Charles Lankester
Sep 19, 2017

Five simple questions for Equifax’s CEO

Forget the “sorry”. Were you prepared?

The most recent corporate drama to play out on our various screens is Equifax’s catastrophic data breach, which saw 143 million confidential consumer records hacked. Let’s put that in context: that’s the names, Social Security numbers, birth dates and addresses of close to 45 percent of the entire population of the United States.

What I find profoundly depressing is the tired choreography of the company’s response. In this case, sorry really isn’t enough. There are dozens of prior hack cases Equifax could have learned from, to at least be better prepared. Yahoo’s several hacks were one example—and one of those involved a billion users.

So, we now have the trite, dull, predictable playbook that Equifax is rolling out. CEO says sorry. Check. Company “working closely” with FBI. Check. Senior executives fired—or in this case, conveniently “retired”—check. Cybersecurity firm (Mandiant) appointed to undertake “comprehensive forensic review”. Check.

So far, so predictable. But hold on. Let’s dig a bit deeper. Shareholders have seen their EFX stock plummet 35 percent from US$142 to US$92 in the days since the news became public, with Morgan Stanley, on September 15, forecasting a potential “bear case” price of just US$50.

Don’t get me wrong, bad things happen, and I am very sympathetic to Equifax’s predicament. But the big question is, as well as being “sorry”, did Equifax really, genuinely and properly prepare for a breach scenario that a first grader could have forecast? What’s the point in “appointing” Mandiant after the breach? (Stable door, horse, bolt, field etc.)

These five simple questions will throw some welcome daylight onto a) how prepared Equifax was and b) how seriously it took what, in 2017, is a no-brainer risk. I encourage all consumers, shareholders and others affected to present these five questions to the Equifax CEO:

  1. Does Equifax have a risk committee? Who has/had responsibility for cyber risk?
  2. Do you, or a colleague, have a proposal dated prior to the current hack from a high-quality cybersecurity company (such as Mandiant) to undertake a complete audit and breach test of Equifax’s data and system security?
  3. Did you proceed with this proposal? If no, why not? If yes, what recommendations were made?
  4. When did you last undertake a multi-stakeholder data hack/breach simulation, including the authorities you are now “working closely” with, and with the personal involvement of your CFO, COO and yourself?
  5. Do you have any emails and/or other communications in your possession from colleagues in your IT (or related) departments that express their concern about Equifax’s preparedness for a large-scale data hack, or cyber-security threat?

I sincerely hope these questions are easily answered, and Equifax will be able to demonstrate it had done everything in its power to mitigate and avoid the data breach 143 million people have just suffered. But my suspicion is this will not be the case. [In fact, it's been reported that the breach exploited a known vulnerability which was publicised as early as March, but for which Equifax allegedly failed to apply an available 'patch'. -Ed.]

Was management warned, but did not find the time, money or genuine interest to act on those warnings? Did those who work at the sharp end of business share security concerns with the bosses for months before the breach? 

But it’s all OK! Equifax is “sorry”, the people in charge have “retired” and “lessons will be learned”. Here is a crazy idea though: isn’t it about time we ask corporations to focus more on “we’re ready” rather than “we’re sorry”?

I am a realist. It’s likely nothing will change. But maybe the Equifax case might just surface some questions that make other corporations think—what if this was us?

Because the chances are increasingly likely that one day it will be.

Charles Lankester is global EVP, reputation & risk management at Ruder Finn 

 

Source:
Campaign Asia
