Equifax, one of the three major credit bureaus in the U.S., recently revealed a data breach resulting in the exfiltration of records on more than 143 million people. In cybersecurity parlance these records are the veritable “crown jewels”: social security numbers, addresses, birthdates and, for a subset of those affected, credit card information. The number corresponds to nearly half of the U.S. population and the large majority of the labor force. While the sheer scale makes this one of the largest and most damaging cyber-attacks of its kind, the real long-range damage to Equifax may come from the ill-timed stock sales by three of its executives, including its CFO, just days after the breach was first discovered and roughly six weeks before it was disclosed. This seemingly deliberate move to de-risk their exposure to Equifax’s almost certain market loss reveals that cyber risk cannot be treated in isolation from reputational harm. Likewise, this massive breach is yet another reminder that there is no technological panacea for cybersecurity; what is needed is a holistic approach to cyber resilience.
Compounding the company’s challenges, reports that Equifax’s remediation terms would in fact limit consumer rights while boosting enrollment in its own identity-monitoring subsidiary have only added to its management and governance headaches, not to mention the very legitimate concerns of 143 million people now grappling with a lifetime of exposure. Many affected consumers are already organizing a massive class-action lawsuit seeking damages of $70 billion. Equifax’s apology from its chairman and CEO offers people the opportunity to enroll in the subsidiary’s identity-monitoring service at no cost for one year. Here a host of new consumer challenges emerges: the latency of cyber threats, the vast secondary black market where personal data are sold, the lifelong nature of social security numbers, and our performance-based credit system. Sadly, low levels of financial literacy and awareness mean that those who can least afford this unwanted disclosure will bear the brunt of its long-term consequences. Others can take matters into their own hands and monitor their identities, guarding against financial fraud and credit theft by following some straightforward, if tedious, steps.
People who take Equifax’s one-year identity-monitoring offer may worry about being locked into the service after the year elapses, or about being preyed on by cyber-criminals, who have the benefit of patience and of Equifax’s own announcement to time their moves, the very day the service expires. Compounding these issues, Equifax’s tool for notifying customers whether they have been exposed returned a blanket message regardless of what information was entered on its breach-response website. There was also a lag of a few days before customers could return, relying on their own memories, to enroll in the identity-monitoring service. This created an impression of granularity that was in fact not there. That is not surprising given the massive size of the breach, but it does say something about the state of play inside the firm. The public notice delayed by roughly six weeks, the stock sales, the fumbled response (which neglected the reality that bad news does not improve with time) and the use of its own identity-monitoring company to reassure the market all conspire to erode customer trust and will be met with reasonable cynicism. This breach is a teachable moment not only for firms of Equifax’s size and financial wherewithal, but for all market participants. In short, cyber risk is truly a systemic threat, and if a firm like Equifax can hemorrhage its lifeblood so freely at the hands of cyber criminals, what does that say about the rest of the market?
Beyond these short-term questions, which are surely weighing on the minds of Equifax’s executives and board, the real long-range issues raised by this breach are much bigger. A company of Equifax’s size presumably employed what would be considered best practices in cybersecurity: cutting-edge threat detection technology, data encryption and obfuscation, onerous compliance standards, and a wide range of internal controls and data segregation that were supposed to make breaches of this kind a thing of the past. For a major credit bureau like Equifax, whose entire business is the custody of sensitive personal data, cybersecurity is a zero-failure mission in the same way passenger safety is paramount to an airline. Given the scope of this breach, it is the equivalent of all of an airline’s planes falling out of the sky at the same time.
Troublingly, if Equifax can be exposed in this way, the rest of the market may very well be sitting ducks in the sights of patient, sophisticated and deeply interconnected cyber threats. The number of affected people is so staggering that in some respects large-scale breaches like Target’s, Yahoo!’s or the Office of Personnel Management’s have made the public somewhat indifferent to these events. The Equifax breach, however, is different: unlike other events of this nature, it reveals that many systemically important firms are not treated as such by regulators, and it creates potential lifelong externalities for 143 million people. This raises one final question: was Equifax sufficiently “risk-aware” to adequately guard our crown jewels?
For publicly held companies, annual reports are often our closest proxy for an in-depth conversation with management. Against this measure, a review of the last five years of Equifax annual reports finds surprisingly little mention of risk management, cybersecurity, customer privacy, cyber risk and information security, let alone the governance and accountability for these areas. In fact, in the 2016 annual report the word “cyber” does not appear once. Given the rapidly evolving cyber risk landscape and the fact that these risks are industry-agnostic, this is troubling for any organization, but especially so for one of the three national credit bureaus that wield so much power over consumer financial outcomes. Structurally, there appears to be no Chief Risk Officer on Equifax’s executive team and no independent risk management committee on the company’s board. And while there are reports that Equifax carries up to $150 million in cyber liability insurance, a breach of this magnitude will quickly exhaust that coverage and likely lead to a “hardening” of cyber insurance rates. In short, the Equifax breach, which has the dubious distinction of ranking among the top five in terms of exposed records, along with the stratospheric damages being sought, is another costly reminder that we need systemic solutions to confront systemic risk.