Was the board entrenched or just asleep at the cyber wheel?
By Eve Tahmincioglu
Richard Smith, the CEO and chairman of Equifax, was ousted soon after a massive breach exposed nearly 150 million Americans’ personal information, but what about the board of directors?
Some media articles pointed to a “cozy” relationship between Smith and the board, focusing on a higher-than-average director tenure.
From TheStreet.com: Equifax's board, excluding Smith, has an average tenure of 9.2 years, above the average director tenure of 8.7 years. Seven of Equifax's 10 independent directors have exceeded that average tenure. The director with the longest tenure is Phil Humann, who's served on Equifax's board since 1992.
While board entrenchment is a concern, the main problem may have been flat-footed leadership.
“The key issue is not the fact that the breach happened under former CEO and chairman Richard Smith’s watch, but that Equifax’s response demonstrated that the company’s leadership was not prepared to deal with the issue once it occurred,” maintains Matthew Luzadder, partner at Kelley Drye & Warren LLP.
“First,” he continues, “there was a five-week delay between Equifax’s discovery of the breach and the public announcement of the breach. During this time, three executives, including the CFO, sold stock in the company.”
And, Luzadder adds, “There is a significant question as to when the board and the executive team knew about the breach and if Mr. Smith convened an emergency board meeting to address the incident and what response, if any, the board decided to take in response to the breach.”
It is unclear whether the board was prepared enough even to know what to do.
Indeed, most board members and top executives lack confidence in their company’s cyber-security readiness, according to EY’s 19th Global Information Security Survey 2016-17.
The survey found:
- 87% of board members and C-level executives say they lack confidence in their organization’s level of cybersecurity
- 57% of respondents have had a recent significant cybersecurity incident, which shows there is still more work to do to strengthen the corporate defenses
- Due to the low quality of reporting on information security, 52% of respondents think their boards are not fully knowledgeable about the risks the organization is taking and the measures that are in place
And PwC’s recently released 2017 Annual Corporate Directors Survey found that 25% of directors say they have no idea who might even attack their company’s assets, up five percentage points from last year.
“We have to raise the existing board members’ digital competency,” says Bob Zukis, a technology consultant, senior fellow with The Conference Board Governance Center and adjunct professor of Management and Organization, Marshall School of Business, University of Southern California. “It demands regular board attention from a risk standpoint, but more importantly, from the strategic opportunity standpoint – how technology creates and captures value.”
(Directors & Boards' 3rd quarter issue focuses on how any existing director can get on the road to "Becoming a High-Tech Director.")
In the Equifax situation, there were also public blunders.
“There are questions as to why Equifax’s response exacerbated the breach through a series of public missteps, including requiring potentially affected consumers to accept terms and conditions that appeared to limit their redress rights,” Luzadder says. “In addition, Equifax’s hotline was reportedly unprepared to deal with the volume of consumer calls and the company mistakenly tweeted the address of a malicious phishing website multiple times before issuing a correction.”
The lessons for boards are many.
Luzadder suggests boards:
- Should ensure they are promptly informed of incidents that present material reputational, legal and operational risks to the company.
- Should require that the company’s executive leadership is prepared to address such incidents, from both an operational and public relations perspective.
While Equifax’s board will likely be more diligent going forward, Smith’s resignation, Luzadder says, “is largely symbolic and will not stem the wave of lawsuits and is unlikely to prevent his public pillorying in congressional hearings.”
Dottie Schindlinger, VP and governance technology evangelist at Diligent, is hopeful that the Equifax breach and the subsequent fallout have all directors reassessing their cyber-attack preparedness.
Senior leadership and boards must be proactive, she stresses, “starting with reviewing the level of investment they are making in cyber readiness.” But, she adds, “Most directors are in need of better support, training and secure communication tools to ensure they are mitigating cyber risk – not inadvertently adding to it.”
Gone are the days, she notes, when directors could “simply assume cyber risk is being ‘handled’ by IT. Cyber risk is a major enterprise-wide risk – it’s right in the board’s wheelhouse.”