COSO ERM Framework and Altdata


A COSO PERSPECTIVE

Authors

Ryan Blair, Nicolas Dumont, Michael Egan, and David Navetta.

Acknowledgements

We would like to recognize and thank Nicolas Dumont of Cooley LLP for his
leadership on this project. Additional thank you goes to the COSO Board, and
COSO Board Chair and Executive Director Lucia Wind for providing input,
assistance, and valuable feedback in developing this paper. We also thank
Ryan Blair, Partner, Michael Egan, Partner, and David Navetta, Partner, Cooley
LLP for their technical input and advice.

COSO Board Members

Lucia Wind
COSO Board Chair and Executive Director

Douglas F. Prawitt
American Accounting Association

Jennifer Burns
American Institute of CPAs

Daniel C. Murdock
Financial Executives International

Larry R. White
Institute of Management Accountants

Benito Ybarra
The Institute of Internal Auditors

This project was commissioned by the Committee of Sponsoring Organizations
of the Treadway Commission (COSO), which is dedicated to helping
organizations improve performance by developing thought leadership that
enhances internal control, risk management, governance, and fraud deterrence.

COSO is a private-sector initiative jointly sponsored and funded by the
following organizations:

American Accounting Association (AAA)

American Institute of CPAs (AICPA)

Financial Executives International (FEI)

The Institute of Management Accountants (IMA)

The Institute of Internal Auditors (IIA)

Committee of Sponsoring Organizations of the Treadway Commission
coso.org

Copyright © 2024, The Committee of Sponsoring Organizations of the Treadway Commission (COSO).
All Rights Reserved. No part of this publication may be reproduced, redistributed, transmitted or
displayed in any form or by any means without written permission. For information regarding licensing
and reprint permissions please contact the American Institute of Certified Public Accountants’
licensing and permissions agent for COSO copyrighted materials.
Direct all inquiries to copyright@aicpa.org or AICPA,
Attn: Manager, Rights and Permissions, 220 Leigh Farm Rd.,
Durham, NC 27707. Telephone inquiries may be directed to 888-777-7077.
Design and layout: Sergio Analco

2 AltData – A COSO Perspective


Contents

Introduction

What is alternative data?

Identifying and managing altdata risk using the COSO ERM Framework

What risks does altdata pose to the organizations?

What specific risk assessment and management steps should organizations consider?

Conclusion

Footnotes

About the authors

About COSO



Introduction

Risk management is an integral part of strategic planning and financial and operational success of any organization. The Committee of Sponsoring Organizations of the Treadway Commission’s (COSO) Enterprise Risk Management Framework (ERM) is used by risk professionals on their journey to proactively identify and manage emerging risks. This publication provides organizations with an introduction to the topic of alternative data, or altdata, as a possible significant risk factor for consideration. Every organization needs to be aware that altdata about them is widely collected, whether internally within an organization or by third parties. Emerging technologies, techniques, and concepts such as artificial intelligence, data management, harvesting, and security are all relevant risk topics that should be considered not only as they relate to financial and operational information, but to their potential implications for an organization’s altdata as well.

Our publication provides a definition of alternative data, its potential uses, and how COSO’s ERM Framework can be applied to the challenge and opportunity of altdata. The ERM framework is particularly helpful to identify, assess, and address certain risks relating to altdata, including inadvertent disclosure of sensitive or confidential information, reporting and compliance issues, and failure to maximize potentially significant value of altdata. As the significance of alternative data grows and evolves, both in terms of its value to organizations and its associated risks, boards of directors, senior management, data compliance, and disclosure personnel should each become familiar with the risks and opportunities it presents.



What is alternative data?

Altdata generally is understood to include information about an organization that is available outside of traditional financial and regulatory reporting channels, press releases, or other authorized materials. It includes data about an organization and its operations that the organization makes public or otherwise discloses to third parties knowingly or unknowingly. Altdata has no standard definition provided by industry groups or regulators, and as such the definition remains inherently fluid. Common sources of altdata include e-mail, information from mobile devices and apps, payment card transactions, geolocation data, social media information, sensors, web-scraped data, internet traffic, Internet of Things-based devices, satellite data, point-of-sale information, and rewards programs. This list is not exhaustive: as the volume of data produced by organizations rises, so too does the volume of altdata, absent operational or definitional reframing.

Every organization needs to be aware that altdata about them is widely collected. Altdata is commonly collected and used to identify patterns and obtain insights relevant to or about a target industry, company, or user-base. It is leveraged to gain market intelligence and advantage by using multiple available data points to extrapolate timely and valuable information.

The altdata market has grown significantly in recent years and is expected to continue to do so. This increase is in part linked to the exponential growth of the amount of data resulting from the digitalization of the world and its economy. As data proliferates, companies’ data ecosystems expand in turn. This trend is likely to be compounded by the availability of generative artificial intelligence (AI), which promises to better synthesize the massive volume of altdata and extract valuable insights from it. According to Globe Newswire, the estimated value of the altdata market could reach approximately $156.23 billion by the year 2030.

The altdata collection industry ecosystem consists of organizations that are data sources (public facing and internal); data aggregators/brokers; service providers (including those specialized in data integration, enrichment and quality; data analytics/AI; and compliance); data marketplaces; and regulators. Different participants within that ecosystem interact with altdata in various ways. Almost all organizations generate altdata (whether unknowingly or deliberately), often as a byproduct of their operations. Entities might also consume altdata to develop business strategies and conduct research. Altdata is also commonly utilized for competitive intelligence and to gain competitive advantage. Other ecosystem participants, such as altdata service providers or brokers, specialize in the collection of altdata primarily for resale to organizations and consumers. Finally, other ecosystem participants are largely consumers of altdata, such as trading firms who seek to obtain insights, drive trading strategies and evaluate opportunities.

Our publication focuses on the first category of altdata ecosystem participants, primarily consisting of corporations that generate altdata. For them, altdata brings risks that should be identified and addressed, as discussed further below, consistent with ERM practices within their organizations. But careful assessment of altdata can also lead to important performance, competitive, financial, compliance and reporting improvements. As discussed below under Risk 3, altdata also represents potential new revenue streams: with proper guardrails, organizations should be able to monetize or otherwise leverage altdata by selling or licensing it.



Identifying and managing altdata risk using the COSO ERM Framework

The COSO Enterprise Risk Management (ERM) Framework is used by risk and other professionals to identify and mitigate a variety of organizational risks. COSO defines ERM as “The culture, capabilities, and practices, integrated with strategy-setting and its performance, that organizations rely on to manage risk in creating, preserving, and realizing value.” Risk is defined as “the possibility that events will occur and affect the achievement of strategy and business objectives.” Risks considered in this definition include those relating to business objectives.

Risks associated with altdata, including those identified below, linked to identification, compliance, valuation, or governance issues may constitute business risks. ERM is an ongoing, iterative process, and should be updated whenever there are significant changes to the environment and organization. Organizations should consider whether the proliferation of altdata constitutes a change meriting analysis of each of the ERM components as applied to an organization’s data environment.

The COSO ERM framework comprises five interrelated components, each of which may be applied to altdata analysis as follows:

• Governance and Culture, which in part sets the organization’s tone, reinforcing the importance of, and establishing oversight responsibilities for, enterprise risk management, as well as understanding of risk in the entity. As discussed further below, organizations should assess how to align their governance structures to better assess altdata risks and opportunities.

• Strategy and Objective-Setting, which includes enterprise risk management, strategy, and objective-setting working together in the strategic-planning process. Organizations should determine how best to integrate altdata into the definition of their strategic objectives and operational or financial performance. Altdata may be used to enhance enterprise value as part of a monetization or licensing strategy, or identified as an asset to protect in order to conserve enterprise value. Effective risk management practices related to altdata can also safeguard future strategic decisions or transactions, such as mergers and acquisitions or dispositions.

• Performance, which includes identification and assessment of risks that may impact the achievement of strategy and business objectives, prioritization of those risks by severity in the context of risk appetite, selection of risk responses and portfolio view of the amount of risk it has assumed. As altdata is a fluid topic, organizations should determine what altdata risks they are exposed to in light of their strategic objectives, and how best to respond to those risks.

• Review and Revision by which an organization can consider how well the enterprise risk management components are functioning over time and in light of substantial changes, and what revisions are needed. As altdata sources and uses change and can be expected to do so over time, organizations must continually review their altdata profile and revise their approach.

• Information, Communication, and Reporting, or a continual process of obtaining and sharing necessary information, from both internal and external sources, which flows up, down, and across the organization. As discussed further below, organizations should pursue information reporting and gathering exercises to enhance their reactivity to altdata and develop proper reporting channels.



What risks does altdata pose to the organizations?

Risk 1: Inadvertent disclosures.

Organizations incur risk when they are not aware of the existence of altdata they produce and the story it can reveal about them. That failure could lead to the inadvertent disclosure of sensitive competitive information or strategy objectives, information that would otherwise constitute material non-public information (MNPI), intellectual property (IP), or even financial results or operational performance. Any time a company acts outside its organization or interacts with a third party, organizations should consider how this behavior could be used or perceived for alternative data analysis purposes, or how it could inadvertently reveal sensitive information.

This inadvertent revelatory activity typically occurs when organizations fail to properly identify and assess information that may have been identified for public consumption, but not necessarily analysis. For example, company websites may well be destined for consumption by the public, but their analysis by sophisticated parties could reveal activity, resource deficiency or strategic focus. Sales and marketing may publish statistics or stories for thought leadership or branding purposes that can be used by alternative data providers to develop underlying performance insights. Posts of job opportunities could likewise grant insights into where and how a company is growing, anticipates growth or an area (geographical or technical skill level) where the institution is struggling with resource retention. Failure to assess this information as altdata at an enterprise risk level could be problematic as it could reveal performance data or business strategies that the organization does not ultimately intend for analysis (or as to which the company may not itself be aware). Every company is potentially an altdata generator if material amounts of data about the company are available to third parties; these organizations in turn incur the risk of inadvertent disclosure about a range of information about the organization. The use of AI solutions by employees that deliver base data to larger models may exacerbate this problem.

Because how alternative data is ultimately analyzed and processed by third parties is ultimately unknowable, the risk of inadvertent disclosure through failure to identify altdata is great. As the alternative data industry evolves rapidly, organizations might deploy a “known-unknowns” framework in assessing alternative data.

Risk 2: Inaccurate reporting, and compliance failures.

Through a combination of board independence and committee rules and responsibilities, auditors who are regulated by the Public Company Accounting Oversight Board, and lawyers who are responsible in part to the SEC, the law endeavors to ensure that financial transactions and data of U.S. public companies are reported accurately. Similar, though less stringent, controls exist for private enterprises that may create audited financial statements for use by the organization and other stakeholders, including investors. To date, these initiatives appear to have been largely successful in avoiding widespread accounting fraud in the U.S. capital markets, both private and public. With these guardrails in place, the next great source of informational risk to organizations is likely to come from elsewhere.

Alternative data, if not assessed and managed properly through ERM practices, could very well be that source. Altdata represents a technological paradigm shift in the nature, volume, accessibility, connectability, and interpretability of information, and in particular forward-looking, predictive real-time information. Because of these characteristics, altdata has the potential to reveal differences between the knowledge that is imputed as a matter of law and custom to organizations, and the actual knowledge of that organization, which is effectively that of corporate managers, employees, and boards of directors and those they supervise. The proliferation of altdata suggests that the volume of data about an organization may now be larger than what current internal control and data analysis programs are designed to currently assess or have considered assessing. That characteristic represents an epistemological challenge to organizations, one that could be addressed by applying the principles embedded in the ERM Framework: governance structures and information, communication, and reporting processes may need to evolve to address altdata from a risk perspective.



Could this paradigm shift result in operational, compliance, or reporting issues corporate managers and boards of directors themselves have not identified? An example illustrates this potential concern, which lies beyond mere “skeletons in the closet” from vast stores of data. Imagine, for example, a company that sells products both in physical stores and over the Internet. The company routinely produces reports either for regulators or its stockholders regarding its results of operations, financial conditions, and prospects. These periodic reports are the results of internal financial controls and processes that are designed to capture past financial performance and translate those results into financial statements and disclosures that are guided by reporting rules. But investors operate based on future performance and prospects, not performance that may be indicative of past trends but not the future. If the company does not consider and analyze its altdata, it may not properly report the current trajectory of its web-based business. The company may not describe to its investors or regulators future risks or opportunities that may not be evident from past results, but which may be evident from available real-time altdata data points (or, as discussed above, may inadvertently disclose information).

As a result, altdata generated deliberately or inadvertently by an organization potentially presents compliance risks to that organization that go beyond the regulatory concerns currently associated with data as a class, such as privacy and intellectual property laws. Corporate sources should be mindful of failing to identify material trends or disclosure issues through lack of analysis of available altdata. In case of discrepancies or compliance deficiencies, failure to so assess could lead to regulatory action or private litigation.

Risk 3: Failure to realize value and opportunities.

Organizations also can fail to identify value from potentially significant altdata, which impedes the organization’s goal of maximizing shareholder value. This failure can occur in two ways. First, an organization that generates altdata may also acquire third party altdata generated by external sources for competitive analysis or performance benchmarking. If the organization misanalyzes that external altdata or does not conduct proper diligence on the source of that data, it could at a minimum fail to realize the intended value of such data, or worse expose itself to regulatory action or litigation. Second, organizations that generate data can fail to properly value, or valuate, the altdata they themselves have generated. This failure of valuation can stem from two principal causes: first, a failure to identify valuable altdata as an exploitable asset; and second, a failure to safely create value from the sale or other exploitation of those assets.

Even if an organization properly identifies altdata for sale or license and prices that transaction correctly, it should not do so without appropriate reporting and compliance analysis, and governance safeguards in place. When analyzing how to deploy altdata strategically, either for purposes of internal analysis or in the context of an external transaction, organizations should consider how to apply the ERM at least at the Strategy and Objective Setting and Performance levels.

Failure to implement the principles embedded in the ERM Framework could have consequences. Should an organization fail to conduct proper monetization procedures on its altdata assets, it is exposed to threat from third parties, who can potentially assess the organization’s prospects and value better than the organization itself and use those information asymmetries to their advantage. Similarly, the failure to conduct proper governance and legal analysis could expose the organization to regulatory or litigation challenges.



What specific risk assessment and management steps should organizations consider?

1. Assess and enhance data controls and procedures to help identify and analyze altdata.

Companies should consider designing and implementing policies to facilitate the identification and analysis of alternative data, as well as assess and reinforce protective measures with respect to altdata. Leveraging the principles embedded in the ERM Framework can be useful to this task: organizations should evaluate their governance structures and information, communication, and reporting edifices to the task of altdata analysis. By assessing the impact and likelihood to their organizations specifically, organizations can better develop effective mitigating action plans to combat the short-term or long-term effect of altdata risk.

Effective internal control systems have a proven record in minimizing organizational risk. Similarly, data controls and procedures should enable a company to understand what information regarding it is publicly available, and how that information could be leveraged by others. Protective measures for such information may include policies, procedures, software, and legal protections for unintended use cases, such as AI-focused policies and procedures, firewalls, and terms-and-conditions.

As part of their overall effort to exercise good data hygiene, organizations should be careful when selling or giving their own information to data aggregators who routinely pay and solicit companies for data. Organizations should conduct diligence on such parties to assess the policies and procedures they apply to data and their record of legal compliance.

2. Leverage analytic tools to achieve consistency between alternative data and regulatory reports.

By analyzing altdata, or employing AI native processes such as natural language processing, organizations should strive to identify differences between publicly reported data, including financial or regulatory reports, and other data that is disclosed intentionally or unintentionally. Divergences between the two may yield useful trading advantages when they reveal past performance or future trends that are otherwise undisclosed.

Reporting organizations should strive to diminish variability between the result or potential result of analyzing alternative data and external reports. For example, organizations could expose themselves to liability should financial statements suggest that internet sales have risen from quarter to quarter, yet detailed analysis of web traffic suggests otherwise.

The insights altdata offers should prompt companies to assess what their own generated altdata can tell them about their operational posture, reporting strength, and compliance status. Since altdata is growing significantly, its insights and impact on corporate compliance and risk will likely be difficult to ignore for most data-centric companies.



3. Adapt governance structures.

Failure to adapt governance and risk management processes to the proliferation of altdata represents a fundamental risk to altdata generative organizations. As altdata practices evolve, it will become important that activities spanning risk, compliance, control, and governance be coordinated to aid in the assessment of altdata. If an organization’s governance infrastructure fails to identify and assess the legal, ethical, competitive, and financial impacts of collecting and using altdata emanating from other entities, it could face governance and leadership reprimand. Adapting governance structures serves as a key method of adapting an organization’s ERM to the risks posed by altdata.

What is the proper role of an organization’s board with respect to alternative data in light of these trends? Generally, boards should understand the range of alternative data available regarding the organization they oversee and its public use. As financial statements are reviewed and approved by boards of directors (or audit committees in the US public company context), boards (or data and risk committees) could work with disclosure committees or other compliance and reporting structures to review public information and consider how that output relates to other available altdata. Similarly, boards could also defensively monitor controls and protection guidelines for altdata and monitor and address disinformation initiatives or other malicious behavior. Boards should avail themselves of the resources needed to complete their duty, including outside advisers, and should exercise their discretion to advise management to devote additional resources to alternative data issues.

Governance enhancement could also include better internal education on the topic of altdata. Creating and monitoring an organization-wide strategy to identify, manage, document, and address altdata risks is recommended, as well as recruiting key technical experts and advisors that can advise the board on risks and opportunities. Regularly conducted altdata risk and value assessments may be useful, including upstream reporting, as well as identification of areas of possible future risks, including metrics to evaluate how well the organization is addressing those issues. Boards could also be charged with evaluating the ethical and legal considerations relating to the organization’s own consumption of altdata.

Companies have considerable discretion in crafting policies and procedures that suit their structure and risk profile. They should consider adopting a principles-based approach to altdata rather than formal rules, since altdata, definitionally, changes in scope and nature, and can be expected to continue to do so in the future. In the near future, the practice of data governance will likely migrate from static policies, compliance reviews, security and retention to more active and evolutive data asset management: data hygiene management, audits, data use analysis, AI reviews, valuation, policies, compliance, security, and retention.



While certain boards may, after review, conclude that altdata does not represent a significant risk or opportunity to their particular organization, they should still exercise strategic oversight of altdata matters, including, as applicable:

• Identifying whether the full board, a committee and/or specific directors are responsible for oversight.

• How the board is informed of altdata issues related to disclosure or financial reporting.

• How frequently the board discusses altdata issues.

• Whether and how the board considers altdata as part of the company’s business strategy, risk management, operations and financial oversight.

• Staying current on regulatory developments, best practices and industry trends.

• Understanding the company’s measures to assess, develop and defend altdata.

• Documenting the committee’s/board’s review of policies and its role in oversight.

• Appraisal of, and subsequent assessments of, risks.

• Challenging management and seeking advice from external advisers, including auditors, lawyers and altdata consultants.

Management’s role in managing and monetizing altdata and implementing appropriate policies and procedures might include identifying and documenting the following:

• Which management positions or committees are responsible for managing altdata risk, and what is the relevant expertise of those individuals?

• Who at the company is best suited to address risk and opportunity, what is the relevant expertise of the individual and to whom do they report at the company?

• What is the process by which management is informed of and monitors the company’s altdata?

• Does management report to the board of directors on these issues? If so, how frequently?

• Who are the stakeholders at the company responsible for managing risk and data policies and procedures?

• How does management report to the board, in terms of content and characterization?

Coordination will also be required between key internal stakeholders such as IT departments, engineers/data input leads, customer experience, marketing, analytics and data use teams, and legal and regulatory compliance with external stakeholders such as third-party data sources, data aggregators, data consultants and vendors, and data purchasers and users.

Conclusion
As altdata grows in volume, velocity, and complexity, as well as accessibility, organizations should assess
the impact of this ecosystem on their operations, reporting, compliance, and risk systems. Since the
growth of altdata presents both opportunities and risks, the data infrastructure and related governance
of many institutions may be required to adapt to a complex and evolving environment. The COSO ERM
Framework is well-suited for application to the issues presented by altdata for organizations, and provides
much-needed structure for identification and analysis of altdata within organizations.



Footnotes

1. A-Guide-to-Alternative-Data_jan2021..pdf (fisd.net)

2. The arrival of altdata should not be viewed in isolation. Certain technologies, terms, and concepts that are directly correlated with
increased availability and utility of altdata include the following:

• Big Data/Open Data: Big data refers to the wide variety of data coming from sources such as IoT, social media, and other data
sources too large or complex to be processed by traditional applications. In a sense, altdata is a manifestation of big data. Open
data is in turn a subset of big data: large, usually structured, data sets, usually made available by governments. Big data, IoT,
and AI may all be used together in the future and, working in conjunction with internal control processes, could become a powerful
toolset to enhance an organization’s operations, reporting, and compliance profile.

• Artificial intelligence (AI): AI is an area of computer science where intelligent machines work and react like people (albeit people
with infinite memories, who never tire, and are constantly improving) for tasks like decision-making, problem-solving, emulating
senses, learning, planning, and activities like visual perception and speech recognition. AI has experienced a renaissance
recently due to the advent of widely available generative AI technologies, such as ChatGPT. At core, AI is particularly useful
at identifying patterns, outliers and non-obvious correlations. AI can be used to augment human involvement or serve as its
replacement. For instance, AI can be used to analyze real-time trade transactional data and other information to simulate
human judgment in classification, recording, analytics, and decision-making. Generative AI can also be used to create new data,
techniques or code, some of which could potentially be used by entities as part of their altdata profile.

• Internet of Things (IoT): Internet of Things is a broad term for the growing list of things that can link to the Internet. With home
automation devices, just about anything that can turn on and off can be Internet-enabled and be part of a network of things
that can monitor, report about, and act upon the environment around it. The promise of data monetization and the drive to obtain
data-based insights is readily apparent in the auto industry now that practically every new car rolling off the lot is connected to the
Internet. IoT devices can potentially write to or act upon information to enhance an altdata profile.
See “Blockchain and Internal Control: The COSO Perspective.”

3. globenewswire.com/news-release/2023/08/30/2734059/0/en/Alternative-Data-Market-worth-156-23-Billion-by-2030.

4. cmr.berkeley.edu/2022/11/harnessing-alternative-data-for-competitive-advantage.

5. public.axsmarine.com/blog/the-rise-of-alternative-data-unveiling-hedge-funds-secret-weapon.

6. The components, principles, and points of focus of COSO’s Internal Control-Integrated Framework (ICIF) may provide a method of
addressing altdata activities and information in response to the risks identified and addressed by the ERM. As defined by COSO,
“Internal control is a process, effected by an entity’s board of directors, management, and other personnel, designed to provide
reasonable assurance regarding the achievement of objectives relating to operations, reporting, and compliance.”
The COSO Internal Control-Integrated Framework (ICIF) outlines the principles and points of focus for effective internal control
programs.



About the authors

Ryan Blair focuses his practice on securities, corporate governance and shareholder litigation, including
the defense of securities class actions, derivative suits and M&A litigation. He also represents companies,
boards and special committees in connection with Securities and Exchange Commission investigations
and civil enforcement actions, as well as internal corporate investigations. Ryan has worked with clients
in the hardware, software, semiconductor, biotechnology, pharmaceutical, internet and digital media
industries. His practice also includes complex commercial litigation. Ryan received his BA from Stanford
University and his JD from University of California at Los Angeles School of Law.

Nicolas Dumont is a member of Cooley LLP’s public companies, capital markets and artificial intelligence
groups, as well as a leader of the firm’s alternative data group. He has represented clients in North
America, Asia and Europe. His transactional practice centers on advising corporate and investment
banking clients in public and private corporate finance transactions, with experience in initial public
offerings (IPOs), special purpose acquisition companies (SPACs), common and preferred stock issuances,
private investment in public equity (PIPE) offerings, and other types of offerings. He has advised in a
wide array of industries, including tech, life sciences, crypto, banking, shipping, natural resources and
insurance. Nicolas’ alt data work lies at the intersection of capital markets regulation and evolving machine
learning and artificial intelligence technologies and techniques. In close collaboration with Cooley’s
cyber/data/privacy and litigation practices, his current focus is on data monetization and controls, public
company reporting, and related governance and corporate systemic risk topics. Nicolas received an
AB from Princeton University (summa cum laude), a JD from Stanford Law School and a diplôme from
Sciences-Po (Paris).

Michael Egan has focused on cyber/data/privacy issues in the areas of technology, innovation, retail
and consumer solutions, life sciences, manufacturing, financial services, and healthcare since 2007. He
advises clients on all legal aspects of global data protection, data privacy, data security, data breaches,
information technology, and related restrictions on data collection, use, and transfer. He has represented
companies before numerous government agencies and bodies, including the US Federal Trade
Commission, the US Department of Justice, and the US Securities and Exchange Commission, as well as
data protection authorities around the world. Michael received his BA from Georgetown (cum laude) and
his JD from Boston College.

David Navetta is a prominent leader in privacy, information security and technology law. He has
extensive experience counseling clients on novel and cutting-edge data protection issues, including data
breach response, cybersecurity risk management, consumer and employee privacy, incident response
planning and preparedness, technology transactions, vendor management, board of director advice
and consultation, regulatory investigations, litigation and due diligence in corporate transactions. David
serves as a “breach coach” on an approved panel for numerous cyber insurance carriers and companies,
and he has helped some of the world’s leading corporations to effectively respond to complex data
security breaches and protect their enterprise. David’s clients range from startups to large Fortune 500
multinationals across a range of industries, including ecommerce, consumer products, name-brand
traditional brick-and-mortar, hotels and hospitality, social media, technology, professional services,
healthcare, financial institutions and energy. David received his BA from Michigan State University and his
JD from DePaul University College of Law.

Ryan, Nicolas, Michael and David are each founders of Cooley’s Alternative Data, Monetization and
Governance practice group.



About COSO

Originally formed in 1985, COSO is a joint initiative of five private sector organizations and is dedicated
to helping organizations improve performance by developing thought leadership that enhances internal
control, risk management, governance, and fraud deterrence. COSO’s supporting organizations are the
American Accounting Association (AAA), the American Institute of Certified Public Accountants (AICPA),
Financial Executives International (FEI), the Institute of Management Accountants (IMA), and The Institute
of Internal Auditors (IIA).

This publication contains general information only and none of COSO, any of its constituent organizations
or any of the authors of this publication is, by means of this publication, rendering accounting, business,
financial, investment, legal, tax or other professional advice or services. Information contained herein is
not a substitute for such professional advice or services, nor should it be used as a basis for any decision
or action that may affect your business. Views, opinions or interpretations expressed herein may differ
from those of relevant regulators, self-regulatory organizations or other authorities and may reflect laws,
regulations or practices that are subject to change over time. Evaluation of the information contained
herein is the sole responsibility of the user. Before making any decision or taking any action that may affect
your business with respect to the matters described herein, you should consult with relevant qualified
professional advisors. COSO, its constituent organizations and the authors expressly disclaim any liability
for any error, omission or inaccuracy contained herein or any loss sustained by any person who relies on
this publication.
