The Sustainability Accounting Standards Board (SASB) is a nonprofit focused on helping companies identify and publicly disclose the financially material sustainability topics that matter most to their investors. SASB has developed industry-specific reporting recommendations, including accounting and activity metrics, to guide businesses’ public reporting.
This SASB report includes our responses to SASB’s reporting recommendations for Professional Commercial Services, Nielsen’s industry classification according to SASB’s Sustainable Industry Classification System®. SASB has identified three topics as most material to our industry—data security, workforce diversity and engagement, and professional integrity—as well as specific quantitative and qualitative indicators for each topic. We report detailed information on all of these topics in the Data Privacy and Security, Diversity and Inclusion, Human Capital and Governance sections of this Global Responsibility Report, and on SASB’s specific indicators in the table below.
SASB Code & Accounting Metric
Description of approach to identifying and addressing data security risks
Nielsen is committed to protecting the security of all client and consumer information. Our Cyber Security Program is grounded in internationally recognized data protection principles, and we use a variety of security technologies and procedures to protect client and consumer information. We deploy and utilize innovative custom-built and commercial solutions at a global scale. Nielsen’s Cyber Security Program aligns with the National Institute of Standards and Technology’s Cyber Security Framework, which includes five core functions: identify, protect, detect, respond and recover.
Identifying Data Security Threats and Vulnerabilities
We use a Threat and Vulnerability Management and Penetration Testing program to detect new vulnerabilities and help assign priority to remediation. This program leverages a combination of appliance-based and software agent-based scanners to detect vulnerabilities across our operations. Where possible, we integrate tools for automation and to facilitate CI/CD (Continuous Integration/Continuous Delivery) processes. We have defined remediation periods based on the severity of findings, which in turn drives prioritization and the implementation of remediation actions.
Nielsen contracts with leading security firms to provide penetration testing services for identified high-risk applications, which we supplement with our own internal penetration tests. We also conduct targeted Red Team exercises, utilizing third-party vendors and internal teams, to test the security of our environment holistically and ensure the safety of our applications and information.
We operate a 24/7 Cyber Security Operations Center to respond to malicious behavior and identify incidents through monitoring, alerts and analysis of network activity, as well as through cyber intelligence findings.
We continue to invest in technology and enhanced processes to help us stay on top of threats facing our environment. Continual improvement of these capabilities includes periodic Red Team testing conducted by a third party. This testing provides visibility to improve technology capabilities, processes and procedures within the Cyber Security Operations Center.
Addressing Data Security Threats and Vulnerabilities
Policy and governance: Nielsen uses a principles-based approach to deliver specific control areas within the Nielsen Cyber Security Policy. This policy defines the minimum set of controls that are necessary to uphold the company’s reputation and protect sensitive information. The policy is reviewed annually to ensure appropriate controls and implementation across the company. Controls within the policy are tiered, to ensure that appropriate protection is provided for every level of information classification. Nielsen’s information classifications are: public, internal, confidential and confidential-restricted.
Governance for this policy includes:
We have a defined exception process in place for deviation from data security controls. The process requires a review of business justifications and impacts while considering additional or alternative mitigating controls before approval is considered.
Risk management: The Cyber Security team focuses on identifying cyber security risks throughout business streams, educating the business owners of risks and providing consultation regarding requirements for alternative mitigations. Control attestations are completed to determine how implementation has occurred across specific services, products or business processes. The Cyber Security team maintains a constant feedback loop with our Chief Legal Officer and other members of our senior leadership team to ensure we are continually testing the security of our environment and addressing any potential issues in a timely manner. We also undertake additional risk management procedures in the following special circumstances:
Assessments of third parties who collect, process or store Nielsen confidential or confidential-restricted information: The Cyber Security, Legal and Procurement teams perform in-depth cyber security assessments on third-party security implementations and technology prior to adopting third-party solutions. Reassessments are conducted on a recurring basis.
See the Data Privacy and Security section for more on our approach.
Description of policies and practices relating to collection, usage and retention of customer information
We take seriously our commitment to keeping all personal and confidential data private. We follow an approach of “privacy by design” to ensure that our privacy principles—which align with globally accepted fair information practices—are embedded in the design of our products and services during the development stage. Our Global Privacy and Data Use Policy addresses Nielsen’s collection, use, disclosure and retention of data about unique individuals. The policy is generally applied to all Nielsen services, processes and technologies—whether client-facing or internal—that utilize individual-level data, including during the development or assessment of new processes or technology, as well as by all Nielsen affiliates, subsidiaries, majority-owned joint ventures, associates and contractors.
(1) Number of data breaches; (2) percentage involving customers’ confidential business information or personally identifiable information; and (3) number of customers affected
In 2018 and 2019, Nielsen received a small number of complaints, all of which were either unsubstantiated or resolved directly with data subjects to their satisfaction.
SASB Code & Accounting Metric
Percentage of gender and racial/ethnic group representation for (1) executive management and (2) all other employees
Percentages may not sum to 100 due to rounding. Please note that for the purposes of our 10-K reporting, we use full-time equivalents, whereas for this more detailed reporting on our workforce, we have used total headcount. See the Diversity and Inclusion section for more details and additional metrics.
(1) Voluntary and (2) involuntary turnover rate for employees
Percentages may not sum to 100 due to rounding. Absolute turnover rate includes voluntary and involuntary exits divided by December 2018 and December 2019 headcount. Please see the Human Capital section for more details and additional metrics.
Employee engagement as a percentage of total employees
Employee engagement—the emotional and psychological connection our associates feel about their workplace and the work we do—is central to both individual and business success. We are committed to strengthening employee engagement at Nielsen, because engagement isn’t just a Human Resources (HR) priority—it’s one of Nielsen’s key strategic priorities.
We aim to engage all of our associates through the Nielsen Employee Experience, which focuses on the three aspects of our employee value proposition:
We also foster engagement through:
To track our progress, we maintain open communication channels and feedback mechanisms that help to deepen connections between leaders and their teams and ensure that associates feel connected no matter where they work within the company.
Since 2017, we have enlisted Gallup to gauge employees’ level of engagement through an annual, companywide survey. The survey, which is available in multiple languages, includes questions that tie to measurable performance outcomes proven to demonstrate effective employee engagement. We share detailed survey results with senior leaders and managers, and overall performance with all associates through our company newsletter, global town halls and manager-led team discussions. Managers are expected to develop team-specific action plans based on the survey results, focusing on areas important to the team and where they can make meaningful progress.
For more on our approach to employee engagement and other human capital issues, see the Human Capital section of this report.
SASB Code & Accounting Metric
Description of approach to ensuring professional integrity
Our global Compliance & Integrity program is dedicated to ensuring ethical behavior across Nielsen. Our Code of Conduct is a core element of this program. The Code establishes clear expectations and guidelines for all associates prohibiting corruption, bribery, facilitation payments, fraud, discrimination, antitrust/anti-competitive practices, money laundering, insider trading and more; it also requires associates to avoid and disclose conflicts of interest. The Code also sets forth expectations and guidelines for positive behaviors, including treating everyone with respect, valuing diversity, protecting human rights and speaking up to report Code violations without fear of retaliation.
See the Governance section for more detail.
Total amount of monetary losses as a result of legal proceedings associated with professional integrity
There were no cases or fines associated with ethics, corruption, lack of professional integrity or other environmental, social or governance issues during the reporting period, including incidents related to false or misleading advertising; misleading communications; breach of customers’ data privacy; any other privacy violations; product quality and safety; or anti-competitive practices. Whether an incident is a confirmed case of corruption involves legal determinations and privileged and confidential legal advice. We also did not have any instances of noncompliance with environmental laws or regulations, and we did not receive any fines from the Federal Trade Commission during the reporting period. No business partners’ contracts were terminated for corruption violations during the reporting period.
SASB Code & Activity Metric
Number of employees by type: (1) full-time and part-time; (2) temporary; and (3) contract
Please note that for the purposes of our 10-K reporting, we use full-time equivalents, whereas for this more detailed reporting on our workforce, we have used total headcount. Percentages may not sum to 100 due to rounding. Total headcount includes full-time and part-time headcount. Temporary headcount includes consultants and interns. See the Diversity & Inclusion and Human Capital sections for additional data.
Employee hours worked, percentage billable
Not applicable. We do not track employee time through a single, centralized system.