In September of 2017, Equifax, the largest of the three main credit reporting agencies, announced a data breach that exposed the personal information of 147 million consumers – almost 50% of the U.S. population. Through a known, unpatched security vulnerability, hackers were able to gain access to a vast amount of unencrypted private consumer information, including names, Social Security numbers, dates of birth, credit card numbers, addresses, and even driver’s license numbers.
More than two years after the breach was reported, Equifax has now reached a $575 million global settlement (with the potential to reach $700 million) with the Federal Trade Commission (FTC), the Consumer Financial Protection Bureau (CFPB), and the 50 U.S. states and territories. Based on the agreement, Equifax will allocate $175 million to the 50 U.S. states and territories, $100 million to the CFPB, $300 million to a fund that will provide credit monitoring services for affected consumers, and an additional $125 million fund in the event the initial $300 million is not enough to compensate consumers for their losses.
In addition to paying restitution to the millions of victims of the data breach, Equifax also agreed to provide seven years of free assisted identity restoration services and six free credit reports each year for seven years.
However, financial remedies are only part of the Equifax settlement agreement. Since the FTC alleges that Equifax violated the FTC Act and the Gramm-Leach-Bliley Safeguards Rule (GLBA) by failing to defend sensitive consumer data, the company is required to implement a comprehensive information security program. The program must be maintained for 20 years and protect the security, confidentiality, and integrity of consumers’ sensitive personal information.
This court ruling by the FTC against Equifax is only the beginning of the increased “Standards of Care” required for an organization’s cybersecurity program. As more organizations fall victim to a data breach and become involved in lawsuits or face regulatory actions, the courts will turn to this care benchmark to measure the organization’s practices to determine liability, fault, and punishment. Implementing these minimum Standards of Care set out by the FTC and updating your cyber insurance policies to include some, if not all, of these requirements, will help protect your organization in the wake of an incident.
In Part 1 of our series tracking popular settlement actions and court cases, we’ll take a closer look at the specifics of the information security program required for Equifax and how these requirements may enhance your company’s security program as well.
Increasing Board Responsibility for Information Security
As one of the nation’s largest credit bureaus, Equifax is a treasure trove of sensitive personal data. Its entire business model is founded on collecting large amounts of financial information about consumers from lenders. Yet, despite the compromise of the personal information of over 147 million people, Equifax and its Board of Directors have not been held accountable for their mistakes.
After the initial discovery of the data breach, Equifax concealed the news for roughly a month, which gave executives time to sell their $2 million in shares. Only the agency’s Chief Information Officer, Jun Ying, and a single software developer were found guilty of this insider trading offense.
Richard Smith, the CEO of Equifax at the time, retired with his full $90 million retirement package 20 days after announcing the data breach. Although he was retired at the time, he was the only Equifax executive required to testify before Congress. In each of his hearings, Smith blamed the large-scale breach on a single employee who failed to update the software on the server, even though, according to the complaint filed by the FTC, Equifax never alerted the staff members responsible for resolving that vulnerability. No further legal action has been sought by a U.S. federal agency.
Solution: Make Cybersecurity a Board-Level Conversation
While board members might not have the expertise or the time to uncover potential threats in their organization, they are still responsible for promoting and enforcing the organization’s security health and cyber hygiene. Blame should not fall on outdated software, expired certificates, or “incompetent” employees when a breach occurs. Board members must take the same fiduciary oversight role and responsibility for cyber protection as their IT and security personnel. As part of the Equifax settlement, the Board of Directors must now deliver annual certifications attesting to the company’s compliance with the requirements for an effective information security program.
Furthermore, CISOs need to be part of these board-level discussions, providing an evaluation of the company’s IS program, current threats, and potential solutions for mitigating them. At the same time, board members need to consider cybersecurity when making decisions and provide the necessary investments and direction to meet the needs of the security program. Board members must be proactive in upholding the organization’s cybersecurity best practices.
Implement Sufficient Safeguards and Controls
The source of the Equifax data breach was their elementary failure to patch a known critical vulnerability that left a key system at risk for nearly 5 months. During this timeframe, hackers had unrestricted access to one of the largest consumer databases in the world. Had Equifax implemented basic security controls that addressed these security issues, the data breach could have been prevented.
This data breach is fundamental proof of the importance of designing, implementing, and maintaining proper information security safeguards and controls to protect sensitive data. These controls must be commensurate with the volume and sensitivity of the personal information at risk and supported by compensating controls (e.g., a data classification program). A few examples of proper controls include:
- Patch management policies and procedures, including timelines for addressing vulnerabilities
- Network protection and monitoring appliances for all systems, including legacy systems
- Password and authentication controls
- Segregation of networks
- Annual security awareness training for all employees
- Secure code training for all software developers
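The first control in the list above, patch management with defined timelines, is the one Equifax most visibly lacked: a critical fix sat unapplied for months. A remediation timeline is only useful if something checks it. The following is an added example, not code from this article, from Focal Point or from Equifax; it evaluates a small, constructed vulnerability inventory against assumed per-severity remediation deadlines and lists every unpatched finding that has exceeded its deadline. The host names, CVE-style identifiers, dates and SLA day counts are all placeholders.

```python
"""Patch-timeline check: flag open vulnerabilities that have outlived the
organization's remediation deadline for their severity.

Added example (not from the original article). SLA values, hosts, identifiers
and dates below are constructed placeholders, not a published standard.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

# Assumed remediation deadlines in days, counted from the date the
# vulnerability became known to the organization (placeholder policy).
SLA_DAYS = {"critical": 15, "high": 30, "medium": 90, "low": 180}


@dataclass
class Finding:
    host: str
    vuln_id: str            # placeholder identifier, e.g. a CVE number
    severity: str
    known_since: date       # date the finding was disclosed/detected
    patched_on: Optional[date] = None   # None means still open


def days_open(f: Finding, as_of: date) -> int:
    """Days between disclosure and the patch date (or 'as_of' if unpatched)."""
    end = f.patched_on or as_of
    return (end - f.known_since).days


def sla_limit(severity: str) -> int:
    # An unrecognized severity is treated as critical so it is never
    # silently ignored by the check.
    return SLA_DAYS.get(severity.lower(), SLA_DAYS["critical"])


def overdue(findings: List[Finding], as_of: date) -> List[Tuple[Finding, int]]:
    """Return (finding, days_past_sla) for every unpatched finding that has
    exceeded its deadline, most overdue first."""
    out = []
    for f in findings:
        if f.patched_on is not None:
            continue                      # already remediated
        late = days_open(f, as_of) - sla_limit(f.severity)
        if late > 0:
            out.append((f, late))
    out.sort(key=lambda t: t[1], reverse=True)
    return out


def report(findings: List[Finding], as_of: date) -> List[str]:
    """Human-readable lines for a ticket, dashboard or board summary."""
    return [
        f"{f.host} {f.vuln_id} ({f.severity}): open {days_open(f, as_of)} days, "
        f"{late} days past the {sla_limit(f.severity)}-day SLA"
        for f, late in overdue(findings, as_of)
    ]


# Constructed sample inventory (placeholders only).
AS_OF = date(2024, 6, 30)
SAMPLE_FINDINGS = [
    Finding("app-01", "CVE-0000-0001", "critical", date(2024, 3, 10)),
    Finding("app-02", "CVE-0000-0002", "high", date(2024, 6, 10)),
    Finding("db-01", "CVE-0000-0003", "medium", date(2024, 1, 15), date(2024, 2, 20)),
    Finding("web-03", "CVE-0000-0004", "high", date(2024, 5, 1)),
]

if __name__ == "__main__":
    for line in report(SAMPLE_FINDINGS, AS_OF):
        print(line)
```

Run as a script, the report shows only app-01 and web-03: app-02 is still inside its 30-day window and db-01 was patched. In practice the inventory would come from a vulnerability scanner or asset database, and the report would feed the ticketing system so that an overdue critical patch becomes a tracked exception rather than something a single employee is expected to remember.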
Solution: Adopt a Cybersecurity Framework
While no organization is immune to cyberattacks or data breaches, organizations that lack an adequate security policy are at an elevated risk. Adopting a security framework, such as NIST CSF or ISO 27001/02, can provide a foundation for modeling your organization’s security controls and help develop a well-structured approach to addressing and managing potential threats.
According to Gartner, over 50% of U.S.-based organizations will use the NIST Cybersecurity Framework as the core component of their enterprise risk management strategy by 2020. The NIST CSF organizes the activities used to assess and manage risk into five key functions:
- Identify
- Protect
- Detect
- Respond
- Recover
This information can then be shared with senior management, such as board members, CISOs, and senior executives, to provide insight into the current security posture of the organization.
Although there might not be a single, perfect solution for building policies and procedures to avoid a potential attack or breach, a cybersecurity framework can provide a solid starting point.
Designate a Qualified CISO
Just one week after the Equifax breach in 2017, Susan Mauldin, the Chief Security Officer, stepped down from her position following widespread criticism of the company’s security program. Mauldin had previously worked as the CSO at two other large companies prior to Equifax, but made a major mistake in allowing a patch for critical software to go unapplied for so long. The Ponemon Institute cites that 57% of all breaches are caused by basic vulnerabilities (e.g., patching), yet only 32% of CISOs would put their focus on these basic security functions if they had the time.
Furthermore, due to personnel conflicts 10 years prior, the CSO position at Equifax reported to legal instead of the CIO, leading to a communication divide. Since the breach, the CSO position has now transformed into a CISO role and that individual, Jamil Farshchi as of February 2019, reports directly to the Equifax CEO. This direct relationship between the CISO and CEO allows for clearer, more frequent communication around key risks, better equipping the CEO to make enterprise-wide security decisions.
Solution: Understand the Role of the CISO
CISOs are an incredibly important resource responsible for executing and overseeing a company’s cybersecurity strategy. Having a strategic leader in place to guide your Information Security program can help prevent a future data breach or set the path to success in the aftermath of one. In addition, boards and executive leadership are demanding more insight into information security, and CISOs have the technical and management acumen to translate security program objectives into business terms for the board to make strong investment decisions.
CISOs typically lead and oversee the following responsibilities:
- Security Architecture: Planning, buying, and implementing security hardware and software, and ensuring existing infrastructure is updated
- Incident Response and Disaster Recovery: Developing a response strategy to security threats and breaches, including response to executives, customers, and the public, and taking the necessary steps to avoid a future breach
- Program Management: Developing policies and procedures that protect business functions without interrupting daily operations
- Identity and Access Management (IAM): Ensuring only authorized personnel have access to specific networks and systems
- Security Operations: Monitoring the IT environment for vulnerabilities and expired certificates, and implementing the necessary solutions to mitigate and prevent potential risks and threats
- Cybersecurity Liaison: Presenting potential security problems and solutions to the Board of Directors to ensure proper communication and awareness of the organization’s cybersecurity posture
Conduct a Periodic Risk Assessment
As detailed in the 96-page Congressional report released in December of 2018, Equifax failed to apply routine security updates, and attackers had access to the database for 76 days before the company discovered the breach. During the Congressional hearing in October 2018, Equifax’s former CEO, Richard Smith, even said that he met with the company’s security and IT executives only quarterly to discuss their cybersecurity strategy, and admitted that the company’s software patching operation was insufficient.
As a result, Equifax is now required to conduct annual assessments of its internal and external security risks and must implement safeguards to address potential risks, such as patch management and security remediation policies, network intrusion detection mechanisms, and other protections. These annual risk assessments are meant to identify the threats and vulnerabilities to the security, confidentiality, and integrity of consumers’ personal information. A proper security risk assessment will help answer these important questions:
- What are the organization’s most important critical information technology assets and which business processes utilize this information?
- What cyberattacks, cyber threats, or security incidents could affect the ability of the business to function?
- What are the organization’s internal and external vulnerabilities and what would be the impact if those were exploited?
- What is the level of risk the organization is comfortable taking?
Once your organization understands the critical information that needs to be protected, a risk assessment policy can be created to define what the organization must do periodically (annually, or within 45 days of a covered incident), how risk is to be addressed and mitigated, and how the organization must carry out risk assessments for the IT infrastructure.
Solution: Implement a GRC Tool
As the epidemic of cyber threats and data breaches continues to grow, organizations need a solution to help manage risks and controls and reduce the burden of compliance on internal security teams. The best way to manage governance, risk, and compliance (GRC) at an organization is to establish a GRC program that streamlines existing tasks so that they all work toward the same goal.
GRC ensures the right people get the right information at the right time, that the right objectives are established, and that the right controls are in place to address any uncertainty. A well-configured GRC tool should offer the following capabilities:
- Content management
- Document management
- User event input/output, distribution, and communication
- Risk analytics
- Risk and control management
- Workflow management
- Audit management
- Dashboards and reporting
- Regulatory change management
An effective GRC program will integrate processes and technology that were once in silos, and reduce costs, duplication of activities, and impact on business operations.
Perform a Biennial Assessment with an Independent Third Party
Six months before the Equifax breach went public, the credit agency hired a third-party consulting firm to assess their systems after they faced an initial security incident. The consulting firm had warned Equifax about multiple unpatched and misconfigured systems, but after disregarding their advice, Equifax suffered a catastrophic breach months later.
Now, Equifax is required to obtain a third-party assessment of its information security program every two years, and the FTC is authorized to approve or reject the assessor that Equifax selects for each two-year assessment period. Under this order, the third-party assessor must specify the evidence that supports its conclusions and conduct independent sampling, employee interviews, and document reviews. Equifax must also ensure that the third party fulfills its obligations to protect the personal information it handles and that all practices are thoroughly documented. In addition, Equifax is required to provide an annual update to the FTC regarding the status of the consumer claims process.
Solution: Contract a Third Party to Perform a Regular Independent Assessment
Third-party security assessments are independent evaluations performed by a security vendor to learn more about how and where an organization’s data is being used or stored, who has access to it, and whether the data is encrypted. These assessments provide an outside opinion of an organization’s security processes, sometimes assessed against a framework like NIST or ISO, or regulations like HIPAA.
In Equifax’s case, certain vulnerabilities were detected by the third-party assessor, but no action was taken to remediate those issues. Having a third-party assessment completed on a regular basis will help ensure your organization’s critical data is protected and your key security systems are operating effectively.
Complete an Annual Evaluation of the Information Security Program
Based on the requirements specified by the FTC, Equifax is required to test and monitor the effectiveness of their information security program and update the policies on an annual basis. This update should be based on the results of management reviews, information security policy compliance, recent trends related to current threats and vulnerabilities, reported information security incidents, and recommendations provided by relevant authorities.
Solution: Engage an Internal Audit or Compliance Group
Any company in any industry can be a target of a data breach. Applying the appropriate administrative, technical, and physical safeguards through an information security program can help reduce this risk and ensure the confidentiality, integrity, and availability of your consumers’ sensitive personal information and your organization’s important data. Although an information security program provides a holistic roadmap for effective security management practices, these policies should also be formally reviewed annually for effectiveness by your internal audit or compliance group.
This assessment will ensure the continued suitability, adequacy, and effectiveness of the information security management approach and ensure it aligns with the rest of your risk management program. It will also certify that any new information security controls that have changed to meet the business needs still align with the information security principles.
Because of Equifax’s lax and negligent information security standards, 147 million consumers are at risk of identity theft. Equifax overlooked basic security processes and learned firsthand how devastating those consequences can be for both the organization and the consumers whose information they store. Only when organizations make information security a serious priority can they protect their critical data and reduce the risk of being hacked.
Although organizations will always be at risk of a data breach, applying basic cyber hygiene and incorporating recognized security standards can help prevent your organization from becoming the next Equifax.