discussion Description of the integration of environmental considerations to strategic planning for data center needs | Discussion and Analysis | n/a | TC0102-03 | TC-SI-130a.3 | n/a |
| Data Privacy & Freedom of Expression | Discussion Description of policies and practices relating behavioral advertising and user privacy to collection, usage, and retention of customers’ information and personally identifiable information | Discussion and Analysis | n/a | TC0102-04 | TC-SI-220a.1 | n/a |
| | Percentage Number of users whose customer information is collected for secondary purposes, percentage who have opted-in | Quantitative | Percentage (%) Number | TC0102-05 | TC-SI-220a.2 | TC-SI:03 |
| | Amount of legal and regulatory fines and settlements Total amount of monetary losses as a result of legal proceedings associated with customer user privacy | Quantitative | U.S. dollars ($) Reporting currency | TC0102-06 | TC-SI-220a.3 | n/a |
| | (1) Number of government or law enforcement requests for customer user information, (2) number of users whose information was requested, (3) percentage resulting in disclosure | Quantitative | Number, Percentage (%) | TC0102-07 | TC-SI-220a.4 | TC-SI:04 |
| | List of countries where core products or services are subject to government-required monitoring, blocking, content filtering, or censoring | Discussion and Analysis | n/a | TC0102-08 | TC-SI-220a.5 | n/a |
| Data Security | (1) Number of data security breaches, and (2) percentage involving customers’ personally identifiable information (PII), (3) number of users affected | Quantitative | Number, Percentage (%) | TC0102-09 | TC-SI-230a.1 | TC-SI:05 |
| | Discussion Description of management approach to identifying and addressing data security risks, including use of third-party cybersecurity standards | Discussion and Analysis | n/a | TC0102-10 | TC-SI-230a.2 | TC-SI:06 |
| Recruiting & Managing a Global, Diverse & Skilled Workforce | Percentage of employees that are (1) foreign nationals and (2) located offshore | Quantitative | Percentage (%) | TC0102-11 | TC-SI-330a.1 | n/a |
| | Employee engagement as a percentage | Quantitative | Percentage (%) | TC0102-12 | TC-SI-330a.2 | n/a |
| | Percentage of gender and racial/ethnic group representation for: (1) executives management (2) technical staff and (2) all other employeess | Quantitative | Percentage (%) | TC0102-13 | TC-SI-330a.3 | TC-SI:07 |
| Intellectual Property Protection & Competitive Behavior | Number of patent litigation cases, number successful, and number as patent holder | Quantitative | Number | TC0102-16 | n/a | TC-SI:08 |
| | Total amount of monetary losses as a result of legal proceedings Amount of legal and regulatory fines and settlements associated with anti-competitive practices regulations | Quantitative | U.S. dollars ($) Reporting currency | TC0102-17 | TC-SI-520a.1 | n/a |
| Managing Systemic Risks from Technology Disruptions | Number of (1) performance issues and (2) service disruptions; (3) total customer downtime | Quantitative | Number, Days | TC0102-14 | TC-SI-550a.1 | n/a |
| | Discussion Description of business continuity risks related to disruptions of operations | Discussion and Analysis | n/a | TC0102-15 | TC-SI-550a.2 | n/a |

28 The Provisional Metric Code column provides the metric code that appeared in the Provisional Standard. The Codified Metric Code column provides the revised metric code that appears in the Codified Standard. The revised metric code is structured as follows: [Sector Code]-[Industry Code]-[Topic Code].[Metric Number].
Table 2.

| ACTIVITY METRIC | CATEGORY | UNIT OF MEASURE | PROVISIONAL METRIC CODE | CODIFIED METRIC CODE29 | REVISION NUMBER |
| --- | --- | --- | --- | --- | --- |
| (1) Number of licenses or subscriptions, (2) percentage cloud-based | Quantitative | Number, Percentage (%) | TC0102-A | TC-SI-000.A | n/a |
| (1) Data processing capacity, (2) percentage outsourced | Quantitative | See note | TC0102-B | TC-SI-000.B | n/a |
| (1) Petabytes Amount of data storage, (2) percentage outsourced | Quantitative | Petabytes, Percentage (%) | TC0102-C | TC-SI-000.C | n/a |

29 The Provisional Metric Code column provides the metric code that appeared in the Provisional Standard. The Codified Metric Code column provides the revised metric code that appears in the Codified Standard. The revised metric code is structured as follows: [Sector Code]-[Industry Code]-[Topic Code].[Metric Number].