Reports that Equifax’s chief information officer and chief security officer were retiring should alleviate few concerns and not divert scrutiny from the company’s risk governance standards. While this is not the largest data breach in history, it is quite possibly the most damaging. This data breach is different in kind and much more harmful than anything before it, primarily because it reveals personally identifiable information on nearly 100% of the U.S. workforce, as well as private information on consumers from other countries. Had Europe’s General Data Protection Regulation (GDPR) been in force, Equifax would not only face the raft of litigation in the U.S., alongside a growing number of government investigations, it would also be in breach of the world’s most stringent privacy standards – resulting in hefty fines of up to 4% of the company’s worldwide sales or €20 million. While the company’s technology leaders were quick to fall on their own swords, this case reveals that cyber security is an executive-level priority inconveniently cutting across the C-suite and not a risk that conforms to clean organizational silos. The Equifax breach is another painful example teaching us that cyber resilience begins and ends with the board and senior executives. What Equifax’s annual reports tell us about their attentiveness to risk, readiness and resilience is alarming.
While Equifax is undergoing a mounting barrage of regulatory, legal, consumer and investor scrutiny, including from the Federal Trade Commission, the firm’s demonstrated risk awareness in its annual reports leaves little room for doubt. It would appear that at Equifax, customers (banks and lenders that want to gauge people’s creditworthiness), growth, shareholders and investors mattered more than managing cyber risk, privacy or information security. In a keyword search through 5 years’ worth of Equifax annual reports, terms that would suggest adequate risk awareness, such as risk management, cyber risk, privacy, data security, data breach or information security, barely appear at all. In fact, the term cyber risk does not appear once in any of the credit bureaus’ annual reports in the last 5 years. This certainly should give all market participants pause, as companies that quite literally hold the “crown jewels” on hundreds of millions of people are nothing more than data and information technology firms for which cyber threats can be existential. But how does Equifax stand up to its peers by this measure?
Applying the same keyword searches to the annual reports of the 3 major credit bureaus over a 5-year period reveals a general lack of risk awareness when it comes to information security and privacy. Of the 3 firms in question, arguably Experian is the best of the worst alternatives, in part because of its headquarters in Ireland, where the EU has more stringent privacy and cyber security standards. Of the 2 major U.S. credit bureaus, TransUnion and Equifax, TransUnion would score higher through this somewhat crude measure of risk awareness and risk governance. Up until now, the business models of major credit bureaus relied in part on a moral hazard, which is risk taking without bearing the consequences. This is so because these are largely business-to-business firms and they typically do not trade with retail customers, whose data they store and analyze. The Equifax breach and its massive fallout will likely resolve this moral hazard, as regulators are sure to change laws on consumer privacy and protection following this case.
It should be no surprise then that Equifax comes at the bottom of this benchmarking analysis, where keywords demonstrate a general lack of awareness and appreciation for how cyber threats prey on firms of this nature. It is also telling to watch the evolution of risk awareness over the 5-year period across all 3 firms. What is clear across the spectrum, and this is certainly not uncommon for large enterprises, is that growth, shareholders, investors and profitability are key priorities that often trump adequate risk management, which is all too often consigned to a loss prevention or decision avoidance function. In short, risk management is treated like a cost center. This much rings true in this cursory analysis of the 3 major credit bureaus. Adjusting for a more than 30% decline in Equifax’s share price, or $6 billion in market value, however, the often intangible value derived from risk management is made clear. Similarly, the need for a universally accepted measure of the enterprise value of data is made all the more urgent due to this breach.
Confronting risks head-on and certainly disclosing them in annual reports should not be a regulatory requirement, but rather something executives provide in the spirit of transparency, trust building, and as a source of competitive advantage. Risks are complex, but over the 5-year period of this analysis one would be hard-pressed to find a senior executive who was not concerned with the rise and growing interdependency of technology and, with it, cyber threats. Over the same timeframe there have been many major breaches, which, if nothing else, should signal to information technology companies that these risks should be taken seriously.
With Equifax facing massive legal battles and regulatory scrutiny, which will soon see its CEO called before Congress for the usual indignation that follows these large-scale corporate lapses, key questions need to be asked about how the world can mitigate such a systemic threat. The first and last line of defense against complex risks is to have strong corporate value systems and governance standards. Aside from the fact that many systemic firms are hiding in plain sight, perhaps the most enduring management lesson from the Equifax breach is that board members and executives should not wait for regulatory pressure before they begin disclosing a true risk-adjusted picture of their enterprise. Companies that own cyber risk in this manner can gain risk agility instead of being caught flat-footed by so-called surprise events.