Was the board entrenched or just asleep at the wheel?
By Eve Tahmincioglu
The CEO and chairman of Equifax, Richard Smith, was ousted soon after a massive cyber breach left nearly 150 million Americans’ personal information exposed, but what about the board of directors?
Some media articles pointed to a “cozy” relationship between Smith and the board, focusing on a higher-than-average director tenure.
From TheStreet.com: Equifax's board, excluding Smith, has an average tenure of 9.2 years, above the average director tenure of 8.7 years. Seven of Equifax's 10 independent directors have exceeded that average tenure. The director with the longest tenure is Phil Humann, who's served on Equifax's board since 1992.
While board entrenchment is a concern, the main problem may have been flat-footed leadership.
“The key issue is not the fact that the breach happened under former CEO and chairman Richard Smith’s watch, but that Equifax’s response demonstrated that the company’s leadership was not prepared to deal with the issue once it occurred,” maintains Matthew Luzadder, partner at Kelley Drye & Warren LLP.
“First,” he continues, “there was a five-week delay between Equifax’s discovery of the breach and the public announcement of the breach. During this time, three executives, including the CFO, sold stock in the company.”
And, Luzadder adds, “There is a significant question as to when the board and the executive team knew about the breach and if Mr. Smith convened an emergency board meeting to address the incident and what response, if any, the board decided to take in response to the breach.”
There were also public blunders.
“There are questions as to why Equifax’s response exacerbated the breach through a series of public missteps, including requiring potentially affected consumers to accept terms and conditions that appeared to limit their redress rights,” he says. “In addition, Equifax’s hotline was reportedly unprepared to deal with the volume of consumer calls and the company mistakenly tweeted the address of a malicious phishing website multiple times before issuing a correction.”
The lessons for boards are many.
Luzadder suggests boards:
- Should ensure they are promptly informed of incidents that present material reputational, legal and operational risks to the company.
- Should require that the company’s executive leadership is prepared to address such incidents, from both an operational and public relations perspective.
While Equifax’s board will likely be more diligent going forward, Smith’s resignation, Luzadder says, “is largely symbolic and will not stem the wave of lawsuits and is unlikely to prevent his public pillorying in congressional hearings.”
Dottie Schindlinger, VP and governance technology evangelist at Diligent, is hopeful that the Equifax breach and the subsequent fallout have all directors reassessing their cyber-attack preparedness.
Senior leadership and boards must be proactive, she stresses, “starting with reviewing the level of investment they are making in cyber readiness.” But, she adds, “Most directors are in need of better support, training and secure communication tools to ensure they are mitigating cyber risk – not inadvertently adding to it.”
Gone are the days, she notes, when directors could “simply assume cyber risk is being ‘handled’ by IT. Cyber risk is a major enterprise-wide risk – it’s right in the board’s wheelhouse.”