Reports that Equifax’s chief information officer and its chief security officer are retiring should alleviate few concerns and should not divert scrutiny from the company’s risk governance standards. While this is not the largest data breach in history, it is quite possibly the most damaging. It is different in kind and far more harmful than anything before it, primarily because it exposes personally identifiable information on nearly the entire U.S. workforce, along with private information on consumers in other countries. Had Europe’s General Data Protection Regulation (GDPR) been in force, Equifax would not only face the raft of litigation in the U.S. and a growing number of government investigations, it would also be in breach of the world’s most stringent privacy standards, exposing it to fines of up to 4% of worldwide annual turnover or €20 million, whichever is higher. While the company’s technology leaders were quick to fall on their own swords, this case shows that cyber security is an executive-level priority that cuts inconveniently across the C-suite rather than a risk that conforms to clean organizational silos. The Equifax breach is another painful reminder that cyber resilience begins and ends with the board and senior executives. What Equifax’s annual reports reveal about its attentiveness to risk, readiness and resilience is alarming.
While Equifax faces a mounting barrage of regulatory, legal, consumer and investor scrutiny, including from the Federal Trade Commission, the level of risk awareness on display in its annual reports leaves little room for doubt about where its priorities lay. It would appear that at Equifax, customers (the banks and lenders that want to gauge people’s creditworthiness), growth, shareholders and investors mattered more than managing cyber risk, privacy or information security. In a keyword search through five years’ worth of Equifax annual reports, terms that would suggest adequate risk awareness, such as risk management, cyber risk, privacy, data security, data breach or information security, barely appear at all. In fact, the term “cyber risk” does not appear once in five years of the credit bureau’s annual reports. This should give all market participants pause: companies that quite literally hold the “crown jewels” on hundreds of millions of people are, at bottom, data and information technology firms for which cyber threats can be existential. But how does Equifax compare with its peers by this measure?