Dun & Bradstreet

Privacy, Data Transparency, and AI Trust Centre

A Transparency Tapestry for Responsible Data Processing

Our Approach to Digital Operational Resilience

Resilience is one of the 5 Points of our Ethical North Star that guides how we operate and grow our business at Dun & Bradstreet (D&B). With a history of nearly two centuries, our Resilience is demonstrated through our track record of focusing beyond just the immediate task at hand to strategies that drive outcomes for continued long-term success.

Download our D&B ICT Risk and Digital Operational Resilience Position Statement

The 5 Rs of our Ethical North Star. Resilience, Regulatory, Reputation, Responsibility, and Risk

To demonstrate our digital operational Resilience in support of our clients who are subject to digital operational resilience and other information and communications technology (ICT) risk regulation, such as the European Union Digital Operational Resilience Act (DORA), D&B has implemented comprehensive policies and processes to ensure that the ICT services provided to clients through our products and solutions are designed in accordance with the requirements of applicable data and technology laws and regulations, including without limitation laws related to privacy, data protection, cybersecurity, data security, network security, digital operational resilience, and responsible artificial intelligence that apply directly to D&B or to the clients and users of its products and solutions. Our commitments to our clients are set forth in our Global Data Protection Exhibit

While DORA is not directly applicable to D&B, we support our clients’ compliance through the components of our cybersecurity and technology risk (Cyber) program, which is led by our Chief Cybersecurity & Technology Risk Officer, and our global compliance and ethics (GCE) program, including our data protection policies, processes, and standards, which is led by our Chief Ethics & Compliance Officer.  The key components of our programs supporting digital operational resilience are aligned with the five pillars of DORA: ICT Risk Management, ICT-Related Incident Management, Digital Operational Resilience Testing, ICT Third Party Risk Management, and Information Sharing.

ICT Risk Management

Our approach to ICT Risk Management is underpinned by the principles and operating standards of our Enterprise Risk Management program.  Our risk management is a competitive advantage for deepening the long-standing trust we have held with our clients and other stakeholders for decades. We continuously evolve risk management consistent with changes in our business and the regulatory environment. 

Dun & Bradstreet’s Enterprise Risk Management (ERM) program prioritizes the identification, assessment, and control of identified corporate risks. Our Chief Risk Officer leads our ERM program, reports to our Chief Executive Officer, and provides quarterly updates to the Audit Committee of the Board of Directors. The Chief Risk Officer also leads the Enterprise Risk Committee, which comprises senior executives from our business and control functions, with representation covering all functions. The committee is responsible for the oversight of risk management across the enterprise. This includes identifying risks; assessing risk management practices and the control environment; reinforcing business accountability for risk management, supervisory controls, and regulatory compliance; supporting resource prioritization across the organization; and escalating significant issues to the Board. Dun & Bradstreet’s internal global Enterprise Risk Policy guides how we address and respond to risks inherent in our business activities.  More information is available in our Environment, Social & Governance (ESG) Report.

The Chief Cybersecurity & Technology Risk Officer and our Chief Ethics & Compliance Officer serve as members of the Enterprise Risk Committee, and report regularly to the Committee on respective program updates, including new risks, evolving risks, and risk mitigations.  They also join the Chief Risk Officer and other members of D&B Executive Leadership in providing quarterly updates to the Audit Committee of the Board of Directors.

Our Cyber program and our GCE program support our Information Security Management System (ISMS) Controls and our Privacy Information Management System (PIMS) controls, which have been independently audited for compliance with ISO 27001 and ISO 27701 and are reviewed at least annually.  In markets in which we are certified as compliant with ISO 27001, we also hold an ISO 27701 certification. These certifications are designated on our global ISO certifications page, where applicable.

Dun & Bradstreet supports more than 240,000 clients globally. We understand the responsibility this holds. We are diligent about maintaining, updating, and testing our Business Continuity Program (BCP), which is designed to minimize the impact of any reasonably foreseeable service interruption event. Our program prioritizes critical business processes, identifies significant threats to normal operations, and plans mitigation strategies to ensure effective organizational response to significant business interruptions. We emphasize business continuity planning and readiness to minimize potential impacts to our team members, clients, alliances, and overall ongoing operations. 

Our BCP continues to evolve and enables an appropriate level of preparedness for a disruptive incident. The program aligns with key elements of the ISO 22301 Business Continuity and our internal governing standard as outlined in the Dun & Bradstreet BCP Policy Statement. Our Executive Leadership team oversees our BCP by reviewing performance, program improvements, and emerging stakeholder needs. While no BCP can be failsafe, Dun & Bradstreet is committed to ensuring that its program is tested, comprehensive, and up to date, particularly considering rapidly changing information, techniques, and technologies. More information is available in our Environment, Social & Governance (ESG) Report.

ICT-Related Incident Management Process

At Dun & Bradstreet (D&B), we recognize that timely detection and management of incidents is a key component of mitigating regulatory, compliance, cybersecurity, fraud, and other risks. We are committed to effectively managing these risks as part of our commitment to responsible data processing. We extend this commitment to our customers and users of our solutions and services through contracts and other written agreements. As part of this commitment, we maintain a comprehensive Global Compliance and Ethics Program and a Cybersecurity Program, for which our incident response standards and processes are a key component of preventing, managing, and mitigating regulatory, compliance, and cyber risks. We align our Incident and Breach Response standards with our Corporate Policy Statement on Speak Up and Non-Retaliation to support our commitment to a speak up and non-retaliation culture, and where applicable, to our Crisis Management processes.  More information is available in our Incident and Breach Response Policy Statement.

Digital Operational Resilience Testing

Consistent with our approach to ICT Risk Management and ICT-Related Incident Management, D&B utilizes a risk-based approach to Digital Operational Resilience Testing. Tests are conducted both internally as well as by independent third parties at least annually, and remediation and opportunities continuous improvement are prioritized based on potential impact and likelihood.  Our team conducts internal and external tests in a series of identified risk areas, such as:

  • SOC 2 Type 2 and 3 internal controls for security, confidentiality, processing integrity, privacy, and availability of customer data 
  • ISO 27001: Information Security, Cybersecurity and Privacy Protection
  • ISO 27701: Privacy Information Management 
  • PCI Data Security Standard 
  • U.S. Health Insurance Portability and Accountability (HIPAA) Compliance 
  • FTC Consent Order Compliance
  • Customer audits
  • Penetration tests
  • Purple team/adversary emulation exercises
  • Phishing and security tests with our team members
  • Disaster recovery/business continuity plan testing
  • Executive tabletop exercises

More information is available in our Environment, Social & Governance (ESG) Report.

Management of ICT Third-Party Risk

As part of our commitment to responsible supply chain management, we expect others who work on our behalf to demonstrate the same commitment that we have made to high ethical standards.  Our “third parties” that support the ICT services provided to our clients through our products and solutions include processors, subprocessors, and subcontractors.  We consider our third parties to be an extension of D&B, and we expect them to conduct business honestly, with integrity, and in accordance with our Code of Conduct and Ethics for Third Parties.  More information about our third parties is available in our Subprocessor list and our Responsible Data Processing Sheets for specific products and solutions.

Evaluation of third party risk is a core process embedded into our Cyber program and our GCE program and is aligned with our overall approach to enterprise risk management and ICT risk management.  Third party engagements are reviewed through a common global intake process to determine the inherent risk associated with each engagement.  We leverage our own data-driven Risk Solutions to evaluate and monitor certain third party risks, and we supplement those insights with comprehensive risk assessments tailored to the applicable third party risks, including conflict of interest risks in accordance with our Conflict of Interest Policy Statement.  

Certain of the ICT services provided to D&B financial entity clients through our products and services may support certain critical or important functions for some of our clients based on their own ICT risk management framework and policies.  D&B will cooperate with our financial entity clients and our Worldwide Network to determine whether specific D&B products and services support their critical or important functions in accordance with applicable laws, to document the legal basis for such determination, and to ensure that the products and services provided are configured to support the clients’ ICT risk management and compliance needs.  

More information is available in our Environment, Social & Governance (ESG) Report.

Information Sharing 

D&B is committed to responsible cooperation with its clients, regulators, and other stakeholders to support ICT risk management and digital operational resilience accountability as set forth in this position statement.

There are multiple Contact Forms popups in the page. Only one Contact Form popup could be present on single page. Please reconfigure Contact Forms and refresh the page.