Microsoft

Critical Evaluation of Company ESG Performance. This section is to present your thorough analysis of the firm's ESG strategy and performance. It should show your "analysis" of information collected from multiple sources and your judgment/evaluation based on it. This section should not be merely a list of information.

Internal fit of ESG strategy to materiality analysis (4 pages). This section is to determine whether the firm is focusing its efforts on the most important things.

1. First, find or create a materiality analysis map of the firm. You may also refer to SASB Materiality Analysis by Industry (https://www.sasb.org/standards/materiality-map/) or some other source for a materiality map. 

2. Then map the current ESG strategy to their "materiality analysis." Describe how the company set these goals and their rationale or explanation for selecting these ESG factors in their "materiality analysis." Has the company been intentional about mapping its ESG initiatives to a materiality mapping?

3. Do you see any indication of wasted efforts (focusing on less important factors)? Any material issues missing? 

TECHNOLOGY & COMMUNICATIONS SECTOR

SOFTWARE & IT SERVICES Sustainability Accounting Standard


Sustainable Industry Classification System® (SICS®) TC-SI

Prepared by the Sustainability Accounting Standards Board

October 2018

INDUSTRY STANDARD | VERSION 2018-10

© 2018 The SASB Foundation. All Rights Reserved. sasb.org


About SASB

The SASB Foundation was founded in 2011 as a not-for-profit, independent standards-setting organization. The SASB Foundation’s mission is to establish and maintain industry-specific standards that assist companies in disclosing financially material, decision-useful sustainability information to investors.

The SASB Foundation operates in a governance structure similar to the structure adopted by other internationally recognized bodies that set standards for disclosure to investors, including the Financial Accounting Standards Board (FASB) and the International Accounting Standards Board (IASB). This structure includes a board of directors (“the Foundation Board”) and a standards-setting board (“the Standards Board” or “the SASB”). The Standards Board develops, issues, and maintains the SASB standards. The Foundation Board oversees the strategy, finances and operations of the entire organization, and appoints the members of the Standards Board.

The Foundation Board is not involved in setting standards, but is responsible for overseeing the Standards Board’s compliance with the organization’s due process requirements. As set out in the SASB Rules of Procedure, the SASB’s standards-setting activities are transparent and follow careful due process, including extensive consultation with companies, investors, and relevant experts.

The SASB Foundation is funded by a range of sources, including contributions from philanthropies, companies, and individuals, as well as through the sale and licensing of publications, educational materials, and other products. The SASB Foundation receives no government financing and is not affiliated with any governmental body, the FASB, the IASB, or any other financial accounting standards-setting body.

SUSTAINABILITY ACCOUNTING STANDARDS BOARD
1045 Sansome Street, Suite 450
San Francisco, CA 94111
415.830.9220
[email protected]
sasb.org

The information, text, and graphics in this publication (the “Content”) are owned by The SASB Foundation. All rights reserved. The Content may be used only for non-commercial, informational, or scholarly use, provided that all copyright and other proprietary notices related to the Content are kept intact, and that no modifications are made to the Content. The Content may not be otherwise disseminated, distributed, republished, reproduced, or modified without the prior written permission of The SASB Foundation. To request permission, please contact us at [email protected].


Table of Contents

Introduction (p. 4)
Purpose of SASB Standards (p. 4)
Overview of SASB Standards (p. 4)
Use of the Standards (p. 5)
Industry Description (p. 5)
Sustainability Disclosure Topics & Accounting Metrics (p. 6)
Environmental Footprint of Hardware Infrastructure (p. 8)
Data Privacy & Freedom of Expression (p. 12)
Data Security (p. 19)
Recruiting & Managing a Global, Diverse & Skilled Workforce (p. 23)
Intellectual Property Protection & Competitive Behavior (p. 28)
Managing Systemic Risks from Technology Disruptions (p. 30)


INTRODUCTION

Purpose of SASB Standards

The SASB’s use of the term “sustainability” refers to corporate activities that maintain or enhance the ability of the company to create value over the long term. Sustainability accounting reflects the governance and management of a company’s environmental and social impacts arising from production of goods and services, as well as its governance and management of the environmental and social capitals necessary to create long-term value. The SASB also refers to sustainability as “ESG” (environmental, social, and governance), though traditional corporate governance issues such as board composition are not included within the scope of the SASB’s standards-setting activities.

SASB standards are designed to identify a minimum set of sustainability issues most likely to impact the operating performance or financial condition of the typical company in an industry, regardless of location. SASB standards are designed to enable communications on corporate performance on industry-level sustainability issues in a cost-effective and decision-useful manner using existing disclosure and reporting mechanisms.

Businesses can use the SASB standards to better identify, manage, and communicate to investors sustainability information that is financially material. Use of the standards can benefit businesses by improving transparency, risk management, and performance. SASB standards can help investors by encouraging reporting that is comparable, consistent, and financially material, thereby enabling investors to make better investment and voting decisions.

Overview of SASB Standards

The SASB has developed a set of 77 industry-specific sustainability accounting standards (“SASB standards” or “industry standards”), categorized pursuant to SASB’s Sustainable Industry Classification System® (SICS®). Each SASB standard describes the industry that is the subject of the standard, including any assumptions about the predominant business model and industry segments that are included. SASB standards include:

1. Disclosure topics – A minimum set of industry-specific disclosure topics reasonably likely to constitute material information, and a brief description of how management or mismanagement of each topic may affect value creation.

2. Accounting metrics – A set of quantitative and/or qualitative accounting metrics intended to measure performance on each topic.

3. Technical protocols – Each accounting metric is accompanied by a technical protocol that provides guidance on definitions, scope, implementation, compilation, and presentation, all of which are intended to constitute suitable criteria for third-party assurance.

4. Activity metrics – A set of metrics that quantify the scale of a company’s business and are intended for use in conjunction with accounting metrics to normalize data and facilitate comparison.


Furthermore, the SASB Standards Application Guidance establishes guidance applicable to the use of all industry standards and is considered part of the standards. Unless otherwise specified in the technical protocols contained in the industry standards, the guidance in the SASB Standards Application Guidance applies to the definitions, scope, implementation, compilation, and presentation of the metrics in the industry standards.

The SASB Conceptual Framework sets out the basic concepts, principles, definitions, and objectives that guide the Standards Board in its approach to setting standards for sustainability accounting. The SASB Rules of Procedure is focused on the governance processes and practices for standards setting.

Use of the Standards

SASB standards are intended for use in communications to investors regarding sustainability issues that are likely to impact corporate ability to create value over the long term. Use of SASB standards is voluntary. A company determines which standard(s) is relevant to the company, which disclosure topics are financially material to its business, and which associated metrics to report, taking relevant legal requirements into account [1]. In general, a company would use the SASB standard specific to its primary industry as identified in SICS®. However, companies with substantial business in multiple SICS® industries can consider reporting on these additional SASB industry standards.

It is up to a company to determine the means by which it reports SASB information to investors. One benefit of using SASB standards may be achieving regulatory compliance in some markets. Other investor communications using SASB information could be sustainability reports, integrated reports, websites, or annual reports to shareholders. There is no guarantee that SASB standards address all financially material sustainability risks or opportunities unique to a company’s business model.

Industry Description

The Software & Information Technology (IT) Services industry offers products and services globally to retail, business, and government customers, and includes companies involved in the development and sales of applications software, infrastructure software, and middleware. The industry is generally competitive, but with dominant players in some segments. While relatively immature, the industry is characterized by high-growth companies that place a heavy emphasis on innovation and depend on human and intellectual capital. The industry also includes IT services companies delivering specialized IT functions, such as consulting and outsourced services. New industry business models include cloud computing, software as a service, virtualization, machine-to-machine communication, big data analysis, and machine learning. Additionally, brand value is key for companies in the industry to scale and achieve network effects, whereby wide adoption of a particular software product leads to self-perpetuating growth in sales.

[1] Legal Note: SASB standards are not intended to, and indeed cannot, replace any legal or regulatory requirements that may be applicable to a reporting entity’s operations.


SUSTAINABILITY DISCLOSURE TOPICS & ACCOUNTING METRICS

Table 1. Sustainability Disclosure Topics & Accounting Metrics

| Topic | Accounting Metric | Category | Unit of Measure | Code |
|---|---|---|---|---|
| Environmental Footprint of Hardware Infrastructure | (1) Total energy consumed, (2) percentage grid electricity, (3) percentage renewable | Quantitative | Gigajoules (GJ), Percentage (%) | TC-SI-130a.1 |
| | (1) Total water withdrawn, (2) total water consumed, percentage of each in regions with High or Extremely High Baseline Water Stress | Quantitative | Thousand cubic meters (m³), Percentage (%) | TC-SI-130a.2 |
| | Discussion of the integration of environmental considerations into strategic planning for data center needs | Discussion and Analysis | n/a | TC-SI-130a.3 |
| Data Privacy & Freedom of Expression | Description of policies and practices relating to behavioral advertising and user privacy | Discussion and Analysis | n/a | TC-SI-220a.1 |
| | Number of users whose information is used for secondary purposes | Quantitative | Number | TC-SI-220a.2 |
| | Total amount of monetary losses as a result of legal proceedings associated with user privacy [2] | Quantitative | Reporting currency | TC-SI-220a.3 |
| | (1) Number of law enforcement requests for user information, (2) number of users whose information was requested, (3) percentage resulting in disclosure | Quantitative | Number, Percentage (%) | TC-SI-220a.4 |
| | List of countries where core products or services are subject to government-required monitoring, blocking, content filtering, or censoring [3] | Discussion and Analysis | n/a | TC-SI-220a.5 |
| Data Security | (1) Number of data breaches, (2) percentage involving personally identifiable information (PII), (3) number of users affected [4] | Quantitative | Number, Percentage (%) | TC-SI-230a.1 |
| | Description of approach to identifying and addressing data security risks, including use of third-party cybersecurity standards | Discussion and Analysis | n/a | TC-SI-230a.2 |
| Recruiting & Managing a Global, Diverse & Skilled Workforce | Percentage of employees that are (1) foreign nationals and (2) located offshore [5] | Quantitative | Percentage (%) | TC-SI-330a.1 |
| | Employee engagement as a percentage [6] | Quantitative | Percentage (%) | TC-SI-330a.2 |
| | Percentage of gender and racial/ethnic group representation for (1) management, (2) technical staff, and (3) all other employees [7] | Quantitative | Percentage (%) | TC-SI-330a.3 |
| Intellectual Property Protection & Competitive Behavior | Total amount of monetary losses as a result of legal proceedings associated with anti-competitive behavior regulations [8] | Quantitative | Reporting currency | TC-SI-520a.1 |
| Managing Systemic Risks from Technology Disruptions | Number of (1) performance issues and (2) service disruptions; (3) total customer downtime [9] | Quantitative | Number, Days | TC-SI-550a.1 |
| | Description of business continuity risks related to disruptions of operations | Discussion and Analysis | n/a | TC-SI-550a.2 |

[2] Note to TC-SI-220a.3 – The entity shall briefly describe the nature, context, and any corrective actions taken as a result of the monetary losses.

[3] Note to TC-SI-220a.5 – Disclosure shall include a description of the extent of the impact in each case and, where relevant, a discussion of the entity’s policies and practices related to freedom of expression.

[4] Note to TC-SI-230a.1 – Disclosure shall include a description of corrective actions implemented in response to data breaches.

[5] Note to TC-SI-330a.1 – Disclosure shall include a description of potential risks of recruiting foreign nationals and/or offshore employees, and management approach to addressing these risks.

[6] Note to TC-SI-330a.2 – Disclosure shall include a description of methodology employed.

[7] Note to TC-SI-330a.3 – The entity shall describe its policies and programs for fostering equitable employee representation across its global operations.

[8] Note to TC-SI-520a.1 – The entity shall briefly describe the nature, context, and any corrective actions taken as a result of the monetary losses.

[9] Note to TC-SI-550a.1 – Disclosure shall include a description of each significant performance issue or service disruption and any corrective actions taken to prevent future disruptions.

Table 2. Activity Metrics

| Activity Metric | Category | Unit of Measure | Code |
|---|---|---|---|
| (1) Number of licenses or subscriptions, (2) percentage cloud-based | Quantitative | Number, Percentage (%) | TC-SI-000.A |
| (1) Data processing capacity, (2) percentage outsourced [10] | Quantitative | See note | TC-SI-000.B |
| (1) Amount of data storage, (2) percentage outsourced [11] | Quantitative | Petabytes, Percentage (%) | TC-SI-000.C |

[10] Note to TC-SI-000.B – Data processing capacity shall be reported in units of measure typically tracked by the entity or used as the basis for contracting software and IT services, such as Million Service Units (MSUs), Million Instructions per Second (MIPS), Mega Floating-Point Operations per Second (MFLOPS), compute cycles, or other. Alternatively, the entity may disclose owned and outsourced data processing needs in other units of measure, such as rack space or data center square footage. The percentage outsourced shall include On-Premise cloud services, those that are hosted on Public Cloud, and those that are residing in Colocation Data Centers.

[11] Note to TC-SI-000.C – The percentage outsourced shall include On-Premise cloud services, those that are hosted on Public Cloud, and those that are residing in Colocation Data Centers.


Environmental Footprint of Hardware Infrastructure

Topic Summary

With the growth of cloud-based service offerings, companies in this industry own, operate, or rent increasingly more data centers and other hardware; thus, managing the energy and water use associated with IT hardware infrastructure is important to shareholder value. Data centers need to be powered continuously, and disruptions to the energy supply can have a material impact on operations, depending on the magnitude and timing of the disruption. Companies face a tradeoff between energy and water consumption due to data center cooling needs; cooling data centers with water instead of chillers is a means of improving energy efficiency, but it can lead to dependence on significant local water resources. Decisions about data center specifications are important for managing costs, obtaining a reliable supply of energy and water, and lowering reputational risks, particularly as there is an increasing global regulatory focus on climate change and as opportunities arise from innovations in energy efficiency and renewable energy.

Accounting Metrics

TC-SI-130a.1. (1) Total energy consumed, (2) percentage grid electricity, (3) percentage renewable

1 The entity shall disclose (1) the total amount of energy it consumed as an aggregate figure, in gigajoules (GJ).

  1.1 The scope of energy consumption includes energy from all sources, including energy purchased from sources external to the entity and energy produced by the entity itself (self-generated). For example, direct fuel usage, purchased electricity, and heating, cooling, and steam energy are all included within the scope of energy consumption.

  1.2 The scope of energy consumption includes only energy directly consumed by the entity during the reporting period.

  1.3 In calculating energy consumption from fuels and biofuels, the entity shall use higher heating values (HHV), also known as gross calorific values (GCV), which are directly measured or taken from the Intergovernmental Panel on Climate Change (IPCC), the U.S. Department of Energy (DOE), or the U.S. Energy Information Administration (EIA).

2 The entity shall disclose (2) the percentage of energy it consumed that was supplied from grid electricity.

  2.1 The percentage shall be calculated as purchased grid electricity consumption divided by total energy consumption.

3 The entity shall disclose (3) the percentage of energy it consumed that is renewable energy.


  3.1 Renewable energy is defined as energy from sources that are replenished at a rate greater than or equal to their rate of depletion, such as geothermal, wind, solar, hydro, and biomass.

  3.2 The percentage shall be calculated as renewable energy consumption divided by total energy consumption.

  3.3 The scope of renewable energy includes renewable fuel the entity consumed, renewable energy the entity directly produced, and renewable energy the entity purchased, if purchased through a renewable power purchase agreement (PPA) that explicitly includes renewable energy certificates (RECs) or Guarantees of Origin (GOs), a Green-e Energy Certified utility or supplier program, or other green power products that explicitly include RECs or GOs, or for which Green-e Energy Certified RECs are paired with grid electricity.

    3.3.1 For any renewable electricity generated on-site, any RECs and GOs must be retained (i.e., not sold) and retired or cancelled on behalf of the entity in order for the entity to claim them as renewable energy.

    3.3.2 For renewable PPAs and green power products, the agreement must explicitly include and convey that RECs and GOs be retained or replaced and retired or cancelled on behalf of the entity in order for the entity to claim them as renewable energy.

    3.3.3 The renewable portion of the electricity grid mix that is outside of the control or influence of the entity is excluded from the scope of renewable energy.

  3.4 For the purposes of this disclosure, the scope of renewable energy from hydro and biomass sources is limited to the following:

    3.4.1 Energy from hydro sources is limited to those that are certified by the Low Impact Hydropower Institute or that are eligible for a state Renewable Portfolio Standard;

    3.4.2 Energy from biomass sources is limited to materials certified to a third-party standard (e.g., Forest Stewardship Council, Sustainable Forest Initiative, Programme for the Endorsement of Forest Certification, or American Tree Farm System), materials considered eligible sources of supply according to the Green-e Framework for Renewable Energy Certification, Version 1.0 (2017) or Green-e regional standards, and/or materials that are eligible for an applicable state renewable portfolio standard.

4 The entity shall apply conversion factors consistently for all data reported under this disclosure, such as the use of HHVs for fuel usage (including biofuels) and conversion of kilowatt hours (kWh) to GJ (for energy data including electricity from solar or wind energy).

5 The entity may disclose the trailing twelve-month (TTM) weighted average power usage effectiveness (PUE) for its data centers.

  5.1 PUE is defined as the ratio of the total amount of power used by a computer data center facility to the amount of power delivered to computing equipment.


  5.2 If disclosing PUE, the entity shall follow the guidance and calculation methodology described in PUE™: A Comprehensive Examination of the Metric (2014), published by ASHRAE and The Green Grid Association.
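The scope rules for TC-SI-130a.1 are easy to get wrong in a spreadsheet (grid-mix renewables excluded, RECs that must be retired, hydro and biomass certification limits), so the following added example, which is not part of the SASB standard and uses constructed sample figures, encodes items 1 through 5 as a small calculator; the record field names, the certification labels and the sample inventory are this example's own assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional

# 1 kWh = 3.6 MJ = 0.0036 GJ; item 4 requires one conversion factor applied consistently
MJ_PER_KWH = 3.6

# Eligibility labels for items 3.4.1 and 3.4.2 (the label strings are this example's own)
HYDRO_ELIGIBLE = {"LIHI", "state RPS"}
BIOMASS_ELIGIBLE = {"FSC", "SFI", "PEFC", "ATFS", "Green-e Framework", "state RPS"}


@dataclass
class EnergyRecord:
    """One energy flow directly consumed by the entity during the reporting period (item 1.2)."""
    label: str
    quantity: float
    unit: str                             # "kWh" for electricity, "GJ" for fuel already on an HHV basis
    kind: str                             # "grid" (purchased), "onsite" (self-generated) or "fuel"
    technology: Optional[str] = None      # "wind", "solar", "hydro", "biomass", ...; None if non-renewable
    green_product: bool = False           # grid purchase under a PPA or green power product (item 3.3)
    recs_retired: bool = False            # RECs/GOs retained and retired/cancelled for the entity
    certification: Optional[str] = None   # hydro/biomass certification or RPS eligibility (item 3.4)


def to_gj(rec: EnergyRecord) -> float:
    """Normalise a record to gigajoules; fuel figures must already use HHV (item 1.3)."""
    if rec.unit == "kWh":
        return rec.quantity * MJ_PER_KWH / 1000.0
    if rec.unit == "GJ":
        return rec.quantity
    raise ValueError(f"unsupported unit {rec.unit!r} on {rec.label}")


def counts_as_renewable(rec: EnergyRecord) -> bool:
    """Apply the renewable scope rules of items 3.3 and 3.4 to one record."""
    if rec.technology is None:
        return False
    if rec.kind == "grid":
        # 3.3.3: the grid mix's own renewable share is out of scope; a purchase counts
        # only through a PPA/green product whose RECs/GOs are retired for the entity (3.3.2)
        if not (rec.green_product and rec.recs_retired):
            return False
    elif rec.kind == "onsite":
        # 3.3.1: on-site generation counts only if its RECs/GOs are retained and retired
        if not rec.recs_retired:
            return False
    # 3.4: hydro and biomass carry extra certification limits; other technologies pass
    if rec.technology == "hydro":
        return rec.certification in HYDRO_ELIGIBLE
    if rec.technology == "biomass":
        return rec.certification in BIOMASS_ELIGIBLE
    return True


def tc_si_130a_1(records: List[EnergyRecord]) -> dict:
    """Return (1) total energy in GJ, (2) percentage grid electricity, (3) percentage renewable."""
    total = sum(to_gj(r) for r in records)
    if total <= 0:
        raise ValueError("no energy consumption to report")
    grid = sum(to_gj(r) for r in records if r.kind == "grid")              # item 2.1
    renewable = sum(to_gj(r) for r in records if counts_as_renewable(r))   # item 3.2
    return {
        "total_energy_gj": total,
        "pct_grid_electricity": 100.0 * grid / total,
        "pct_renewable": 100.0 * renewable / total,
    }


def pue(total_facility_kwh: float, it_equipment_kwh: float) -> float:
    """Item 5.1: total facility energy divided by energy delivered to computing equipment."""
    if it_equipment_kwh <= 0:
        raise ValueError("IT equipment energy must be positive")
    return total_facility_kwh / it_equipment_kwh


# Constructed sample inventory for one reporting period (not real company data)
SAMPLE_RECORDS = [
    EnergyRecord("utility electricity", 10_000_000, "kWh", "grid"),
    EnergyRecord("wind PPA, RECs retired", 5_000_000, "kWh", "grid", "wind", True, True),
    EnergyRecord("solar PPA, RECs sold on", 2_000_000, "kWh", "grid", "solar", True, False),
    EnergyRecord("rooftop solar, RECs retired", 500_000, "kWh", "onsite", "solar", False, True),
    EnergyRecord("uncertified on-site hydro", 1_000_000, "kWh", "onsite", "hydro", False, True),
    EnergyRecord("diesel generators (HHV)", 4_000, "GJ", "fuel"),
    EnergyRecord("FSC-certified biomass boiler (HHV)", 1_000, "GJ", "fuel", "biomass", False, False, "FSC"),
]

if __name__ == "__main__":
    result = tc_si_130a_1(SAMPLE_RECORDS)
    for key, value in result.items():
        print(f"{key}: {value:,.2f}")
    print(f"PUE: {pue(1_500_000, 1_200_000):.2f}")
```

With the sample inventory the solar PPA without retired RECs and the uncertified hydro still count toward total and (for the PPA) grid electricity, but neither counts as renewable.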

TC-SI-130a.2. (1) Total water withdrawn, (2) total water consumed, percentage of each in regions with High or Extremely High Baseline Water Stress

1 The entity shall disclose the amount of water, in thousands of cubic meters, that was withdrawn from all sources.

  1.1 Water sources include surface water (including water from wetlands, rivers, lakes, and oceans), groundwater, rainwater collected directly and stored by the entity, and water and wastewater obtained from municipal water supplies, water utilities, or other entities.

2 The entity may disclose portions of its supply by source if, for example, significant portions of withdrawals are from non-freshwater sources.

  2.1 Fresh water may be defined according to the local laws and regulations where the entity operates. Where there is no legal definition, fresh water shall be considered to be water that has less than 1,000 parts per million of dissolved solids per the U.S. Geological Survey.

  2.2 Water obtained from a water utility in compliance with U.S. National Primary Drinking Water Regulations can be assumed to meet the definition of fresh water.

3 The entity shall disclose the amount of water, in thousands of cubic meters, that was consumed in its operations.

  3.1 Water consumption is defined as:

    3.1.1 Water that evaporates during withdrawal, usage, and discharge;

    3.1.2 Water that is directly or indirectly incorporated into the entity’s product or service;

    3.1.3 Water that does not otherwise return to the same catchment area from which it was withdrawn, such as water returned to another catchment area or the sea.

4 The entity shall analyze all of its operations for water risks and identify activities that withdraw and consume water in locations with High (40–80 percent) or Extremely High (>80 percent) Baseline Water Stress as classified by the World Resources Institute’s (WRI) Water Risk Atlas tool, Aqueduct.

5 The entity shall disclose its water withdrawn in locations with High or Extremely High Baseline Water Stress as a percentage of the total water withdrawn.

6 The entity shall disclose its water consumed in locations with High or Extremely High Baseline Water Stress as a percentage of the total water consumed.


TC-SI-130a.3. Discussion of the integration of environmental considerations into strategic planning for data center needs

1 The entity shall describe its approach to the integration of environmental considerations, including energy and water use, into strategic planning for data centers.

2 Discussion shall include, but is not limited to, how environmental factors impact the entity’s decisions regarding the siting, design, construction, refurbishment, and operations of data centers.

  2.1 Environmental factors and criteria may include, but are not limited to:

    2.1.1 Location-based environmental factors, such as regional humidity, average temperature, and water availability.

    2.1.2 Environmental regulations, such as energy efficiency standards and national- or state-level carbon legislation on pricing, and carbon intensity of grid electricity.

3 The scope of disclosure includes considerations for existing owned data centers, development of new data centers, and outsourcing of data center services, where relevant.


Data Privacy & Freedom of Expression

Topic Summary

As software and IT services companies increasingly deliver products and services over the Internet and through mobile devices, they must carefully manage two separate and often conflicting priorities. On the one hand, companies use customer data to innovate and provide customers with new products and services and to generate revenues. On the other hand, there are privacy concerns associated with companies having access to a wide range of customer data, such as personal, demographic, content, and behavioral data. This dynamic is leading to increased regulatory scrutiny in many countries around the world. The delivery of cloud-based software and IT services also raises concerns about potential access to user data by governments that may use it to limit the freedoms of citizens. Effective management in this area is important to reduce regulatory and reputational risks that can lead to decreased revenues, lower market share, and regulatory actions involving potential fines and other legal costs.

Accounting Metrics

TC-SI-220a.1. Description of policies and practices relating to behavioral advertising and user privacy

1 The entity shall describe the nature, scope, and implementation of its policies and practices related to user privacy, with a specific focus on how it addresses the collection, usage, and retention of user information.

  1.1 User information includes information that pertains to a user’s attributes or actions, including but not limited to, account statements, transaction records, records of communications, content of communications, demographic data, behavioral data, location data, and/or personally identifiable information (PII).

  1.2 Demographic data are defined as the quantifiable statistics that identify and distinguish a given population. Examples of demographic data include gender, age, race/ethnicity, knowledge of languages, disabilities, mobility, home ownership, and employment status.

  1.3 Behavioral data are defined as the product of tracking, measuring, and recording individual behaviors, such as online browsing patterns, buying habits, brand preferences, and product usage patterns.

  1.4 Location data are defined as data describing the physical location or movement patterns of an individual, such as Global Positioning System (GPS) coordinates or other related data that would enable identifying and tracking an individual’s physical location.

  1.5 PII is defined as any information about an individual that is maintained by an entity, including (1) any information that can be used to distinguish or trace an individual’s identity, such as name, Social Security Number (SSN), date and place of birth, mother’s maiden name, or biometric records; and (2) any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information. This definition is derived from the U.S. Government Accountability Office’s Report to Congressional Requesters, Alternatives Exist for Enhancing Protection of Personally Identifiable Information.

2 The entity shall describe the information “lifecycle” (i.e., collection, usage, retention, processing, disclosure, and destruction of information) and how information-handling practices at each stage may affect individuals’ privacy.

  2.1 With respect to data collection, it may be relevant for the entity to discuss which data or types of data are collected without the consent of an individual, which require opt-in consent, and which require opt-out action from the individual.

  2.2 With respect to usage of data, it may be relevant for the entity to discuss which data or types of data are used by the entity internally, and under which circumstances the entity shares, sells, rents, or otherwise distributes data or information to third parties.

  2.3 With respect to retention, it may be relevant for the entity to discuss which data or types of data it retains, the length of time of retention, and practices used to ensure that data is stored securely.

3 The entity shall discuss the degree to which its policies and practices address similar issues as those outlined in the U.S. Office of Management and Budget’s (OMB) “Guidance for Implementing the Privacy Provisions of the E-Government Act of 2002 (M-03-22),” including use of Privacy Impact Assessments (PIAs).

  3.1 A PIA is an analysis of how information is handled that ensures handling conforms to applicable legal, regulatory, and policy requirements regarding privacy; determines the risks and effects of collecting, maintaining, and disseminating information in identifiable form in an electronic information system; and examines and evaluates protections and alternative processes for handling information in order to mitigate potential privacy risks.

  3.2 As outlined by OMB M-03-22, PIAs must analyze and describe: (a) what information is to be collected, (b) why the information is being collected, (c) the intended use of the information, (d) with whom the information will be shared, (e) what opportunities individuals have to decline to provide information (i.e., where providing information is voluntary) or to consent to particular uses of the information (other than required or authorized uses), including how individuals can grant consent, and (f) how the information will be secured, among other government-specific requirements.

4 The entity shall discuss how its policies and practices related to privacy of user information address children’s privacy, which at a minimum includes the provisions of the U.S. Children’s Online Privacy Protection Act (COPPA).

5 The scope of disclosure includes both first- and third-party advertising.

6 With respect to behavioral advertising, the entity may describe how it addresses the following principles, described by the cross-industry Self-Regulatory Principles for Online Behavioral Advertising:

  6.1 Education: participation in educational efforts for consumers about behavioral online advertising

  6.2 Transparency: clearly disclosing information about data collection and data use practices

  6.3 Consumer control: allowing users to choose whether data is collected or transferred to non-affiliates

  6.4 Data security: providing basic security provisions and having clear policies relating to retention of user information

  6.5 Material changes: obtaining consent before applying changes to policies that are less restrictive than existing ones

  6.6 Sensitive data: abiding by COPPA, and handling user data such as financial information, Social Security numbers, and medical information

  6.7 Accountability: participation in self-regulatory organizations such as the Direct Marketing Association

TC-SI-220a.2. Number of users whose information is used for secondary purposes

1 The entity shall disclose the number of unique users whose information is used for secondary purposes.

1.1 User information includes information that pertains to a user’s attributes or actions, including but not limited

to, account statements, transaction records, records of communications, content of communications,

demographic data, behavioral data, location data, and/or personally identifiable information (PII).

1.1.1 Demographic data are defined as the quantifiable statistics that identify and distinguish a given

population. Examples of demographic data include gender, age, race/ethnicity, knowledge of

languages, disabilities, mobility, home ownership, and employment status.

1.1.2 Behavioral data are defined as the product of tracking, measuring, and recording individual behaviors

such as online browsing patterns, buying habits, brand preferences, and product usage patterns.

1.1.3 Location data are defined as data describing the physical location or movement patterns of an

individual, such as Global Positioning System (GPS) coordinates or other related data that would enable

identifying and tracking an individual’s physical location.

1.1.4 PII is defined as any information about an individual that is maintained by an entity, including: (1) any

information that can be used to distinguish or trace an individual’s identity, such as name, Social

Security Number (SSN), date and place of birth, mother’s maiden name, or biometric records; and (2)

any other information that is linked or linkable to an individual, such as medical, educational, financial,

and employment information. This definition is derived from the U.S. Government Accountability

Office’s Report to Congressional Requesters, Alternatives Exist for Enhancing Protection of Personally

Identifiable Information.

1.2 Secondary purpose is defined as the intentional use of data by the entity (i.e., not a breach of security) that is

outside the primary purpose for which the data was collected. Examples of secondary purposes include, but

are not limited to, selling targeted ads, improving the entity’s products or service offerings, and transferring

data or information to a third party through sale, rental, or sharing.

1.3 User accounts that the entity cannot verify as belonging to the same individual shall be disclosed separately.

2 The scope of disclosure shall include the users whose information is used by the entity itself for secondary purposes

as well as the users whose information is provided to affiliates or non-affiliates to use for secondary purposes.

2.1 Affiliate is defined as an entity that directly or indirectly controls, is controlled by, or is under common control

with the entity.

2.2 Non-affiliates are all third parties other than the entity and its affiliates.

TC-SI-220a.3. Total amount of monetary losses as a result of legal proceedings associated with user privacy

1 The entity shall disclose the total amount of monetary losses it incurred during the reporting period as a result of

legal proceedings associated with incidents relating to user privacy.

2 The legal proceedings shall include any adjudicative proceeding in which the entity was involved, whether before a

court, a regulator, an arbitrator, or otherwise.

3 The losses shall include all monetary liabilities to the opposing party or to others (whether as the result of settlement

or verdict after trial or otherwise), including fines and other monetary liabilities incurred during the reporting period

as a result of civil actions (e.g., civil judgments or settlements), regulatory proceedings (e.g., penalties, disgorgement,

or restitution), and criminal actions (e.g., criminal judgment, penalties, or restitution) brought by any entity (e.g.,

governmental, business, or individual).

4 The scope of monetary losses shall exclude legal and other fees and expenses incurred by the entity in its defense.

5 The scope of disclosure shall include, but is not limited to, legal proceedings associated with the enforcement of

relevant industry regulations, such as:

5.1 California Consumer Privacy Act

5.2 EU Directive 2002/58/EC (ePrivacy Directive)

5.3 EU-U.S. Privacy Shield

5.4 EU’s General Data Protection Regulation (GDPR) (EU) 2016/679

5.5 Japan’s Act on the Protection of Personal Information

5.6 U.S. Children’s Online Privacy Protection Act

5.7 U.S. Federal Trade Commission Privacy Act

6 The scope of disclosure shall include, but is not limited to, legal proceedings associated with the enforcement of

relevant industry regulations promulgated by regional, national, state, and local regulatory authorities, such as:

6.1 European Data Protection Supervisor

6.2 Japan’s Personal Information Protection Commission

6.3 U.S. Federal Trade Commission

Note to TC-SI-220a.3

1 The entity shall briefly describe the nature (e.g., judgment or order issued after trial, settlement, guilty plea, deferred

prosecution agreement, non-prosecution agreement) and context (e.g., unauthorized monitoring, sharing of data,

children’s privacy) of all monetary losses as a result of legal proceedings.

2 The entity shall describe any corrective actions it has implemented as a result of the legal proceedings. This may

include, but is not limited to, specific changes in operations, management, processes, products, business partners,

training, or technology.

TC-SI-220a.4. (1) Number of law enforcement requests for user information, (2) number of users whose information was requested, (3) percentage resulting in disclosure

1 The entity shall disclose (1) the total number of unique requests for user information, including user content and

non-content data, from government or law enforcement agencies.

1.1 Content data includes user-generated information such as email text or recorded phone conversation.

1.2 Non-content data includes information such as an email address, a person’s name, country of residence, or

gender, or system-generated data such as IP addresses and traffic data.

1.3 Both content and non-content data can include personally identifiable information (PII).

1.3.1 PII is defined as any information about an individual that is maintained by an entity, including (a) any

information that can be used to distinguish or trace an individual’s identity, such as name, Social

Security Number (SSN), date and place of birth, mother’s maiden name, or biometric records; and (b)

any other information that is linked or linkable to an individual, such as medical, educational, financial,

and employment information. This definition is derived from the U.S. Government Accountability

Office’s Report to Congressional Requesters, Alternatives Exist for Enhancing Protection of Personally

Identifiable Information.

2 The entity shall disclose (2) the total number of unique users whose information was requested by government or

law enforcement agencies.

2.1 The number of records requested shall be calculated as the sum of unique users whose user information was

requested across all requests for information from government or law enforcement agencies received during

the reporting period.

2.1.1 If the entity is not able to verify that two records (i.e., user information) belong to the same user, the

entity shall consider this two users.

3 The entity shall disclose (3) the percentage of government and law enforcement requests that resulted in disclosure

to the requesting party.

3.1 The percentage shall be calculated as the number of unique requests that resulted in disclosure to the

requesting party divided by the total number of unique requests received.

3.2 The scope of requests that resulted in disclosure shall include requests that resulted in full or partial

compliance with the disclosure request within the reporting period.

3.3 The scope of the requests that resulted in disclosure shall include disclosure of aggregated, de-identified, and

anonymized data, which is intended to prevent the recipient from reconfiguring the data to identify an

individual’s actions or identity.

3.3.1 The entity may discuss whether these characteristics apply to a portion of its data releases if this

discussion would provide necessary context for interpretation of the entity disclosure.

4 The entity may additionally break down its disclosure by region or country.

5 The entity may describe its policy for determining whether to comply with a request for user data, including under

what conditions it will release user data, what requirements must be met in the request, and the level of

management approval required.

6 The entity may describe its policy for notifying users about such requests, including the timing of notification.
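Worked example for TC-SI-220a.4, added for this page and not part of the SASB standard or any reporting company's tooling: it computes the three disclosed figures from a constructed register of government and law-enforcement requests, applying the unique-request rule (paragraph 1), the user-counting rule for records that cannot be verified as the same person (2.1.1), the treatment of full, partial and aggregated releases as disclosures (3.2, 3.3) and the optional per-country breakdown (4). The record layout (Request, UserRecord) and the outcome labels are assumptions made for the example.

```python
"""Worked example for TC-SI-220a.4 (added illustration, not SASB's or any
reporter's code). Record layout and outcome labels are assumptions."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class UserRecord:
    record_id: str
    verified_user_id: Optional[str]  # None when the record cannot be tied to a known user


@dataclass(frozen=True)
class Request:
    request_id: str
    country: str
    outcome: str  # "full", "partial", "aggregated" or "none"
    records: tuple  # UserRecords named in the request


# Paragraph 3.2 counts full and partial compliance; 3.3 adds aggregated,
# de-identified and anonymized releases. Only "none" is a non-disclosure.
DISCLOSED_OUTCOMES = {"full", "partial", "aggregated"}


def unique_requests(register: List[Request]) -> List[Request]:
    """Paragraph 1: the same legal process logged twice is one request."""
    seen: Dict[str, Request] = {}
    for r in register:
        seen.setdefault(r.request_id, r)
    return list(seen.values())


def count_users(requests: List[Request]) -> int:
    """Paragraphs 2.1 / 2.1.1: sum of unique users across all requests; a record
    that cannot be verified as belonging to an already-counted user is one more user."""
    verified = set()
    unverified = 0
    for r in requests:
        for rec in r.records:
            if rec.verified_user_id is None:
                unverified += 1
            else:
                verified.add(rec.verified_user_id)
    return len(verified) + unverified


def tc_si_220a_4(register: List[Request]) -> dict:
    """Returns (1) unique requests, (2) users, (3) % disclosed, plus a per-country view."""
    reqs = unique_requests(register)
    disclosed = [r for r in reqs if r.outcome in DISCLOSED_OUTCOMES]
    by_country = defaultdict(lambda: {"requests": 0, "disclosed": 0})
    for r in reqs:
        by_country[r.country]["requests"] += 1
        if r.outcome in DISCLOSED_OUTCOMES:
            by_country[r.country]["disclosed"] += 1
    for c in by_country.values():
        c["pct_disclosed"] = round(100.0 * c["disclosed"] / c["requests"], 1)
    return {
        "requests": len(reqs),
        "users": count_users(reqs),
        "pct_disclosed": round(100.0 * len(disclosed) / len(reqs), 1) if reqs else 0.0,
        "by_country": dict(by_country),
    }


# Constructed sample register (not real data). Request R3 is logged twice.
SAMPLE_REQUESTS = [
    Request("R1", "US", "full", (UserRecord("rec1", "u1"), UserRecord("rec2", "u2"))),
    Request("R2", "US", "none", (UserRecord("rec3", "u2"), UserRecord("rec4", None))),
    Request("R3", "DE", "partial", (UserRecord("rec5", None), UserRecord("rec6", None))),
    Request("R3", "DE", "partial", (UserRecord("rec5", None), UserRecord("rec6", None))),
    Request("R4", "DE", "aggregated", (UserRecord("rec7", "u3"),)),
]

if __name__ == "__main__":
    print(tc_si_220a_4(SAMPLE_REQUESTS))
```

On the sample register the function reports four unique requests, six users (three verified identities plus three records that could not be tied to them), 75% disclosed overall, 50% for the US and 100% for DE. The point the code makes explicit is that a partial or aggregated release still counts as a disclosure in the numerator, so a high percentage does not by itself mean full content was handed over; paragraph 3.3.1 exists for exactly that context.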

TC-SI-220a.5. List of countries where core products or services are subject to government-required monitoring, blocking, content filtering, or censoring

1 The entity shall disclose a list of the countries where its products and services are monitored, blocked, or content is

filtered or censored due to governmental, judicial, or law enforcement requests or requirements, where:

1.1 Monitoring occurs when a government authority or law enforcement agency has routine access to content or

non-content data of specific users or of all users of a particular product or service.

1.2 Blocking occurs when the entity is prohibited by law or government authority from providing some or all of

the entity’s products or services in a country.

1.3 Content filtering or censoring occurs when a government authority alters access to, or display of, content of a

product or service either directly by overriding service provision, or indirectly by requiring that a company

remove certain content. Examples include content that is considered politically or culturally sensitive.

2 The scope of this disclosure includes company operations that have been discontinued, or were never offered, in a

region due to government activity related to monitoring, blocking, content filtering, or censoring.

Note to TC-SI-220a.5

1 The entity shall describe the extent of monitoring, blocking, content filtering, or censorship across its product or

service lines, including the specific products affected, nature and duration of impact, and percent of customers

affected.

2 The entity may discuss implications of blocking or censorship, such as affecting ability to grow market share, or

increased costs to comply with these restrictions.

3 For products and services that have been modified in a manner material to their functionality, the entity shall identify

the product or service affected and discuss the nature of the modification, indicating whether modification was

undertaken to avoid monitoring or blocking, or to enable monitoring or blocking. The entity shall describe how the

modified product or service differs from the product or service offering in its home country or other significant

markets.

4 Where relevant, the entity shall discuss its policies and practices related to freedom of expression, including how they

influence its decision making when operating in countries that may request or require some form of monitoring,

blocking, content filtering, or censoring of the entity’s content.

Data Security

Topic Summary

Software & IT services companies are targets of growing data security threats from cyber attacks and social engineering,

which puts their own data and their customers’ data at risk. Inadequate prevention, detection, and remediation of data

security threats can influence customer acquisition and retention and result in decreased market share and lower demand

for the company’s products. In addition to reputational damage and customer turnover, data breaches can also result in

increased expenses, commonly associated with remediation efforts such as identity protection offerings and employee

training on data protection. Meanwhile, new and emerging data security standards and regulations are likely to affect the

operating expenses of companies through increased costs of compliance. Additionally, companies in this industry are well-

positioned to uncover revenue opportunities by providing secure software and services to meet the demand for ensuring

data is kept secure.

Accounting Metrics

TC-SI-230a.1. (1) Number of data breaches, (2) percentage involving personally identifiable information (PII), (3) number of users affected

1 The entity shall calculate and disclose (1) the total number of data breaches identified during the reporting period.

1.1 Data breach is defined as the unauthorized movement or disclosure of sensitive information to a party, usually

outside the organization, that is not authorized to have or see the information. This definition is derived from

the U.S. National Initiative for Cybersecurity Careers and Studies (NICCS) glossary.

1.2 The scope of disclosure is limited to data breaches that resulted in a deviation from the entity’s expected

outcomes for confidentiality and/or integrity.

2 The entity shall disclose (2) the percentage of data breaches in which personally identifiable information (PII) was

subject to the data breach.

2.1 PII is defined as any information about an individual that is maintained by an entity, including: (1) any

information that can be used to distinguish or trace an individual’s identity, such as name, Social Security

Number (SSN), date and place of birth, mother’s maiden name, or biometric records; and (2) any other

information that is linked or linkable to an individual, such as medical, educational, financial, and employment

information. This definition is derived from the U.S. Government Accountability Office’s Report to

Congressional Requesters, Alternatives Exist for Enhancing Protection of Personally Identifiable Information.

2.2 The scope of disclosure shall include incidents in which encrypted data were acquired with an encryption key

that was also acquired, as well as if there is a reasonable belief that encrypted data could be readily converted

to plaintext.

2.2.1 Encryption is defined as the process of transforming plaintext into ciphertext. This definition is derived

from the NICCS glossary.

2.3 The scope of disclosure is limited to breaches in which users were notified of the breach, either as required by

law or voluntarily by the entity.

3 The entity shall disclose (3) the total number of unique users who were affected by data breaches, which includes all

those whose personal data was compromised in a data breach.

3.1 Accounts that the entity cannot verify as belonging to the same user shall be disclosed separately.

4 The entity may delay disclosure if a law enforcement agency has determined that notification impedes a criminal

investigation or until the law enforcement agency determines that such notification does not compromise the

investigation.
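Worked example for TC-SI-230a.1, added for this page and not part of the SASB standard or any reporter's tooling: it derives (1) the breach count, (2) the percentage involving PII and (3) the affected users from a constructed incident register, applying the confidentiality/integrity scope rule (1.2), the encrypted-data rule (2.2), the notification rule (2.3) and the separate disclosure of unverifiable accounts (3.1). The Breach fields are assumptions, and the example treats the notification filter in 2.3 as limiting all three figures, which is one reading of the text.

```python
"""Worked example for TC-SI-230a.1 (added illustration, not SASB's or any
reporter's code). The Breach fields are assumptions made for the example."""
from dataclasses import dataclass, field
from typing import List


@dataclass
class Breach:
    incident_id: str
    users_notified: bool                  # 2.3: notified by law or voluntarily
    c_or_i_deviation: bool                # 1.2: confidentiality and/or integrity affected
    contains_pii: bool
    encrypted: bool = False
    key_also_acquired: bool = False       # 2.2
    readily_decryptable: bool = False     # 2.2 "reasonable belief"
    affected_user_ids: List[str] = field(default_factory=list)       # verified individuals
    unverified_account_ids: List[str] = field(default_factory=list)  # 3.1: cannot be tied to a user


def in_scope(b: Breach) -> bool:
    """Paragraphs 1.2 and 2.3 (2.3 applied to all three figures; an assumption)."""
    return b.c_or_i_deviation and b.users_notified


def pii_exposed(b: Breach) -> bool:
    """Paragraph 2.2: encrypted PII counts only if the key went with it or the
    ciphertext is reasonably believed to be convertible to plaintext."""
    if not b.contains_pii:
        return False
    if not b.encrypted:
        return True
    return b.key_also_acquired or b.readily_decryptable


def tc_si_230a_1(register: List[Breach]) -> dict:
    """Returns the three disclosed figures plus the separately disclosed account count."""
    scoped = [b for b in register if in_scope(b)]
    pii_breaches = [b for b in scoped if pii_exposed(b)]
    users, accounts = set(), set()
    for b in scoped:
        users.update(b.affected_user_ids)
        accounts.update(b.unverified_account_ids)
    return {
        "breaches": len(scoped),
        "pct_pii": round(100.0 * len(pii_breaches) / len(scoped), 1) if scoped else 0.0,
        "users_affected": len(users),
        "unverified_accounts": len(accounts),  # disclosed separately per 3.1
        "out_of_scope": [b.incident_id for b in register if not in_scope(b)],
    }


# Constructed sample register (not real incidents).
SAMPLE_BREACHES = [
    # Plaintext export of customer records; users notified.
    Breach("INC-1", True, True, True, affected_user_ids=["a", "b", "c"]),
    # Encrypted backup stolen, key not taken and no known weakness: not a PII breach for (2).
    Breach("INC-2", True, True, True, encrypted=True, affected_user_ids=["c", "d"]),
    # Encrypted database plus its key taken from the same host: counts as PII.
    Breach("INC-3", True, True, True, encrypted=True, key_also_acquired=True,
           affected_user_ids=["e"], unverified_account_ids=["acct-x"]),
    # Contained internally, no one notified: outside 2.3.
    Breach("INC-4", False, True, True, affected_user_ids=["f"]),
    # Logged as a breach but investigation found no confidentiality or integrity deviation: outside 1.2.
    Breach("INC-5", True, False, False),
]

if __name__ == "__main__":
    print(tc_si_230a_1(SAMPLE_BREACHES))
```

On the sample register three breaches are in scope, two of them (66.7%) involve PII, five unique users are affected and one unverifiable account is reported separately. The encrypted-data rule is the part worth attention: INC-2 and INC-3 both lost ciphertext, but only the one where the key travelled with the data is a PII breach for figure (2), which is why key custody (separate host, HSM or KMS) changes a reportable number and not just a risk score.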

Note to TC-SI-230a.1

1 The entity shall describe the corrective actions taken in response to data breaches, such as changes in operations,

management, processes, products, business partners, training, or technology.

1.1 The U.S. SEC’s Commission Statement and Guidance on Public Company Cybersecurity Disclosures may

provide further guidance on disclosures on the corrective actions taken in response to data breaches.

2 All disclosure shall be sufficient such that it is specific to the risks the entity faces, but disclosure itself will not

compromise the entity’s ability to maintain data privacy and security.

3 The entity may disclose its policy for disclosing data breaches to affected users in a timely manner.

TC-SI-230a.2. Description of approach to identifying and addressing data security risks, including use of third-party cybersecurity standards

1 The entity shall describe its approach to identifying vulnerabilities in its information systems that pose a data security

risk.

1.1 Vulnerability is defined as a weakness in an information system, system security procedures, internal controls,

and/or implementation that could be exploited.

1.2 Data security risk is defined as any circumstance or event with the potential to adversely impact organizational

operations (including mission, functions, image, or reputation), organizational assets, individuals, other

organizations, or nations through an information system via unauthorized access, destruction, disclosure,

modification of information, and/or denial of service.

2 The entity shall describe its approach to addressing data security risks and vulnerabilities it has identified, including,

but not limited to, operational procedures, management processes, structure of products, selection of business

partners, employee training, and use of technology.

3 The entity shall describe its use of third-party cybersecurity risk management standards.

3.1 Third-party cybersecurity risk management standards are defined as standards, frameworks, and/or guidance

developed by a third-party with the explicit purpose of aiding companies in identifying cybersecurity threats,

and/or preventing, responding to, and/or remediating cybersecurity incidents.

3.2 Examples of third-party cybersecurity risk management standards include, but are not limited to:

3.2.1 The American Institute of Certified Public Accountants’ (AICPA) Service Organization Controls (SOC) for

Cybersecurity

3.2.2 ISACA’s COBIT 5

3.2.3 ISO/IEC 27000-series

3.2.4 National Institute of Standards and Technology’s (NIST) Framework for Improving Critical Infrastructure

Cybersecurity, Version 1.1

3.3 Disclosure shall include, but is not limited to:

3.3.1 Identification of the specific cybersecurity risk management standard(s) that have been implemented or

are otherwise in use

3.3.2 Description of the extent of its use of cybersecurity risk management standard(s), such as by applicable

operations, business unit, geography, product, or information system

3.3.3 The role of cybersecurity risk management standards in the entity’s overall approach to identifying

vulnerabilities in its information systems and addressing data security risks and vulnerabilities

3.3.4 If the third-party verification of the use of cybersecurity risk management standards is conducted,

including independent examinations or audits

3.3.5 Ongoing activities and initiatives related to increasing the use of cybersecurity risk management

standards, even if such standards are not currently in use

4 The entity may discuss trends it has observed in type, frequency, and origination of attacks to its data security and

information systems.

5 The U.S. SEC’s Commission Statement and Guidance on Public Company Cybersecurity Disclosures may provide

further guidance on disclosures on the entity’s approach to addressing data security risks and vulnerabilities.

6 All disclosure shall be sufficient such that it is specific to the risks the entity faces but disclosure itself would not

compromise the entity’s ability to maintain data privacy and security.

Recruiting & Managing a Global, Diverse & Skilled Workforce

Topic Summary

Employees are key contributors to value creation in the Software & IT Services industry. While the number of job openings

in the industry continues to grow, companies commonly find it difficult to recruit qualified employees to fill these

positions. The shortage in technically skilled domestic employees has created intense competition to acquire highly skilled

employees, contributing to high employee turnover rates. To respond to talent shortages, companies often hire foreign

nationals and offshore operations, creating employee management and sustainability challenges and related business

risks. Some companies contribute to relevant education and training programs to expand the availability of domestic,

skilled employees. Companies offer significant monetary and non-monetary benefits to improve employee engagement

and therefore retention and productivity. Initiatives to improve employee engagement and work-life balance may

influence the recruitment and retention of a diverse workforce. The industry is characterized by relatively low

representation from women and minority groups; efforts to recruit from and develop diverse talent pools can serve to

address the talent shortage and generally improve the value of company offerings. Greater workforce diversity is

important for innovation and helps companies understand the needs of their diverse and global customer base.

Accounting Metrics

TC-SI-330a.1. Percentage of employees that are (1) foreign nationals and (2) located offshore

1 The entity shall disclose (1) the percentage of employees that are foreign nationals.

1.1 Foreign nationals are defined as anyone requiring an employment visa for work in the country in which he or

she is employed.

1.2 The percentage shall be calculated as the number of employees that are foreign nationals divided by the total

number of the entity’s employees.

2 The entity shall disclose (2) the percentage of employees that are located offshore from the entity’s country of

domicile, by region.

2.1 The percentage shall be calculated as the number of employees that are located offshore from the entity’s

country of domicile divided by the total number of the entity’s employees.

Note to TC-SI-330a.1

1 The entity shall describe potential risks from recruiting foreign nationals and/or offshore employees, which may arise

from immigration, naturalization, or visa regulations; loss of control; threats to intellectual property; or cultural or

political sensitivities.

2 The entity shall describe management’s approach to addressing the risks it has identified related to recruiting foreign

nationals, which may include developing local talent pools, political lobbying for immigration reform, outsourcing of

operations, or joining or forming industry partnerships.

3 The entity shall describe management’s approach to addressing the additional risks it has identified related to

conducting offshore business activities, which may include implementing safeguards for data security, piracy, and IP

protection and diversifying the locations of offshore operations.

TC-SI-330a.2. Employee engagement as a percentage

1 The entity shall disclose employee engagement as a percentage.

1.1 Employee engagement levels include, but are not limited to:

1.1.1 Actively engaged

1.1.2 Not engaged

1.1.3 Passive

1.1.4 Actively disengaged

1.2 If employee engagement is measured as an index (e.g., strength of employee agreement with a survey

statement), the entity shall convert the index into a percentage for this disclosure. The percentage shall be

calculated as the number of employees who are actively engaged divided by the total number of employees

who completed the survey.

2 The percentage shall be calculated based on the results of an employee engagement survey or research study

conducted by the entity, by an external party contracted by the entity to perform such a study, or by an independent

third party.

Note to TC-SI-330a.2

1 The entity shall briefly describe:

1.1 The source of its survey (e.g., third-party survey or entity’s own)

1.2 The methodology used to calculate the percentage

1.3 A summary of questions or statements included in the survey or study (e.g., those related to goal setting,

support to achieve goals, training and development, work processes, and commitment to the organization)

2 When the survey methodology has changed compared to previous reporting years, the entity shall indicate results

based on both the old and new methods for the year in which the change is made.

3 If results are limited to a subset of employees, the entity shall include the percentage of employees included in the

study or survey, and the representativeness of the sample.

4 The entity may disclose results of other survey findings such as the percentage of employees who are: proud of their

work/where they work, inspired by their work/co-workers, and aligned with corporate strategy and goals.

TC-SI-330a.3. Percentage of gender and racial/ethnic group representation for (1) management, (2) technical staff, and (3) all other employees

1 The entity shall disclose gender representation for all employees and racial/ethnic group representation for its U.S.

employees by employee category.

1.1 The following employee categories shall be used: (1) management, (2) technical staff, and (3) all other

employees.

2 Gender and racial/ethnic group representation shall be disclosed in percentages, where the percentage shall be

calculated as the number of employees in each gender or racial/ethnic group in each employee category divided by

the total number of employees in the respective employee category.

3 For U.S. employees, the entity shall categorize the employees in accordance with the Equal Employment Opportunity

Commission’s Employer Information EEO-1 report (EEO-1 Survey) Instruction Booklet, where each employee category

for disclosure is defined by corresponding job categories and descriptions in the Instruction Booklet:

3.1 Management includes the following:

3.1.1 Executives/Senior Level Officials and Managers: individuals who plan, direct and formulate policies, set

strategy and provide the overall direction of enterprises/organizations for the development and delivery

of products or services, within the parameters approved by boards of directors or other governing

bodies. Residing in the highest levels of organizations, these executives plan, direct or coordinate

activities with the support of subordinate executives and staff managers. They include, in larger

organizations, those individuals within two reporting levels of the CEO, whose responsibilities require

frequent interaction with the CEO. Examples of these kinds of managers are: chief executive officers,

chief operating officers, chief financial officers, line of business heads, presidents or executive vice

presidents of functional areas or operating groups, chief information officers, chief human resources

officers, chief marketing officers, chief legal officers, management directors and managing partners.

3.1.2 Non-executive management includes First/Mid Level Officials and Managers: individuals who serve as

managers, other than those who serve as Executive/Senior Level Officials and Managers, including

those who oversee and direct the delivery of products, services or functions at group, regional or

divisional levels of organizations. These managers receive directions from the Executive/Senior Level

management and typically lead major business units. They implement policies, programs and directives

of executive/senior management through subordinate managers and within the parameters set by

Executive/Senior Level management. Examples of these kinds of managers are: vice presidents and

directors, group, regional or divisional controllers; treasurers; human resources, information systems,

marketing, and operations managers. The First/Mid Level Officials and Managers subcategory also

includes those who report directly to middle managers. These individuals serve at functional, line of

business segment or branch levels and are responsible for directing and executing the day-to-day

operational objectives of enterprises/organizations, conveying the directions of higher level officials and

managers to subordinate personnel and, in some instances, directly supervising the activities of exempt

and non-exempt personnel. The EEO-1 Job Classification Guide provides examples of job titles in this

category.

3.2 Technical staff includes employees categorized in the 15-0000 group (Computer and Mathematical

Occupations) or 17-0000 group (Architecture and Engineering Occupations) of the U.S. Bureau of Labor

Statistics’ 2018 Standard Occupational Classification System.

3.3 All other employees includes those employees who are not classified as management or technical staff.

4 For non-U.S. employees, the entity shall categorize the employees in a manner generally consistent with the

definitions provided above, though in accordance with, and further facilitated by, any applicable local regulations,

guidance, or generally accepted definitions.

5 The entity shall categorize the gender of its employees as female, male, or not disclosed/available.

6 The entity shall categorize the racial/ethnic group of its U.S. employees in accordance with the EEO-1 Survey

Instruction Booklet and use the following categories: Asian, Black or African American, Hispanic or Latino, White,

Other (which includes Native American or Alaska Native, Native Hawaiian or Pacific Islander, and “Two or More

Races” classifications), or not disclosed/available.

7 The entity may provide supplemental disclosures on gender and/or racial/ethnic group representation by country or

region.

8 The entity may provide supplemental contextual disclosures on factors that significantly influence gender and/or

racial/ethnic group representation, such as the country or region where employees are located.

9 The entity may disclose gender and/or racial/ethnic group representation by employee category in the following table

formats:

Table 3. Gender Representation of Global Employees (%)

                       FEMALE    MALE    N/A *
Management
Technical Staff
All Other Employees

* N/A = not available or not disclosed

Table 4. Racial/Ethnic Group Representation of U.S. Employees (%)

                       ASIAN    BLACK OR AFRICAN AMERICAN    HISPANIC OR LATINO    WHITE    OTHER ^    N/A *
Management
Technical Staff
All Other Employees

^ Other includes the classifications: Native American or Alaska Native, Native Hawaiian or Pacific Islander, and “Two or More Races”

* N/A = not available or not disclosed

Note to TC-SI-330a.3

1 The entity shall describe its policies and programs for fostering equitable employee representation across its global operations.

1.1 Relevant policies may include maintaining transparency of hiring, promotion, and wage practices, ensuring equal employment opportunity, developing and disseminating diversity policies, and ensuring management accountability for equitable representation.

1.2 Relevant programs may include trainings on diversity, mentorship and sponsorship programs, partnership with employee resource and advisory groups, and provision of flexible work schedules to accommodate the varying needs of employees.

1.3 Relevant aspects of employee representation include, at a minimum, gender and race/ethnicity. The entity may disclose on other aspects of its workforce, such as age, physical abilities/qualities, sexual orientation, and religious beliefs, as relevant to local jurisdiction.


Intellectual Property Protection & Competitive Behavior

Topic Summary

Companies in the Software & IT Services industry spend a significant proportion of their revenues on IP protection, including acquiring patents and copyrights. While IP protection is inherent to the business model of some companies in the industry and is an important driver of innovation, companies’ IP practices can sometimes be a contentious societal issue. Companies could sometimes acquire patents and other IP protection to restrict competition and access to benefits from innovation, particularly if they are dominant market players. Due to the complexity of software, its abstract nature, and increasing IP rights protection related to software, companies in the industry must navigate overlapping patent claims to be able to operate. As a result, companies in the industry may find themselves constantly in litigation or subject to regulatory scrutiny, either because they face allegations of patent violations or of unethical business practices (or are perceived to engage in such practices), or because they are suing others for IP infringement. Adverse legal or regulatory rulings related to antitrust and IP can expose companies in the industry to costly and lengthy litigation and potential monetary losses as a result. Such rulings may also affect a company’s market share and pricing power if its patents or dominant position in key markets are legally challenged, with potentially significant impacts on revenue. Therefore, companies that can balance the protection of their IP and its use to spur innovation, while ensuring their IP management and other business practices do not unfairly restrict competition, have the potential to lower regulatory scrutiny and legal actions while protecting their market value.

Accounting Metrics

TC-SI-520a.1. Total amount of monetary losses as a result of legal proceedings associated with anti-competitive behavior regulations

1 The entity shall disclose the total amount of monetary losses it incurred during the reporting period as a result of legal proceedings associated with anti-competitive behavior such as those related to enforcement of laws and regulations on price fixing, anti-trust behavior (e.g., exclusivity contracts), patent misuse, or network effects and bundling of services and products to limit competition.

2 The legal proceedings shall include any adjudicative proceeding in which the entity was involved, whether before a court, a regulator, an arbitrator, or otherwise.

3 The losses shall include all monetary liabilities to the opposing party or to others (whether as the result of settlement or verdict after trial or otherwise), including fines and other monetary liabilities incurred during the reporting period as a result of civil actions (e.g., civil judgments or settlements), regulatory proceedings (e.g., penalties, disgorgement, or restitution), and criminal actions (e.g., criminal judgment, penalties, or restitution) brought by any entity (e.g., governmental, business, or individual).

4 The scope of monetary losses shall exclude legal and other fees and expenses incurred by the entity in its defense.


5 The scope of disclosure shall include, but is not limited to, legal proceedings associated with the enforcement of relevant regulations, such as:

5.1 Articles 101 to 109 of the Treaty on the Functioning of the European Union
5.2 Japan’s Act on Prohibition of Private Monopolization and Maintenance of Fair Trade
5.3 The U.S. Clayton Antitrust Act of 1914
5.4 The U.S. Federal Trade Commission Act of 1914
5.5 The U.S. Sherman Antitrust Act of 1890

6 The scope of disclosure shall include, but is not limited to, legal proceedings associated with the enforcement of relevant industry regulations promulgated by regional, national, state, and local regulatory authorities, such as:

6.1 Japan Fair Trade Commission
6.2 U.S. Federal Trade Commission

Note to TC-SI-520a.1

1 The entity shall briefly describe the nature (e.g., judgment or order issued after trial, settlement, guilty plea, deferred prosecution agreement, non-prosecution agreement) and context (e.g., price fixing, patent misuse, anti-trust) of all monetary losses as a result of legal proceedings.

2 The entity shall describe any corrective actions it has implemented as a result of the legal proceedings. This may include, but is not limited to, specific changes in operations, management, processes, products, business partners, training, or technology.


Managing Systemic Risks from Technology Disruptions

Topic Summary

With trends toward increased cloud computing and use of Software as a Service (SaaS), software and IT service providers need to ensure they have robust infrastructure and policies in place to minimize disruptions to their services. Disruptions such as programming errors or server downtime have the potential to generate systemic risks, as computing and data storage functions move from individual company servers in various industries to data centers of cloud-computing service providers. The risks are heightened particularly if the affected customers are in sensitive sectors, such as financial institutions or utilities, which are considered critical national infrastructure. Companies’ investments in improving the reliability and quality of their IT infrastructure and services are likely to affect their ability to attract and retain customers, thereby impacting revenues and opportunities in new markets.

Accounting Metrics

TC-SI-550a.1. Number of (1) performance issues and (2) service disruptions; (3) total customer downtime

1 The entity shall disclose (1) the number of performance issues in software and information technology (IT) services provided to customers.

1.1 Performance issues are defined as any planned or unplanned downtime causing an interruption, of more than 10 minutes but less than or equal to 30 minutes, in the provision of cloud-based services to customers.

1.2 Performance issues include, but are not limited to, those caused by technical failures, programming errors, cyber attacks, weather events, or natural disasters at hosting facilities.

2 The entity shall disclose (2) the number of service disruptions in software and IT services provided to customers.

2.1 Service disruptions are defined as any planned or unplanned downtime causing an interruption of more than 30 minutes in provision of cloud-based services to customers.

2.2 Service disruptions include, but are not limited to, those caused by technical failures, programming errors, cyber attacks, weather events, or natural disasters at hosting facilities.

3 The entity shall disclose (3) the total customer downtime related to performance issues and service disruptions in software and IT services provided to customers.

3.1 Total customer downtime is defined as the interruption duration of each service disruption multiplied by the number of software and IT services licenses affected, reported in license-days. For context, the entity shall indicate the licensing basis (e.g., number of seats, number of CPU cores, number of cloud subscriptions) and whether the licenses are consumption-based or capacity based.
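The duration thresholds and the license-days formula in TC-SI-550a.1, worked through in code as an added example; this is not part of the SASB standard and the incident records are constructed. Each incident is assigned to performance issue (more than 10 and up to 30 minutes), service disruption (more than 30 minutes), or out of scope (10 minutes or less), planned downtime counting the same as unplanned. Assumptions: the licensing basis is seats (capacity-based), which item 3.1 requires the reporter to state; the root-cause field exists only so the per-disruption context the Note asks for can be produced; and because item 3 says the downtime total relates to both performance issues and service disruptions while item 3.1 defines it per service disruption, the function takes a flag so either reading can be computed and the one used can be stated beside the figure.

```python
"""Worked computation of SASB metric TC-SI-550a.1 from incident records.

Added example, not part of the SASB standard. Sample data below is constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Thresholds from TC-SI-550a.1: more than 10 and up to 30 minutes is a
# performance issue; more than 30 minutes is a service disruption.
# Interruptions of 10 minutes or less fall outside the metric.
PERFORMANCE_ISSUE_MIN = 10
SERVICE_DISRUPTION_MIN = 30
MINUTES_PER_DAY = 24 * 60


@dataclass(frozen=True)
class Incident:
    incident_id: str
    start: datetime
    end: datetime
    licenses_affected: int  # assumed licensing basis: seats (must be stated in the disclosure)
    root_cause: str         # e.g. "technical failure", "cyber attack"; context for the Note
    planned: bool           # planned downtime counts exactly like unplanned downtime

    @property
    def minutes(self) -> float:
        return (self.end - self.start).total_seconds() / 60.0


def classify(incident: Incident) -> Optional[str]:
    """Map an incident to the metric's category, or None if it is 10 minutes or less."""
    m = incident.minutes
    if m > SERVICE_DISRUPTION_MIN:
        return "service_disruption"
    if m > PERFORMANCE_ISSUE_MIN:
        return "performance_issue"
    return None


def license_days(incident: Incident) -> float:
    """Interruption duration times licenses affected, in license-days (item 3.1)."""
    return incident.minutes * incident.licenses_affected / MINUTES_PER_DAY


def tc_si_550a_1(incidents: List[Incident],
                 include_performance_issues: bool = True) -> Dict[str, object]:
    """Return the three reported figures plus per-disruption context for the Note.

    include_performance_issues=True follows item 3 (downtime "related to performance
    issues and service disruptions"); False follows the narrower wording of item 3.1,
    which multiplies out each service disruption only.
    """
    counts = {"performance_issue": 0, "service_disruption": 0}
    downtime = 0.0
    disruption_detail = []
    for inc in incidents:
        category = classify(inc)
        if category is None:
            continue  # below the 10-minute floor: not counted anywhere
        counts[category] += 1
        if category == "service_disruption" or include_performance_issues:
            downtime += license_days(inc)
        if category == "service_disruption":
            disruption_detail.append({
                "incident_id": inc.incident_id,
                "duration_minutes": inc.minutes,
                "licenses_affected": inc.licenses_affected,
                "root_cause": inc.root_cause,
                "planned": inc.planned,
            })
    return {
        "performance_issues": counts["performance_issue"],
        "service_disruptions": counts["service_disruption"],
        "total_customer_downtime_license_days": downtime,
        "licensing_basis": "seats (capacity-based)",  # assumption, stated per item 3.1
        "service_disruption_detail": disruption_detail,
    }


def _at(day: int, hour: int, minute: int = 0) -> datetime:
    return datetime(2018, 3, day, hour, minute, tzinfo=timezone.utc)


# Constructed sample incidents (not real data). Durations chosen to exercise the
# 10-minute floor and the inclusive 30-minute boundary.
SAMPLE_INCIDENTS = [
    Incident("INC-001", _at(2, 9, 0), _at(2, 9, 8), 5000, "technical failure", False),      # 8 min: out of scope
    Incident("INC-002", _at(5, 1, 0), _at(5, 1, 30), 2400, "planned maintenance", True),    # 30 min: performance issue
    Incident("INC-003", _at(9, 14, 0), _at(9, 14, 45), 20000, "programming error", False),  # 45 min: service disruption
    Incident("INC-004", _at(17, 3, 0), _at(17, 5, 0), 1200, "cyber attack", False),         # 120 min: service disruption
    Incident("INC-005", _at(23, 22, 0), _at(23, 22, 15), 4800, "weather event", False),     # 15 min: performance issue
]

if __name__ == "__main__":
    for key, value in tc_si_550a_1(SAMPLE_INCIDENTS).items():
        print(f"{key}: {value}")
```

On the constructed data the 8-minute incident is dropped, the 30-minute incident lands on the performance-issue side of the boundary, and the two readings of the downtime total differ (825 versus 725 license-days), which is why the disclosure should say which reading it follows.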


Note to TC-SI-550a.1

1 For each significant service disruption, the entity shall disclose the duration of the disruption, the extent of impact, and the root cause, as well as any corrective actions taken to prevent future disruptions. Where material, the entity shall indicate the associated cost incurred, such as remediation costs to correct technology or process issues, as well as any liability costs.

2 A service disruption is considered significant if the cost to correct is material or if it is disruptive to a large number of customers or fundamental business operations in a manner that affects time to market, revenue capture, or other material parameters.

TC-SI-550a.2. Description of business continuity risks related to disruptions of operations

1 The entity shall describe potential business continuity risks associated with technology disruptions affecting operations.

1.1 Examples of disruptions include, but are not limited to, those caused by technical failures, programming errors, cyber attacks, weather events, or natural disasters at hosting facilities.

2 The entity shall discuss measures it implements to address business continuity risks, such as technologies or processes that reduce impacts from disruptions, enhance the resilience of systems, insure against loss, or provide redundancies to critical business operations.

3 The entity shall identify which critical business operations support cloud-based services, and shall further note whether those operations are owned or outsourced.

4 The entity may discuss the estimated amount of potential loss, the probability of that loss, and the associated time frame. These estimates may be based on insurance figures or other third-party or internal assessments of potential loss.


SUSTAINABILITY ACCOUNTING STANDARDS BOARD

1045 Sansome Street, Suite 450

San Francisco, CA 94111

415.830.9220

[email protected]

sasb.org

  • Software & IT Services
  • About SASB
  • Table of Contents
  • Introduction
    • Purpose of SASB Standards
    • Overview of SASB Standards
    • Use of the Standards
    • Industry Description
  • Sustainability Disclosure Topics & Accounting Metrics
    • Environmental Footprint of Hardware Infrastructure
      • Topic Summary
      • Accounting Metrics
        • TC-SI-130a.1. (1) Total energy consumed, (2) percentage grid electricity, (3) percentage renewable
        • TC-SI-130a.2. (1) Total water withdrawn, (2) total water consumed, percentage of each in regions with High or Extremely High Baseline Water Stress
        • TC-SI-130a.3. Discussion of the integration of environmental considerations into strategic planning for data center needs
    • Data Privacy & Freedom of Expression
      • Topic Summary
      • Accounting Metrics
        • TC-SI-220a.1. Description of policies and practices relating to behavioral advertising and user privacy
        • TC-SI-220a.2. Number of users whose information is used for secondary purposes
        • TC-SI-220a.3. Total amount of monetary losses as a result of legal proceedings associated with user privacy
        • TC-SI-220a.4. (1) Number of law enforcement requests for user information, (2) number of users whose information was requested, (3) percentage resulting in disclosure
        • TC-SI-220a.5. List of countries where core products or services are subject to government-required monitoring, blocking, content filtering, or censoring
    • Data Security
      • Topic Summary
      • Accounting Metrics
        • TC-SI-230a.1. (1) Number of data breaches, (2) percentage involving personally identifiable information (PII), (3) number of users affected
        • TC-SI-230a.2. Description of approach to identifying and addressing data security risks, including use of third-party cybersecurity standards
    • Recruiting & Managing a Global, Diverse & Skilled Workforce
      • Topic Summary
      • Accounting Metrics
        • TC-SI-330a.1. Percentage of employees that are (1) foreign nationals and (2) located offshore
        • TC-SI-330a.2. Employee engagement as a percentage
        • TC-SI-330a.3. Percentage of gender and racial/ethnic group representation for (1) management, (2) technical staff, and (3) all other employees
    • Intellectual Property Protection & Competitive Behavior
      • Topic Summary
      • Accounting Metrics
        • TC-SI-520a.1. Total amount of monetary losses as a result of legal proceedings associated with anti-competitive behavior regulations
    • Managing Systemic Risks from Technology Disruptions
      • Topic Summary
      • Accounting Metrics
        • TC-SI-550a.1. Number of (1) performance issues and (2) service disruptions; (3) total customer downtime
        • TC-SI-550a.2. Description of business continuity risks related to disruptions of operations

TECHNOLOGY & COMMUNICATIONS SECTOR

Sustainable Industry Classification System® (SICS®) TC-SI

Prepared by the Sustainability Accounting Standards Board

October 2018

sasb.org

Software & IT Services

BASIS FOR CONCLUSIONS 

BASIS FOR CONCLUSIONS | SOFTWARE & IT SERVICES INDUSTRY


  The information, text, and graphics in this publication (the “Content”) are owned by The SASB Foundation. All rights reserved. The Content may  be used only for non‐commercial, informational, or scholarly use, provided that all copyright and other proprietary notices related to the  Content are kept intact, and that no modifications are made to the Content. The Content may not be otherwise disseminated, distributed,  republished, reproduced, or modified without the prior written permission of The SASB Foundation. To request permission, please contact us at  [email protected].


Table of Contents

Introduction (p. 4)
  The Standards Board (p. 4)
  Development of the Sustainability Accounting Standards (p. 4)
  Approval of the Industry Standard (p. 5)
  Future Updates to the Standards (p. 6)
Revision TC-SI:01 – Industry: Software & IT Services; Topic Name: Environmental Footprint of Hardware Infrastructure (p. 7)
Revision TC-SI:02 – Industry: Software & IT Services; Topic Name: Environmental Footprint of Hardware Infrastructure (p. 9)
Revision TC-SI:03 – Industry: Software & IT Services; Topic Name: Data Privacy & Freedom of Expression (p. 11)
Revision TC-SI:04 – Industry: Software & IT Services; Topic Name: Data Privacy & Freedom of Expression (p. 14)
Revision TC-SI:05 – Industry: Software & IT Services; Topic Name: Data Security (p. 16)
Revision TC-SI:06 – Industry: Software & IT Services; Topic Name: Data Security (p. 19)
Revision TC-SI:07 – Industry: Software & IT Services; Topic Name: Recruiting & Managing a Global, Diverse & Skilled Workforce (p. 22)
Revision TC-SI:08 – Industry: Software & IT Services; Topic Name: Intellectual Property Protection & Competitive Behavior (p. 25)
Appendix A. Standards Board – Sector Committee Assignments (p. 27)
Appendix B. Redline Metric Tables (p. 28)

Introduction

The publication of the Sustainability Accounting Standard (“Standard”) for the Software & IT Services Industry marks an important milestone for the industry and for global capital markets more generally. It is the first Standard designed to assist companies in the Software & IT Services industry in disclosing financially material, decision-useful sustainability information to investors.

The Software & IT Services Industry Standard was first released in a provisional form in June 2015 after an extensive standard-setting process. Following the release of the Provisional Standard, the SASB staff, under the guidance of the SASB standard-setting board (“the Standards Board” or “the SASB”), engaged in further due process to revise the Standard. In October 2018, the Standards Board approved revisions to the Standard. The Standards Board subsequently voted to approve the Software & IT Services Industry Standard, thereby including it as one of the 77 industries for which the SASB has developed and published an industry standard.

The Basis for Conclusions describes the rationale for revisions made to the provisional industry standard. Additionally, the document outlines the standard-setting process the Standards Board used to codify the standard. All standard-setting documentation, including prior drafts of the standard, summary reports, and comment letters, which informed the development of the standard, is publicly available at the Standard Setting Archive of the SASB website.

The Standards Board

The Standards Board is charged with developing, issuing, and maintaining SASB standards. The Standards Board operates in accordance with its primary governance documents, including the SASB’s Conceptual Framework and Rules of Procedure. The Conceptual Framework sets out the basic concepts, principles, definitions, and objectives that guide the Standards Board in its approach to setting standards. The Rules of Procedure establishes the due process followed by the Standards Board and staff in their standard-setting activities. The standard-setting process is designed to ensure each industry standard reflects the core objectives established in the Conceptual Framework to facilitate companies’ cost-effective reporting of financially material and decision-useful sustainability information to investors.

In its standard-setting role, the Standards Board operates in a transparent manner, including holding public board meetings. The Standards Board currently uses a sector-based committee structure, with three Standards Board members assigned primary responsibility for each given sector. In addition to sector committee reviews, the full Standards Board evaluates revisions to the standards. Information on Standards Board meetings, including minutes, agendas, and a schedule of upcoming meetings is available on the SASB website. A list of Standards Board members and their respective sector committee assignments is included in Appendix A.

Development of the Sustainability Accounting Standards

SASB staff initiated its standard-setting activities in 2012 under the oversight of the Standards Council. [1] From August 2012 to March 2016, the SASB staff developed provisional standards for each of the industries identified in the Sustainable Industry Classification System® (SICS®). [2] The provisional standards were developed through an iterative and transparent process centered on independent research, market input, and oversight from the Standards Council. Each provisional industry standard was developed based on staff research, industry working group (“IWG”) feedback, public comments, and individual consultations with companies, investors, and other relevant experts. Throughout the development of the provisional standards, more than 2,800 individuals participated in IWGs, 172 public comment letters were received, and hundreds of individual consultations were conducted with market participants by the SASB staff.

[1] The Standards Council served in a process oversight role, distinct from the standard-setting role the Standards Board serves in. Upon completion of the provisional phase in 2016, the Standards Council was disbanded.
[2] At the time of the development of the provisional standards, SICS® contained 79 industries. SICS® was subsequently revised to 77 industries as a result of the combining of industries that contained similar sustainability-related risk and opportunity characteristics.

In 2016, following the issuance of the provisional standards across all industries, the SASB staff initiated a dedicated market consultation period to gain further insight into market views on the provisional standards. Subsequently, the Standards Board was seated and initiated a due process phase that culminated in the codification of 77 industry standards in October 2018. This standard-setting phase that began with the provisional standards and concluded with the codified standards is described more fully below. All standard-setting documentation discussed below is publicly available at the Standard Setting Archive of the SASB website.

• Consultation: In the six-month period from Q4 2016 – Q1 2017, the SASB staff conducted consultations to gather additional input from companies, investors, and relevant experts on the provisional standards. Throughout this phase, the SASB staff received input on the complete set of industry standards from individual consultations conducted with 141 companies, 19 industry associations, and 271 investor consultations via 38 institutional investors. The Consultation Summary comprises the findings from the consultations.

• Technical Agenda: In July 2017, after a period of review to evaluate market input from consultations on the provisional standards, the Standards Board worked with the SASB staff to publish the Technical Agenda. The Technical Agenda formally lists the areas of focus to address in preparing the standards for codification, emphasizing those issues for which strong evidence surfaced and/or those which received significant market feedback during the consultation period.

• Public Comment Period: In October 2017, the Standards Board published exposure drafts of the standards, which incorporated proposed changes guided by the Technical Agenda to the provisional standards. This opened a 90-day period, subsequently extended to a 120-day period, from October 2017 to January 2018, for public comment and review of proposed changes to provisional standards. Market participants provided 120 comment letters during the comment period. All letters received and a Summary of Public Comments are available at the Standard Setting Archive.

The Standards Board and the SASB staff evaluated the public comments received in conjunction with previous market input and research to determine the revisions to be made to the provisional standard.

Approval of the Industry Standard

On October 13, 2018, the Standards Board voted unanimously to revise the Provisional Standard for the Software & IT Services industry. In light of these revisions, on October 16, 2018, the Standards Board voted unanimously in favor of removing this Standard’s provisional status. In doing so, the Standards Board considered all phases of the standard-setting process, including those detailed in the above documents, to assess their underlying rationale, their adherence to due process, and their faithfulness to the essential concepts of sustainability accounting, as described in the Conceptual Framework.


The following section of this document describes the rationale for the revisions. Appendix B contains a redline table that summarizes these revisions. Revisions relative to the provisional standard that have not altered the scope or content of disclosure topics or metrics, such as those that are intended to improve the consistency, clarity, and accuracy of the standard, are not specifically addressed in the Basis for Conclusions.

Future Updates to the Standards

As social, economic, regulatory, and other developments alter an industry’s competitive landscape, the SASB standards may need to evolve to reflect new market dynamics. The Standards Board will follow a regular standards review cycle to address emerging and evolving issues that may result in updates to the SASB standards.

The Standards Board intends to direct the SASB staff to compile and publish a Research Agenda, which outlines items that have been identified as requiring further analysis. Evidence-based research and market input, including feedback from outreach and consultation, will inform reviews of issues on the Research Agenda. Items from the Research Agenda may later be added to the Standards Board’s Technical Agenda for additional due process and formal deliberation. All updates are subject to the standard-setting process described in the Rules of Procedure.


Revision TC-SI:01 – Industry: Software & IT Services; Topic Name: Environmental Footprint of Hardware Infrastructure

Summary of Change – Revise Technical Protocol

The SASB revised the technical protocol associated with provisional metric TC0102-01 [3] to ensure that regional measures of renewable energy—such as Guarantees of Origin (GOs), the European Union (EU) equivalent of the United States’ renewable energy certificates (REC) (both units of renewable energy credits)—are accounted for.

Adherence to Criteria for Accounting Metrics

The Software & IT Services Industry Provisional Standard includes a topic, Environmental Footprint of Hardware Infrastructure, with three associated metrics to describe a company’s management of energy and water issues related to their data center operations. Specifically, provisional metric TC0102-01 specifies that companies should disclose the total amount of energy they use, along with the percentages of that energy from the grid or renewable sources. The provisional technical protocol describes how the company should calculate renewable energy, including the treatment of renewable energy units. Although the provisional technical protocol provides measurable, relevant guidance, it lacks references to a more complete set of renewable energy standards. To improve the completeness of the technical protocol, the SASB revised the technical protocol to include references to equivalent standards—notably, the GOs of the European Union.

Supporting Analysis

Companies with a global footprint are likely to have RECs, GOs, and other equivalent regional renewable energy units on their books. This revision provided clarity that the SASB recognizes GOs and other equivalents for reporting purposes. Companies commonly report aggregated renewable energy units, including equivalents (for which the revised technical protocol provides guidance). For example, the 2015 Citizenship Report of the largest (by market cap) company in this industry uses a single line item to note the renewable energy units it had purchased, but a footnote indicates the figure includes “Renewable energy certificates (RECs) in the United States, Guarantees of Origin in the European Union, GreenPower instruments in Australia, and GoldPower instruments in China, Taiwan, and Turkey.” [4] Renewable energy units in different markets have subtle differences, but ultimately are each equivalent to 1 MWh of renewable energy produced, and have similar requirements for retirement (so that they cannot be double-counted). For example, EU Directive 2009/28/EC mandated the creation of national registries for the trade of GOs. [5] Updating the technical protocol to account for additional renewable energy markets helped the technical protocol better fulfill the SASB Conceptual Framework’s attribute of completeness.

Market Input

Investors: The revision was presented to investors and no positive or negative feedback was received.

[3] TC0102-01 – Total energy consumed, percentage grid electricity, percentage renewable energy
[4] “Microsoft 2015 Citizenship Report Environmental Data Addendum,” Microsoft, 2015, accessed July 15, 2017, p. 3, http://download.microsoft.com/download/7/3/6/736CED21-9D8B-4CBB-98E8-DCBAE7026251/Microsoft%202015%20Citizenship%20Report.pdf.
[5] “Directive 2009/28/EC of the European Parliament and of the Council,” April 23, 2009, Official Journal of the European Union, accessed July 23, 2018, http://eur-lex.europa.eu/legal-content/EN/ALL/?uri=celex%3A32009L0028.


Companies: Multiple global companies raised the concern that the provisional technical protocol did not recognize renewable energy standards outside of the U.S. and expressed a desire to ensure associated disclosures reflect the full extent of their renewable energy efforts.

Benefits

Improves the SASB Standard: The inclusion of regionally recognized renewable energy units beyond RECs improves the completeness of the technical protocol by explicitly acknowledging their place in the market as well as their applicability to companies with different geographic profiles.

Revision TC-SI:02 – Industry: Software & IT Services; Topic Name: Environmental Footprint of Hardware Infrastructure

Summary of Change – Revise Metric

The SASB revised provisional metric TC0102-02 from “Total water withdrawn, percentage recycled, percentage in

regions with High or Extremely High Baseline Water Stress” to remove the component of the metric that measures

water recycling, and replace it with water consumption. The resulting metric is, “(1) Total water withdrawn, (2) total

water consumed, percentage of each in regions with High or Extremely High Baseline Water Stress.”

Adherence to Criteria for Accounting Metrics

The Software & IT Services Industry Provisional Standard contains a topic, Environmental Footprint of Hardware

Infrastructure, which addresses corporate performance on managing water-related risks and opportunities,

including operating impacts due to water stress or quality issues, and regulatory risk or reputational factors, as well as

the management of hazardous waste. With respect to water, provisional metric TC0102-02 provided a high-level view

of water use, as measured by water withdrawals and recycling, and a company’s exposure to water stress within its

operations, as measured by water withdrawals in water stressed regions. While provisional metric TC0102-02 was

comparable and distributive, it did not provide a representative view of a company's performance with respect to

management of water stress and water use. The revision of the metric to focus on water consumption as opposed to

water recycling provides a more complete view of water use and related water risk.

Supporting Analysis

Companies in the industry are exposed to risks related to water management that include dependence on water as an

input for the operation of their data centers.

Key aspects of water management include both consumptive and non-consumptive use. Non-consumptive water use

is primarily impacted by factors relating to water access and aggregate withdrawals, and provides a relevant,

representative indicator of risk due to the potential for a company’s operations to be adversely affected by the limited

ability to withdraw water, either due to physical or legal (rights) factors. Consumptive use is an important factor

where water is utilized in the operational activities of a company, particularly as a critical component of cooling

computing centers. Water consumption, which measures the net difference between water withdrawals and what is

discharged into the environment or to a third party, provides investors with a more complete view of the water-

intensity of a company’s operations than water recycling.

Risks related to both water access and consumption are further exacerbated by elevated water stress and/or scarcity. Water access and use in such regions may result in a higher risk of operational curtailment due to inadequate water availability. Furthermore, water stressed regions may be more exposed to increasing water prices over the medium to long term.6 As such, the revised metric requires disclosure on both water withdrawals and water consumption in areas of High or Extremely High Baseline Water Stress.

While the revised metric incorporates water consumption, the element of the provisional metric that captures the volume of water recycled has been eliminated. Water recycling is one strategy that companies can use to mitigate risks associated with water use; however, it is not the only strategy, nor is it always an applicable one. Other strategies include efforts to use water more efficiently, to minimize water losses, and to substitute water use with other inputs.7 The amount of water recycled in the provisional metric did not provide a representative or complete picture of a company’s efforts to manage performance on water use. Instead, such risk is better characterized by water consumption.

6 Freyman, Monika, et al., “An Investor Handbook for Water Risk Integration,” Ceres, March 2015, accessed June 6, 2018, https://riacanada.ca/wp-content/uploads/2015/04/Ceres-Investor-Water-Handbook.pdf.

Finally, the revised metric is aligned with the GRI 303: Water and CDP Water reporting frameworks, which was revised

prior to the 2018 reporting cycle.

Market Input

Investors: No direct feedback was received from investors regarding the revision. However, investors generally

provided feedback in support of changes that would improve the representativeness of the information generated by

the standard.

Companies: While this revision did not receive direct feedback from companies in this industry, the change was

discussed as a high-level improvement by two large companies in the technology sector.

Benefits

Improves alignment: The revised metrics more closely align with the water frameworks and metrics promulgated by

the Carbon Disclosure Project (CDP) and Global Reporting Initiative (GRI).

Improves the SASB Standard: The inclusion of data on water consumption enables companies to more fairly represent

performance on the topic. The change also improves the completeness of disclosure by giving a more informative,

holistic view of performance on water management.

7 The World Resources Institute, “Aqueduct water risk framework,” working paper, January 2013, accessed June 6, 2018, http://www.wri.org/sites/default/files/aqueduct_water_risk_framework.pdf.

Revision TC-SI:03 – Industry: Software & IT Services; Topic Name: Data Privacy & Freedom of Expression

Summary of Change – Revise Metric

The SASB revised metric TC0102-05 from “Percentage of users whose customer information is collected for secondary

purpose, percentage who have opted in,” to “Number of users whose information is used for secondary purposes.”

Adherence to Criteria for Accounting Metrics

The Software & IT Services Industry Provisional Standard includes a topic, Data Privacy & Freedom of Expression, which

addresses risks related to the use of personally identifiable information (PII) for secondary purposes. The five

provisional metrics associated with the topic measure a company’s use of the personal data of its users, along with the

company’s approach to policies and practices related to behavioral advertising and customer privacy. The second part

of provisional metric TC0102-05, “Percentage of users whose customer information is collected for secondary

purposes, percentage who have opted in,” seeks to measure the users who have “opted in,” or who have indicated

permission for their personal data to be collected for secondary purposes. Legal requirements generally establish

certain opt-in/opt-out policies that companies must adopt to use customer data for secondary purposes. Therefore,

the component of the provisional metric, “percentage [of users] who have opted in,” was highly unlikely to yield

distributive data, as virtually all customers should have either actively opted in or would be classified as such per

definitions used in company policies. As a result, the metric was revised to eliminate the component that measures the

portion of users that have opted in. This revision improves the distribution of the data generated by the metric and

additionally enhances the cost-effectiveness of the metric.

Additionally, the SASB revised the unit of measure of the metric from relative (percentage) to absolute (number) to

improve the usefulness of the information provided by the metric. The absolute number of users whose information is

used for secondary purposes is more useful in assessing magnitude of potential risk exposure associated with failure to

manage customer privacy. Additionally, the absolute number is likely to be more useful in estimating financial costs

associated with managing or potential monetary losses as a result of alleged or actual violation of customer privacy

laws or regulations. To assess relative performance of companies in the industry, activity metrics and/or data reported

by companies in their financial filings would allow analysts to normalize performance.

Supporting Analysis

Due to the regional differences in the regulatory environment related to customer privacy, the definition of user "consent," and therefore the opt-in policies, vary significantly. In the E.U., such definitions are considerably stricter and companies are unable to assume consent if it is not explicitly obtained from users. For example, the E.U.’s General Data Protection Regulation (GDPR) states that consent shall be freely given, specific, informed, unambiguous, and explicit.8 In the U.S., regulations regarding obtaining consent from customers are less strict, often vary considerably based on state regulations, and such requirements as those established by GDPR are not generally required to be a part of opt-in policies.9 Therefore, depending on the location of the customer base, companies may have flexibility to classify "customers who have opted in" in such a way that allows them to use customer information for secondary purposes. In fact, any disclosures that indicate the use of customer data for secondary purposes absent customer consent may be considered illogical from a legal perspective, at least in regions where such data privacy regulations exist. These factors suggest that disclosure on the “percentage [of users] who have opted in” would virtually always indicate that all users opted in, and thus, this information is not distributive. Additionally, considering the regional differences in regulatory frameworks covering customer consent and opt-in/opt-out policies, investors would derive more decision-useful information from discussion and analysis of relevant policies and procedures adopted by companies than from a quantitative measure of users who opted in to the collection and use of their data. Such information can be obtained from metric TC0102-04, “Discussion of policies and practices relating to behavioral advertising and customer privacy” included in the disclosure topic, which ensures completeness and usefulness of information provided to investors to assess companies’ performance on the disclosure topic.

8 Regulation (EU) 2016/679 of the European Parliament and of the Council, European Union, April 27, 2016, accessed June 5, 2018, https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32016R0679.

9 Martin A. Weiss and Kristin Archick, “U.S.-EU Data Privacy: From Safe Harbor to Privacy Shield,” Congressional Research Service, accessed June 7, 2018, https://fas.org/sgp/crs/misc/R44257.pdf.

Further, by revising the unit of measure for the first part of the metric from “percentage of customers whose

information is used for secondary purposes” to the “number of customers,” the usefulness of information is

enhanced by giving investors more flexibility in analyzing performance on the disclosure topic. Specifically, the

absolute number of users whose information is used for secondary purposes is likely to be more useful in estimating

financial costs associated with management of the issue or monetary losses associated with potential failure to meet

relevant regulatory requirements. In other words, the absolute unit of measure is more useful in assessing magnitude

of both chronic cost-related impacts and acute risks related to customer privacy or data security.

Lastly, it may be noted that the SASB standards often gravitate toward absolute measures, consistent with the revised

metric, for reasons such as:

• Multiple alternatives regarding suitable normalization bases for performance indicators, with investor preference varying depending on use case; and

• The incorporation of industry-specific activity metrics within the standard to facilitate multiple means for normalization of the sustainability accounting metrics included in the standard based on investor preference.

However, relative measures may also be included when such format is found more decision-useful by investors. As

discussed in the Market Input section, feedback from multiple investors across various SASB sectors points to the

usefulness of both absolute and relative metrics.

Market Input

Investors: No direct feedback was received from investors regarding this revision. However, investors provided

feedback that generally supports improvements to the distributiveness of disclosures. With respect to the revision of

the unit of measure, broad feedback received throughout the SASB standards’ development process in various sectors

suggests the usefulness of both absolute and normalized measurements of performance.

Companies: Feedback was received on the provisional form of the metric from multiple companies that indicated a

need for revision. While direct input on this specific revision was not received, the revision indirectly addresses some of

the concerns companies shared related to the provisional metric. More specifically, a large company in a different

industry indicated that the data generated by the provisional metric may be considered competition sensitive

information. Another large company that provided feedback on the provisional metric pointed out that the number of

account holders who “opt in” may provide inappropriate representation of performance on the customer privacy

issue. The company stated that performance on this metric would be indicative of consumer behavior rather than a reflection of business practices. The revisions to this metric, as described above, are intended to alleviate company concerns among other benefits.

Benefits

Improves the SASB Standard: The revision improves the distributiveness of the metric, while enhancing cost-

effectiveness by eliminating a reporting requirement of the metric. The revision of the unit of measure enhances

decision-usefulness of information generated by the metric.

Revision TC-SI:04 – Industry: Software & IT Services; Topic Name: Data Privacy & Freedom of Expression

Summary of Change – Revise Metric

The SASB revised provisional metric TC0102-07 from “Number of government or law enforcement requests for

customer information, percentage resulting in disclosure” to “(1) Number of law enforcement requests for user

information, (2) number of users whose information was requested, (3) percentage resulting in disclosure.”

Adherence to Criteria for Accounting Metrics

The Software & IT Services Industry Provisional Standard includes a topic, Data Privacy & Freedom of Expression, with

five associated metrics to describe a company’s management of risks related to how it stores and protects customers’

sensitive data. Specifically, provisional metric TC0102-07 asks companies to disclose governmental and law

enforcement requests for information. The revision of the metric to include the number of users whose information

was requested eliminates ambiguity in the information elicited by the provisional metric and mirrors the way

companies currently report. The revised metric thus provides a fair and more complete representation of performance

which results in a more decision-useful set of disclosures when combined with the existing metrics related to the

topic.

Supporting Analysis

The provisional metric does not fairly represent company performance with respect to Data Privacy & Freedom of

Expression, as it does not include the number of users whose information a government or law enforcement entity

may have requested (e.g., one request could ask for information for a single user, or for thousands of users). More

than 35 companies in the technology and communications sector issue standalone transparency reports that break

out the information in this manner.

The transparency report of the industry’s largest U.S. listed company (by market cap) illustrates both the number of

requests and the number of accounts affected.10 This company’s total number of requests of approximately 26,000

was significantly different than the number of accounts or users specified in these requests, which was approximately

45,000. Both numbers are needed to adequately understand the magnitude of impact. This revision improves alignment with current industry practice as well as the completeness of the set of disclosures related to Data Privacy & Freedom of Expression.

Market Input

Investors: Investors were supportive of changes that improve alignment with what companies currently disclose.

Companies: Company feedback on the revision was not received.

10 “Law Enforcement Requests Report,” Microsoft, 2016, accessed July 23, 2018, https://www.microsoft.com/en-us/about/corporate-responsibility/lerr/.

Benefits

Improves the SASB Standard: The metric revision improves the completeness of the set of metrics which define the

topic.

Improves alignment with existing reporting frameworks: Companies currently report the information broken out by

number of requests and number of users whose information was requested.

Revision TC-SI:05 – Industry: Software & IT Services; Topic Name: Data Security

Summary of Change – Revise Metric

The SASB revised provisional metric TC0102-09 from “Number of data security breaches and percentage involving

customers’ personally identifiable information” to “(1) Number of data breaches, (2) percentage involving personally

identifiable information (PII), (3) number of users affected.”

Adherence to Criteria for Accounting Metrics

The Software & IT Services Industry Provisional Standard includes a topic, Data Security, with two associated metrics

that describe a company’s management of risks related to the storage and protection of its users’ sensitive data. The

revision eliminates ambiguity regarding what data are being asked for in the provisional metric by clarifying that the

number of unique data breaches shall be disclosed. Furthermore, the revised metric provides additional useful

information by including the number of customers affected by such data breaches. The revised metric is more aligned

with current corporate disclosures on the topic than the provisional metric. Additionally, the technical protocol for the

provisional metric did not provide a definition for the term “encryption,” and when discussing encrypted data

breaches, provided a narrow scope of disclosure that may unintentionally exclude critical information, and result in

incomplete disclosures. To improve the completeness of disclosures and alignment with existing terms defined by

regulatory agencies, the SASB revised the technical protocol to incorporate the National Initiative for Cybersecurity

Careers and Studies (NICCS) definition of “data breach” and “encryption,” and provided further reporting guidance

on the scope of disclosures involving encrypted data. This revision improves alignment between the SASB Standard

and existing regulatory reporting definitions, as well as increases clarity for companies preparing the data, ultimately

improving the cost-effectiveness of the standard.

Supporting Analysis

The technical protocol associated with the provisional metric did not satisfy the measurability and completeness

attributes of a technical protocol, as it did not specify what was intended to be measured by “number of data security

breaches,” which may include the number of unique instances of breaches, or it may include the number of exposed

customer records. For example, if a company faced two cyber-attacks during the reporting period, with one exposing

200,000 customer records, and another exposing 50,000 customer records, the provisional metric was unclear

whether the company would report this as “2” or “250,000.” Evidence shows that both the number of incidents and

the number of records affected are useful data points to understand the frequency and magnitude of data breaches.

Furthermore, an analysis of corporate disclosures demonstrates that, broadly speaking, a structure of disclosure that includes the number of incidents and the number of records affected is a best practice for corporate disclosures. For example, after their own major breaches, three large companies11,12,13,14 each revealed, for the respective incidents, the number of accounts affected. In greater detail, one company’s public disclosure after a data breach that came to light in 2016 provides an illustrative example of the alignment of the revision with current corporate disclosures on the topic. In 2016, the company disclosed an unauthorized data breach associated with more than 1 billion user accounts, the largest known data breach to date. The firm’s disclosure distinguished between unique incidents and number of records compromised, consistent with the revised metric.15

11 Brad Arkin, “Important Customer Security Announcement,” Adobe, October 3, 2013, accessed July 23, 2018, https://blogs.adobe.com/conversations/2013/10/important-customer-security-announcement.html.

12 Tanya Agrawal, David Henry, & Jim Finkle, “JPMorgan hack exposed data of 83 million, among biggest breaches in history,” Reuters, October 2, 2014, accessed July 23, 2018, https://www.reuters.com/article/us-jpmorgan-cybersecurity-idUSKCN0HR23T20141003.

13 Cory Scott, “Protecting Our Members,” LinkedIn, May 18, 2016, accessed July 23, 2018, https://blog.linkedin.com/2016/05/18/protecting-our-members.

14 Keir Thomas, “Citigroup Hack Nabs Data from 210k,” PCWorld, June 9, 2011, accessed July 23, 2018, http://www.pcworld.com/article/229891/Citigroup_Hack_Nets_Over_200k_in_Stolen_Customer_Details.html.

Finally, the SASB revised the technical protocol of metric TC0102-09 to define the terms “data breach” and

“encryption” using definitions identified by NICCS, which is managed by the Cybersecurity Education and Awareness

Branch (CE&A) within the U.S. Department of Homeland Security’s Office of Cybersecurity and Communications. The

NICCS is a part of the CE&A’s work to promote cybersecurity awareness, training, and education for the Nation’s

cybersecurity professionals.16 The NICCS glossary of key cybersecurity terms is informed by ongoing feedback from

end users and stakeholders, and is often cited by the U.S. Securities and Exchange Commission in documents such as the

Commission Statement and Guidance on Public Company Cybersecurity Disclosures.17 The revision to align

cybersecurity terms with those of NICCS improves clarity by referencing governmental sources, and will therefore likely

lead to more consistent and complete disclosures. Further, the revision likely improves cost-effectiveness of reporting

for companies by increasing uniformity across different reporting frameworks.

Additionally, when calculating the percentage of data breaches in which account holders’ personally identifiable

information was breached, the technical protocol for the provisional metric included guidance on the scope of

disclosure as it relates to incidents whereby encrypted data is acquired with an encryption key. However, this language

failed to acknowledge instances through which weakly encrypted data is acquired without an encryption key but can

still be converted to plaintext. Thus, the SASB revised the technical protocol to provide additional reporting guidance

on the inclusion of incidents where there is reasonable belief that acquired encrypted data could be readily converted

to plaintext. The revision results in more complete disclosures by expanding the scope of disclosure to include

instances in which the attacker can recover the plaintext information.
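As an added illustration, not part of the SASB standard or its technical protocol, the Python below computes the three components of the revised TC0102-09 metric from a constructed incident log and applies the encryption-scope rule described above: a breach of encrypted PII counts toward the PII percentage only when the key was also acquired or there is reasonable belief that the ciphertext could readily be converted to plaintext. The record format, field names and incident figures are constructed for this example (the 200,000 and 50,000 figures echo the page's own two-incident illustration); a preparer would populate them from the company's own incident register.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List, Union


@dataclass(frozen=True)
class Breach:
    """One unique data breach incident (constructed record layout, not SASB's)."""
    incident_id: str
    users_affected: int            # distinct users/accounts whose data was acquired
    contains_pii: bool             # the acquired data set includes PII
    pii_encrypted: bool = False    # the PII was encrypted when it was acquired
    key_acquired: bool = False     # the attacker also obtained the decryption key
    readily_convertible: bool = False  # reasonable belief the ciphertext can readily
                                       # be turned into plaintext (e.g. weak algorithm)


def pii_in_scope(b: Breach) -> bool:
    """Does this incident count as one 'involving PII' under the revised scope?

    Plaintext PII always counts. Encrypted PII counts if the key was taken with
    it, or if the company reasonably believes the ciphertext is readily
    convertible to plaintext. Strongly encrypted PII with no key stays out.
    """
    if not b.contains_pii:
        return False
    if not b.pii_encrypted:
        return True
    return b.key_acquired or b.readily_convertible


def tc0102_09(breaches: Iterable[Breach]) -> Dict[str, Union[int, float]]:
    """Return (1) number of breaches, (2) % involving PII, (3) users affected.

    The ambiguity the revision removes: two incidents exposing 200,000 and
    50,000 records are reported as breaches=2 AND users=250,000, not as one
    figure or the other. Users are summed per incident here, which assumes the
    incident populations are disjoint; a real preparer would de-duplicate.
    """
    incidents: List[Breach] = list(breaches)
    n = len(incidents)
    pii_count = sum(1 for b in incidents if pii_in_scope(b))
    users = sum(b.users_affected for b in incidents)
    pct = round(100.0 * pii_count / n, 1) if n else 0.0
    return {
        "number_of_breaches": n,
        "pct_involving_pii": pct,
        "users_affected": users,
    }


# Constructed sample incident register for one reporting period.
SAMPLE_INCIDENTS = [
    # the page's two-incident example, plaintext PII in both
    Breach("INC-1", 200_000, contains_pii=True),
    Breach("INC-2", 50_000, contains_pii=True),
    # encrypted with a weak scheme, no key taken, but readily convertible: in scope
    Breach("INC-3", 10_000, contains_pii=True, pii_encrypted=True,
           readily_convertible=True),
    # strongly encrypted, no key, no reasonable belief of recovery: counted as a
    # breach, but excluded from the PII percentage
    Breach("INC-4", 5_000, contains_pii=True, pii_encrypted=True),
]

if __name__ == "__main__":
    print(tc0102_09(SAMPLE_INCIDENTS))
```

Running the block on the constructed register yields four breaches, 75.0 percent involving PII (INC-4 is the one excluded), and 265,000 users affected; the fourth incident shows why the count of breaches and the PII percentage must be tracked separately rather than inferred from one another.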

Market Input

Investors: Many investors across multiple industries and sectors consistently communicated during SASB’s consultation period that clarification of this metric was necessary, and there was strong agreement with the revised metric.

Companies: Multiple companies voiced confusion over the wording of the provisional metric and communicated that

it needed to be clarified in a manner similar to this revision.

Benefits

Improves the SASB Standard: The revision enhances the standardization of the metric by improving the measurability

and the completeness of the technical protocol. The revision also enhances cost-effectiveness by aligning the SASB

Standard with existing regulatory reporting terms.

15 Ibid.

16 “Cybersecurity Education and Awareness,” United States Department of Homeland Security, last modified September 27, 2017, accessed May 6, 2018, https://www.dhs.gov/cyber-education-and-awareness.

17 Commission Statement and Guidance on Public Company Cybersecurity Disclosures, Securities and Exchange Commission, issued on February 20, 2018, https://www.sec.gov/rules/interp/2018/33-10459.pdf.

Improves decision-usefulness: The revision generates more useful information, given that both the number of unique cybersecurity data breaches and the number of customers affected are important elements needed to better understand corporate performance on the topic.

Revision TC-SI:06 – Industry: Software & IT Services; Topic Name: Data Security

Summary of Change – Revise Metric

The SASB revised provisional metric:

• TC0102-10 Discussion of management approach to identifying and addressing data security risks

to the following metric:

• Description of approach to identifying and addressing data security risks, including use of third-party cybersecurity standards

Adherence to Criteria for Accounting Metrics

The Software & IT Services Industry Provisional Standard includes a topic for Data Security, and two associated metrics which describe a company’s performance as it relates to protecting customer data. Quantitative metric TC0102-09 asks for the number of data breaches, as well as the percentage that contained customers’ personally identifiable information.18 Qualitative metric TC0102-10 asks companies to discuss their strategy to identify and address data security risks. A company’s approach to ensuring the cyber preparedness of its operations may include various strategies. One strategy, the use of third-party cybersecurity standards, can help companies in the Software & IT Services industry identify vulnerabilities in their information systems that may pose a data security risk. Therefore, company disclosure on its use of third-party cybersecurity risk management standards and frameworks, whose use is growing rapidly, would yield relevant and decision-useful information to investors assessing performance on the Data Security topic.

The SASB evaluated the potential addition of a stand-alone quantitative metric “Percentage of operations, by revenue,

independently certified to a suitable third-party cybersecurity management standard” to measure companies’

approach to managing data security risks via aligning their cybersecurity practices with external standards. This metric

was proposed in the 2017-18 public comment period. However, additional research and stakeholder feedback highlighted concerns that such a metric may be neither viable to implement nor sufficiently representative of performance.

Based on the above, the SASB revised existing provisional metric TC0102-10 to expand its scope by including a

description of company use of third-party cybersecurity standards. The resulting metric is, “Description of approach to

identifying and addressing data security risks, including use of third-party cybersecurity standards.” The revision

enhances completeness of the information requested by the provisional metric, which will likely improve its decision-

usefulness.

Supporting Analysis

The SASB revised the provisional metric TC0102-10 to improve its completeness and decision-usefulness. Specifically, the revised metric asks companies to discuss how they identify relevant cybersecurity standards to implement, the extent of their implementation (i.e., operations, business unit, geography, product, or information system), approach to third-party verification of the use of the standards, as well as ongoing activities and initiatives related to increasing the use of cybersecurity risk management standards.

18 Please see Revision TC-SI:05 for an update to provisional metric TC0102-09.

The revision reverses the SASB’s earlier proposal in the 2017-18 public comment period to include an additional

quantitative metric that would measure the percentage of company’s operations independently certified to a suitable

third-party cybersecurity management standard. Additional research and input from subject matter experts suggested that the format of the proposed quantitative metric was neither viable nor adequate. The metric was found to neither generate information representative of company performance on managing the topic nor be decision-useful to investors.

Specifically, the proposed metric required companies to calculate the percentage as revenue generated from products

that are certified to a suitable third-party cybersecurity management standard divided by the total revenue generated

from all products that are eligible for such certifications. Such guidance was neither applicable nor feasible to follow

since products of companies in the Software & IT Services industry are not generally covered by third-party

cybersecurity standards. Rather, cybersecurity risk management standards address security of companies’ operations,

processes, and information systems. Furthermore, it should be noted that the proposed quantitative metric relied on a

measure of "certifications," which is an inaccurate (or oversimplified) characterization of the implementation of third-party frameworks or standards concerning data security across information technology systems. Therefore, the SASB withdrew the initial proposal and instead incorporated the use of third-party cybersecurity certifications by expanding the scope of the existing qualitative provisional metric TC0102-10.

The revision improves representativeness, completeness, and usefulness of the provisional metric by requesting

discussion of companies’ use of third-party cybersecurity standards as one of the strategies to manage data security

risk exposure. The technical protocol of the metric references several cybersecurity standards that are commonly used by companies in the industry, such as the ISO 27000 series, AICPA’s System and Organization Controls (SOC), and ISACA’s COBIT 5, which ensures alignment of the SASB standard with existing corporate reporting. An example of a company’s use of third-party standards includes a major technology company’s use of ISO 27001 for its cloud platform, which it refers to as “one of the most widely recognized, internationally accepted independent security standards.”19 This company constitutes 40 percent of the market capitalization of the industry.

Market Input

Investors: Multiple investors agreed that this topic deserves increased attention and that a focus on management

systems is the best approach to ensure completeness of information generated by the standard. Investors noted that

companies should have an externally verified cybersecurity framework, and understanding how companies use third-

party cybersecurity standards to manage risk exposure of their operations is crucial to being able to understand the

magnitude of the related risk.

Companies: Companies have communicated views on the importance of this topic but did not provide input on the

quantitative metric that was proposed in the 2017-18 public comment period. However, this revision is designed to

ensure the metric associated with the topic is pragmatic to implement.

19 “Google Cloud Platform and the EU Data Protection Directive,” Google, accessed July 20, 2017, https://cloud.google.com/security/compliance/eu-data-protection/.

Others: The inclusion of a measure on the use of third-party cybersecurity standards was suggested by and discussed with multiple subject matter experts who believe it to be representative of corporate data security performance. The SASB received feedback that a quantitative measure of performance through a percentage of revenue generated from products that are certified to a suitable third-party cybersecurity management standard is not appropriate because the calculation guidance would be neither applicable nor feasible for companies to follow.

Benefits

Improves the SASB Standard: This revision enhances completeness of the information generated by the requested discussion, which further improves decision-usefulness of information regarding a company’s cybersecurity.

Improves alignment: By referencing third-party cybersecurity risk management standards that are already being used by leading companies in the industry, the revision ensures the metric’s alignment and the comparability of the information it provides to investors.

Revision TC-SI:07 – Industry: Software & IT Services; Topic Name: Recruiting & Managing a Global, Diverse & Skilled Workforce

Summary of Change – Revise Metric

The SASB revised the technical protocol for provisional metric TC0102-13 “Percentage of gender and racial/ethnic group representation for: (1) executives and (2) all others” to “Percentage of gender and racial/ethnic group representation for (1) management (2) technical staff and (3) all other employees.” Further, the SASB updated the reporting guidance to require gender breakdown globally but racial/ethnic breakdown only in the United States per the U.S. Equal Employment Opportunity Commission (EEOC)’s EEO-1 Job Classification Guide categories. The technical protocol was revised to specify that companies should describe their policies for promoting inclusivity and fostering equitable employee representation across their global operations.

Adherence to Attributes of Technical Protocols

The Software & IT Services Industry Provisional Standard includes a topic, Recruiting & Managing a Global, Diverse & Skilled Workforce, with associated metrics to describe a company’s management of risks and opportunities associated with hiring and retaining diverse candidates. The SASB replaced the term “executives” with “management,” which is defined in the technical protocol as both executive and non-executive management, consistent with the original intent of the metric. Further, the addition of the category for technical staff improves alignment between the SASB standards and current reporting practices and makes the standards more useful for investors. Provisional metric TC0102-13 required global disclosure of gender and racial/ethnic breakdown according to the U.S. Equal Employment Opportunity Commission (EEOC)’s EEO-1 Job Classification Guide.

This revision to the technical protocol of provisional metric TC0102-13 recognizes that the U.S. EEOC racial/ethnic classification can only be consistently applied to a company’s U.S. workforce and may not be applicable to its global workforce. In addition, the revised technical protocol includes a discussion of company policies for promoting inclusivity and fostering equitable employee representation across global operations. While the technical protocol specifies that companies may report racial/ethnic breakdown outside of the U.S. by country or region, the SASB clarified that the U.S. EEOC’s EEO-1 Job Classification Guide shall be used for classifying employees only for a U.S. workforce. For a non-U.S. workforce, companies shall use occupational classification systems adopted in the countries where the workforce is employed. For non-U.S. employees, the registrant shall categorize the employees in a manner generally consistent with the definitions provided above, though in accordance with, and further facilitated by, any applicable local regulations, guidance, or generally accepted definitions. These revisions enhance the global applicability of the technical guidance associated with the metric to companies with a global workforce.

Supporting Analysis

Companies with transparent hiring, promotion, and wage practices to promote workforce diversity and inclusion can benefit from improvements in productivity,20 revenues,21 and market share22 over the medium to long term. Widely accepted diversity metrics, such as those required by the U.S. EEOC, include the gender and racial/ethnic breakdown of employees and managers.

Identifying diversity figures for technical employees gives greater insight into the diversity of the highly paid and sought-after group of workers tasked with creating a company’s products. Further, this change ensures that company diversity figures are not skewed by the sometimes-different ethnic makeup of different departments or teams. This type of disclosure is already common practice in company diversity reports.23,24,25,26

There are also several challenges related to reporting regional racial/ethnic data. First, classification categories vary significantly country-by-country and region-by-region; therefore, it would not be practical or necessarily representative of racial/ethnic diversity for companies to aggregate their global number of employees by EEO-1 categories, which are designed for U.S.-based reporting. Second, such data are typically only available in some countries (e.g., Canada, Brazil) due to privacy laws preventing disclosure. Finally, some countries also look at age, disability, gender identity, sexual orientation, or other aspects of diversity, which may be defined differently by each country.

The revision to provisional metric TC0102-13 addresses these concerns and brings the metric into alignment with existing industry disclosure by requiring gender breakdown globally but racial/ethnic breakdown per the EEO-1 categories only in the U.S. Companies shall describe their policies for promoting inclusivity and preventing the development of a globally homogenous workforce outside of the U.S. that is not representative of the local population. The technical protocol additionally allows companies the opportunity to disclose racial/ethnic or other breakdown by region- or country-specific categories, if they choose. This update recognizes that a perfectly representative workforce would mirror population demographics, but that regional demographics and ideal racial/ethnic representation may vary widely by region. Thus, the revision improves the usefulness of the metric and its alignment with existing industry disclosures.

Market Input

Investors: Multiple investors across sectors consistently communicated during SASB’s consultation period that while a gender breakdown is relevant globally, a racial/ethnic group breakdown by EEO-1 categories is feasible only in the U.S.

20 A. Garnero, S. Kampelmann, and F. Rycx, “The Heterogeneous Effects of Workforce Diversity on Productivity, Wages, and Profits,” Centre Pour La Recherche Economique et Ses Applications, Document de travail no 1304, September 2013, pp. 4-5, accessed June 5, 2018, http://www.cepremap.fr/depot/docweb/docweb1304.pdf.

21 “Global Diversity and Inclusion: Fostering Innovation Through a Diverse Workforce,” Forbes Insights, last modified July 2011, accessed June 5, 2018, http://images.forbes.com/forbesinsights/StudyPDFs/Innovation_Through_Diversity.pdf.

22 “Kelly Services: Diversity must help bottom line to be sustainable,” Crain’s Detroit Business, last modified November 14, 2013, accessed June 5, 2018, http://www.crainsdetroit.com/article/20131103/NEWS/311039959/kelly-services-diversity-must-help-bottom-line-to-be-sustainable.

23 “HP Global Diversity & Inclusion,” HP, accessed May 24, 2018, http://www8.hp.com/us/en/hp-information/about-hp/diversity/index.html.

24 “Diversity,” Google, accessed May 24, 2018, https://diversity.google/commitments/.

25 “Inclusion & Diversity,” Apple, accessed May 24, 2018, https://www.apple.com/diversity/.

26 “Facebook Diversity Update: Building a more diverse, inclusive workforce,” Facebook, accessed May 24, 2018, https://fbnewsroomus.files.wordpress.com/2017/08/fb_diversity_2017_final.pdf.

Companies: Companies noted that they currently break out technical employees and that SASB standards would be more useful if they did the same. In addition, a limited number of companies stated that the provisional metric was U.S.-centric and would not result in meaningful information for large, multinational companies that operate in different countries.

Benefits

Improves the SASB Standard: This change improves cost-effectiveness by limiting the required quantitative disclosure on race/ethnicity to U.S. operations, which are measurable and complete. It also improves decision-usefulness by only requiring the aggregation of gender data, which is more likely to be comparable across companies in different industries and geographies.

Revision TC-SI:08 – Industry: Software & IT Services; Topic Name: Intellectual Property Protection & Competitive Behavior

Summary of Change – Remove Metric

The SASB removed provisional metric TC0102-16 “Number of patent litigation cases, number successful, and number as patent holder.”

Adherence to Criteria for Accounting Metrics

The Software & IT Services Industry Provisional Standard includes a topic, Intellectual Property Protection & Competitive Behavior, with an associated metric to describe how companies balance protection of their intellectual property (IP) with ensuring fair use. Related to this, provisional metric TC0102-16 asked companies to disclose the number of patent litigation cases they were involved in, whether they were the patent holder in the case, and their subsequent number of “successful” legal proceedings.

The number of cases a company is currently involved in is only an approximate indicator of a company’s litigation strategy. Provisional metric TC0102-16 did not fairly represent company performance, nor is it likely to be useful for investors. The removal of this metric increases the cost-effectiveness of the standard.

Supporting Analysis

While IP protection is inherent to the business model of companies in the Software & IT Services industry, companies’ IP practices can sometimes conflict with the best interests of society. IP protection, on the one hand, is an important driver of innovation; on the other hand, companies could use it to restrict access to the benefits from innovation, particularly if they are dominant market players. This metric was meant to give analysts insight into how companies were protecting their IP while respecting fair use.

Virtually all companies in the industry provide disclosures on the topic, indicating its potential to significantly impact companies. Generally, companies already disclose major patent litigation cases currently affecting them, and a few companies disclose the amount of fines or potential fines resulting from the most significant cases, but no companies disclose information in the format of the provisional metric in their financial filings.

It is unclear how an analyst would use the raw number of patent litigation cases to compare one company’s performance on protecting its intellectual property and promoting fair use to another’s. The existence of patent trolls also complicates this kind of ratio, as companies ultimately have no control over whether lawsuits, merited or frivolous, are brought against them.27 The metric is also unlikely to be an accurate measure of performance on the topic, as the concept of a “successful” patent litigation is hard to define. For example, a company could “settle” a patent lawsuit but admit no fault. A company could also have many frivolous lawsuits brought against it and “win;” in this case it is still unclear how this relates to performance on promoting fair use. This could be the best outcome for the company and its shareholders but would not be counted as “successful” under the provisional metric framework. An issue as complex as IP protection likely cannot be usefully captured by a quantitative measure.

27 “Patent Trolls,” Electronic Frontier Foundation, accessed June 13, 2018, https://www.eff.org/issues/resources-patent-troll-victims.

Market Input

Investors: SASB did not receive significant support from investors on this metric.

Companies: A large company in another industry in this sector provided a comment during SASB’s 2017-18 public comment period noting that disclosure on provisional metric TC0102-16 would reveal competitively sensitive information, and that its peers likely feel similarly. SASB received comments from a large company in another industry with similar metrics stating that developing a useful quantitative metric for the topic would likely not be possible.

Benefits

Improves cost-effectiveness: The removal of this metric reduces the costs to companies of reporting on the SASB Standard.

Appendix A. Standards Board – Sector Committee Assignments

STANDARDS BOARD MEMBER | SECTOR CHAIR | OTHER COMMITTEES
Jeffrey Hales, PhD (Chair), Professor, Georgia Institute of Technology – Ernest Scheller Jr. College of Business | Financials, Renewable Resources & Alternative Energy | Transportation, Services, Resource Transformation
Verity Chegar (Vice Chair), Vice President, BlackRock | Extractives & Minerals Processing | Financials, Technology & Communications, Infrastructure
Robert B. Hirth Jr. (Vice Chair), Senior Managing Director, Protiviti; Chairman Emeritus, COSO | Technology & Communications | Health Care, Extractives & Minerals Processing, Services
Daniel L. Goelzer, JD, Senior Counsel, Baker & McKenzie LLP | Services | Financials, Resource Transformation, Infrastructure
Kurt Kuehn, Former CFO, United Parcel Service | Transportation, Infrastructure | Consumer Goods, Renewable Resources & Alternative Energy
Lloyd Kurtz, CFA, Senior Portfolio Manager, Head of Social Impact Investing, Wells Fargo Private Bank | Health Care, Resource Transformation | Technology & Communications, Food & Beverage
Elizabeth Seeger, Head of Sustainable Investing, KKR | Consumer Goods | Health Care, Extractives & Minerals Processing, Food & Beverage
Stephanie Tang, JD, Director of Legal, Corporate Securities, Stitch Fix | Food & Beverage | Transportation, Consumer Goods, Renewable Resources & Alternative Energy

Appendix B. Redline Metric Tables

Redline tables are provided below for all sustainability accounting metrics (Table 1) and activity metrics (Table 2). All significant revisions to topics and metrics between the provisional standard and the codified standard are shown in redline; however, such redlines are not intended to communicate the full scope of such revisions, for which readers should refer to the codified Standard and accompanying content elsewhere in the Basis for Conclusions.

All redlines presented in these tables are associated with a revision number in the Revision Number column. Significant revisions to the technical protocol associated with a given metric will not necessarily be apparent in redline in the tables; however, the associated revision number will be noted in the Revision Number column of each table.

Any redlines that depict revisions to metrics but that are not accompanied by a revision number (i.e., “n/a”) are not addressed in the Basis for Conclusions, as these revisions have not altered the scope or content of metrics; they are intended only to improve the consistency, clarity, and accuracy of the standard. Similarly, if a metric is not accompanied by a revision number, the technical protocol may still have been revised to improve the consistency, clarity, and accuracy of the standard.

Software & IT Services Industry

Table 1. Sustainability accounting metrics (in this text rendering, redline insertions and deletions within a cell appear run together)

TOPIC | ACCOUNTING METRIC | CATEGORY | UNIT OF MEASURE | PROVISIONAL METRIC CODE | CODIFIED METRIC CODE (28) | REVISION NUMBER
Environmental Footprint of Hardware Infrastructure | (1) Total energy consumed, (2) percentage grid electricity, (3) percentage renewable energy | Quantitative | Gigajoules (GJ), Percentage (%) | TC0102-01 | TC-SI-130a.1 | TC-SI:01
Environmental Footprint of Hardware Infrastructure | (1) Total water withdrawn, (2) total water consumed, percentage recycled, percentage of each in regions with High or Extremely High Baseline Water Stress | Quantitative | Thousand cCubic meters (m3), Percentage (%) | TC0102-02 | TC-SI-130a.2 | TC-SI:02
Environmental Footprint of Hardware Infrastructure | Discussion Description of the integration of environmental considerations to strategic planning for data center needs | Discussion and Analysis | n/a | TC0102-03 | TC-SI-130a.3 | n/a
Data Privacy & Freedom of Expression | Discussion Description of policies and practices relating behavioral advertising and user privacyto collection, usage, and retention of customers’ information and personally identifiable information | Discussion and Analysis | n/a | TC0102-04 | TC-SI-220a.1 | n/a
Data Privacy & Freedom of Expression | Percentage Number of users whose customer information is collected for secondary purposes, percentage who have opted-in | Quantitative | Percentage (%)Number | TC0102-05 | TC-SI-220a.2 | TC-SI:03
Data Privacy & Freedom of Expression | Amount of legal and regulatory fines and settlementsTotal amount of monetary losses as a result of legal proceedings associated with customer user privacy | Quantitative | U.S. dollars ($)Reporting currency | TC0102-06 | TC-SI-220a.3 | n/a
Data Privacy & Freedom of Expression | (1) Number of government or law enforcement requests for customer user information, (2) number of users whose information was requested, (3) percentage resulting in disclosure | Quantitative | Number, Percentage (%) | TC0102-07 | TC-SI-220a.4 | TC-SI:04
Data Privacy & Freedom of Expression | List of countries where core products or services are subject to government-required monitoring, blocking, content filtering, or censoring | Discussion and Analysis | n/a | TC0102-08 | TC-SI-220a.5 | n/a
Data Security | (1) Number of data security breaches, and (2) percentage involving customers’ personally identifiable information (PII), (3) number of users affected | Quantitative | Number, Percentage (%) | TC0102-09 | TC-SI-230a.1 | TC-SI:05
Data Security | Discussion Description of management approach to identifying and addressing data security risks, including use of third-party cybersecurity standards | Discussion and Analysis | n/a | TC0102-10 | TC-SI-230a.2 | TC-SI:06
Recruiting & Managing a Global, Diverse & Skilled Workforce | Percentage of employees that are (1) foreign nationals and (2) located offshore | Quantitative | Percentage (%) | TC0102-11 | TC-SI-330a.1 | n/a
Recruiting & Managing a Global, Diverse & Skilled Workforce | Employee engagement as a percentage | Quantitative | Percentage (%) | TC0102-12 | TC-SI-330a.2 | n/a
Recruiting & Managing a Global, Diverse & Skilled Workforce | Percentage of gender and racial/ethnic group representation for: (1) executives management (2) technical staff and (2) all other employeess | Quantitative | Percentage (%) | TC0102-13 | TC-SI-330a.3 | TC-SI:07
Intellectual Property Protection & Competitive Behavior | Number of patent litigation cases, number successful, and number as patent holder | Quantitative | Number | TC0102-16 | n/a | TC-SI:08
Intellectual Property Protection & Competitive Behavior | Total amount of monetary losses as a result of legal proceedings Amount of legal and regulatory fines and settlements associated with anti-competitive practicesregulations | Quantitative | U.S. dollars ($)Reporting currency | TC0102-17 | TC-SI-520a.1 | n/a
Managing Systemic Risks from Technology Disruptions | Number of (1) performance issues and (2) service disruptions; (3) total customer downtime | Quantitative | Number, Days | TC0102-14 | TC-SI-550a.1 | n/a
Managing Systemic Risks from Technology Disruptions | Discussion Description of business continuity risks related to disruptions of operations | Discussion and Analysis | n/a | TC0102-15 | TC-SI-550a.2 | n/a

28 The Provisional Metric Code column provides the metric code that appeared in the Provisional Standard. The Codified Metric Code column provides the revised metric code that appears in the Codified Standard. The revised metric code is structured as follows: [Sector Code]-[Industry Code]-[Topic Code].[Metric Number].

Table 2. Activity metrics

ACTIVITY METRIC | CATEGORY | UNIT OF MEASURE | PROVISIONAL METRIC CODE | CODIFIED METRIC CODE (29) | REVISION NUMBER
(1) Number of licenses or subscriptions, (2) percentage cloud-based | Quantitative | Number, Percentage (%) | TC0102-A | TC-SI-000.A | n/a
(1) Data processing capacity, (2) percentage outsourced | Quantitative | See note | TC0102-B | TC-SI-000.B | n/a
(1) Petabytes Amount of data storage, (2) percentage outsourced | Quantitative | Petabytes, Percentage (%) | TC0102-C | TC-SI-000.C | n/a

29 The Provisional Metric Code column provides the metric code that appeared in the Provisional Standard. The Codified Metric Code column provides the revised metric code that appears in the Codified Standard. The revised metric code is structured as follows: [Sector Code]-[Industry Code]-[Topic Code].[Metric Number].

 

SUSTAINABILITY ACCOUNTING STANDARDS BOARD
1045 Sansome Street, Suite 450, San Francisco, CA 94111 | 415.830.9220 | sasb.org
