Five simple questions for Equifax’s CEO. Forget the “sorry”. Were you prepared?
By Charles Lankester, EVP, Global Risk & Reputation Management, Ruder Finn
The most recent corporate drama to play out on our various screens is Equifax’s catastrophic data breach, which saw 143 million confidential consumer records hacked.
Let’s put that in context: the names, Social Security numbers, birth dates and addresses of close to 45 percent of the entire population of the United States have been compromised.
If this wasn't bad enough, we are now being subjected to the usual depressing, predictable corporate playbook in terms of Equifax's response. Company “working closely” with FBI. Check. Senior executives fired—or in this case, conveniently “retired”—check. Cybersecurity firm (Mandiant) appointed to undertake “comprehensive forensic review”. Check. CEO says sorry. Check.
But in this case, sorry really isn’t enough.
Equifax allegedly knew about their vulnerability months ago but "apparently didn't apply an available patch quickly enough". Shareholders have seen their EFX stock plummet 35 percent from US$142 to US$94 in the days since the news became public. Morgan Stanley forecast (September 15) a potential “bear case” share price of just US$50. And there are dozens of prior hack cases Equifax could have learned from to at least be better prepared. Yahoo’s billion-user hack is just one example.
Don’t get me wrong, bad things happen. I am sympathetic to Equifax’s predicament.
But the big question is, as well as being “sorry”, did Equifax really, genuinely and properly prepare for a breach scenario that a first-grader could have forecast? What’s the point in “appointing” Mandiant after the breach? (Stable door, horse, bolt, field etc.)
The following simple questions will throw some welcome daylight onto a) how prepared Equifax was and b) how seriously it took what, in 2017, is a no-brainer risk.
I encourage all consumers, shareholders and others affected to present these five questions to the Equifax CEO:
- Does Equifax have a risk committee? Who has/had responsibility for cyber risk?
- Do you, or a colleague, have a proposal dated prior to the current hack from a recognised cybersecurity company (such as Mandiant) to undertake a complete audit and breach test of Equifax’s data and system security?
- Did you proceed with this proposal? If no, why not? If yes, what recommendations were made?
- When did you last undertake a multi-stakeholder data hack/breach simulation? Did this include the authorities you are now “working closely” with? Did it see the personal involvement of Equifax's CEO, CFO and COO?
- Did any colleagues in your IT (or related) departments express their concern about Equifax’s preparedness for a future large-scale data hack, or cyber-security threat, either verbally or in writing in the weeks, months or years prior to the attack?
I sincerely hope these questions are easily answered and Equifax will be able to demonstrate it had done everything in its power to mitigate and avoid the data breach 143 million people have just suffered. But my suspicion is that this will not be the case.
But it’s all OK! Equifax is “sorry”, the people responsible have “retired” and “lessons will be learned”.
Here's a crazy idea though: isn’t it about time we ask corporations to focus more on “we’re ready” rather than “we’re sorry”?
I am a realist. It’s likely nothing will change. But maybe the Equifax case just might surface some questions that make other corporations think—what if this was us?
Because the chances are increasingly likely that, one day, it will be.
(This article originally appeared on 19 September, 2017 in Campaign Asia.)
Communications and Marketing Leader | Board Director | Technology Storyteller
7 years ago: Spot on as usual Charles. And it's only gotten worse since.
Active Lifestyle | Digital| Sports | Development
7 years ago: Great article Charles and absolutely on point...
Global Strategic Communications Leader
7 years ago: Great article Charles. As soon as company boards and shareholders realize cybersecurity is more of a management issue and less of a technical issue, the better everyone will be.