It was a good news, bad news day at Equifax when they recently announced the breaking news of a steady rise in their most recent quarterly profits. However, another announcement the same day revealed that the ongoing investigation of the cyber breach Equifax had announced in September 2017 produced evidence that millions more consumer records were exposed to hackers than had already been discovered. This elevates the Equifax breach to one of the largest cyber breaches ever.
Generally, corporations are working hard to learn about best practices for strengthening security and putting measures in place to prevent data from being stolen. While it’s ultra-important to have the best possible security measures in place, no security measures are 100% foolproof. That doesn’t relieve boards of the responsibility to disclose breaches and to take responsible action if a hacker breaks through their barriers.
Large cyber breaches make headlines. What makes bigger headlines is how boards and top executives handle disclosures and mitigate the damage, for better or for worse.
Equifax Reveals Breach Is Larger Than Initially Announced
Equifax reported having a 40% rise in profits for the fourth quarter of 2017 as compared with the same time period the prior year. The boost comes in sharp contrast to new reports of the revelation of millions more records that were exposed to hackers in the September 2017 cyber breach.
An ongoing analysis by an external data provider produced new information that an additional 2.4 million records were exposed in the breach. The total of the records affected rose from 145.5 million to 147.9 million. The 2.4 million difference may not sound like much on the surface, until you compare it to the population of Chicago (the third-largest city in the nation), which is 2.7 million.
Equifax agreed to notify those affected and to offer them identity theft protection and credit-monitoring services. The news about compensation came surprisingly quickly considering that Equifax waited weeks before notifying the public about the original breach.
A recent report of insider trading by an Equifax executive reveals an even greater impact to Equifax’s reputation. Jun Ying, former CIO of Equifax in Atlanta, dumped all of his Equifax stock the day before Equifax announced the breach. Ying received $950,000 of the proceeds, which yielded a gain of $480,000. Ying has been charged with violating anti-fraud provisions by the SEC and Georgia federal prosecutors.
Earlier Accounts of Boards That Were Too Slow to Disclose
Uber, the popular ride-share company, became a victim in 2016 when 57 million driver and rider accounts got hacked. Uber is guilty of making the two main blunders in not protecting their contractors and clients.
First, they were extremely lax in their security, as they stored their data on an unsecured third-party server, making their data an easy target for hackers. Second, Uber executives worked diligently behind the scenes to hide the breach while they cut a $100,000 ransomware deal to protect their data and their reputation. Uber waited a year before they disclosed the breach to the public. As if that was not bad enough on its own, executives lied about the breach, saying that it was a set-up to test their system for security. Clearly, Uber didn’t have a strong security plan in place, and they were even less prepared about how to respond after a breach occurrence.
Uber board directors might have taken some cues from mistakes that Yahoo made following two 2016 breaches. Yahoo disclosed in December 2016 that a billion of their accounts had gotten hacked three years earlier. Later accounts revealed that all 3 billion Yahoo accounts got hacked. Yahoo finally took steps to protect their users, such as resetting passwords and encrypting security questions, in December 2016. The news took Verizon by surprise, as they were deep in negotiations to purchase Yahoo. The breaches and how Yahoo handled them drastically reduced the price of the Yahoo sale, by $350 million. The breach also prompted changes in the Verizon sales contract to require additional provisions for appropriate handling of any forthcoming issues as a result of the breaches.
What Cyber Breaches Teach Boards About Best Practices for Security
The best thing that comes from cyber breaches is that they teach corporations how they can better protect themselves. It’s through these trials that we develop best practices for cybersecurity.
The Equifax breach taught us that we shouldn’t be using Social Security numbers and people’s names as key data elements. This is why most banks require multiple forms of data for identification purposes.
Additional security issues developed with the increasing popularity of cloud storage. Boards learned from Uber and other companies that they needed to make sure third-party servers were highly secure.
Yahoo wasn’t even aware that their accounts had been hacked for a long time, which partially led to the delay in disclosing the breach. Yahoo discovered the breach when they discovered that their customers’ accounts were being sold by the hundreds. Boards learned from Yahoo that they need to monitor client activity, continually looking for inconsistencies.
From all of them, boards learned that not being prepared with a basic disclosure notice can cause even further delays as companies wait in a holding pattern for the legal department to give their stamp of approval.
From the top to the bottom, cybersecurity is everyone’s responsibility. Best practices include making cybersecurity part of the corporate culture. Employees in management, development, production, accounting, customer service and every other part of the organization need to be willing to look for potential issues and to be willing to report them immediately. If something doesn’t look right, it probably isn’t.
What Cyber Breaches Teach and Regulations Demand About Board Practices for Disclosure
It’s vital for companies to have a robust cybersecurity system that they monitor and test using third parties as part of a cyber risk avoidance plan. It’s equally important for them to form a cyber response plan that they can implement without delay in the event of a breach.
In some cases, companies may be forced to delay a public announcement because law enforcement officials don’t want to alert the offenders before they’re ready to act. In some states, laws support delaying public announcements while a law enforcement investigation is in process.
Another reason for delaying disclosure has to do with learning about whether the information stolen was financial, medical or personally identifiable, and whether it poses harm to consumers. Most states have laws that cover when and how companies must report a breach.
These issues may pose challenges in reporting a breach as quickly as a board of directors, executives or spokespeople would like. Nevertheless, companies must take these issues into consideration when forming their cyber risk response plans. Boards also need to be aware of any regulations and legal reporting requirements. Companies that aren’t subject to regulations should hold themselves accountable by making their own policies about breach disclosures.
Board directors need to get in front of their message as quickly as they can to preserve the company’s reputation and prevent additional harm. But how?
The best plan is for companies to develop an elevator speech of sorts — a predetermined speech that meets regulations and passes their legal department’s approval so that it stands ready if the company ever needs it.
Finally, it’s important for boards to learn from the mistakes of others. If a breach happens, remember all the important “don’ts.” Don’t lie. Don’t sugarcoat the problem or try to cover it up. Don’t withhold information. And don’t delay making a public announcement any longer than is absolutely necessary.