Equifax Inc.'s (EFX) - Get Report decision to replace CEO Richard Smith was probably inevitable, given the credit-scoring firm's poor response to a cyber-attack that exposed the personal data of 143 million consumers.
Seeking an outsider to fill the job isn't -- but it's much more likely than not, Wall Street analysts say.
While interim CEO Paulino do Rego Barros, who took over from Smith on Tuesday, Sept. 26, is making the right moves with a detailed apology and the introduction of a free service that will let consumers block their credit files for life, the Atlanta-based company's board will probably still look for an external finance veteran to regain market trust, said Keith Snyder, an analyst with CFRA Research.
"I believe it will be someone with a strong cyber-security background, or at least someone who has a good understanding of cybersecurity," he said in a telephone interview. "That will send a message to consumers that they're really taking steps to protect data in the future. That's what they need to do regain consumer confidence."
Regaining its credibility is crucial for a firm facing a growing backlash from consumers, regulators and lawmakers. Equifax, which competes with TransUnion (TRU) - Get Report and Experian Plc (EXPGF) in gathering data used to determine whether would-be borrowers qualify for loans from credit cards to mortgages, has been berated not only for failing to prevent the breach but for insufficient efforts to help victims afterward.
Equifax shares have tumbled 25% to $106.06 since the hack was disclosed as lawsuits mounted, the U.S. Department of Justice began an investigation and lawmakers proposed tightening regulations on the firm and its rivals.
Hearings before both the House Financial Services Committee and the Senate Banking Committee have been planned, and Sen. Elizabeth Warren, a Massachusetts Democrat, joined Brian Schatz of Hawaii in introducing a bill that would require the credit-reporting giant and its two biggest rivals to freeze credit files whenever consumers make a request -- for free.
The Equifax hack, which involved personal data including Social Security and driver's license numbers as a well as birth dates -- all common proofs of identity sought by lenders, "is a nightmare," Warren wrote Wednesday in a column for Fortune magazine.
"At best, it's a giant hassle -- time on hold with the credit-reporting agencies, fees for this service and that service, confusion about what's been stolen and what to do about it," she said. "At worst, it could be ruinous -- a lifetime of responsible spending and borrowing wiped out by identity theft and fraud. People are outraged."
Equifax's initial response, rather than alerting affected consumers individually, was to request that people log onto its website, where many were told only that their data might have been involved and offered a free year of the company's credit-monitoring service. Opting for the service, initially, required giving up the right to sue the company and agreeing to an automatic renewal of the service at its regular price.
Although Equifax later removed those conditions, the fallout led to Smith's departure and his agreement to give up an annual bonus payment this year that had totaled more than $3 million each of the past two years.
Smith, 58, also agreed to wait for the conclusion of the board's review of the data theft and the company's response to determine what, if any, severance payment he might receive, according to a regulatory filing.
The former CEO will serve as an unpaid adviser to Equifax as its board evaluates candidates for his old job from inside and outside the company.
"We would not be surprised if Equifax leans toward an external candidate" with a fresh perspective, Manav Patnaik, an analyst with Barclays Plc (BCS) - Get Report , said in a note to clients after Smith's departure. "A well-respected financial services veteran (and former Equifax customer) could give Equifax some credibility in helping re-establish the brand with all key constituents."
While Equifax's market value increased four-fold in the 12 years that Smith ran the company, it's no surprise "that the board and Mr. Smith agreed to the change in leadership post this major negative event," Toni Kaplan, a Morgan Stanley (MS) - Get Report analyst, said in a note to clients.
"Equifax's stock performance in the near-term will be tied to how it responds and comes back from the breach -- i.e., reassuring corporate clients that its security is sound, mending its reputation with consumers, etc. -- as well as factors outside of its control -- i.e., regulation, legislation," Kaplan wrote. "We believe these questions are better off answered by a new CEO who was not at the helm for the original breach -- and the company response that has received significant backlash in the days since."
The interim CEO, whom Barclays had viewed as a likely successor to Smith before the cyber-attack, conceded in a column in the Wall Street Journal on Thursday that his company had failed to live up to expectations.
"We were hacked," he wrote. "That's the simple fact. But we compounded the problem with insufficient support for consumers. Our website did not function as it should have, and our call center couldn't manage the volume of calls we received. Answers to key consumer questions were too often delayed, incomplete or both."
Barros promised to correct both problems as quickly as possible.
"I've told our team we have to do whatever it takes to upgrade the website and improve the call centers," he wrote. "We will make this site right or we will build another one from scratch. You have my word. The same goes for the call centers. There is no excuse for delayed calls or agents who can't answer key questions. We will add agents and expand training until calls are answered promptly and knowledgeably."
The free service that Barros also promised in the column, slated to begin on Jan. 31, is something the company badly needed to do, said CFRA's Snyder.
"Unlike other breaches, in this case, the cat's out of the bag," he said. "In past breaches, it has been credit card numbers. Credit cards, obviously, are easy to replace. Social Security numbers, not so much."
While there's a chance that regulation of credit bureaus will be tightened in the aftermath, Snyder added, Congressional gridlock makes that less likely. More immediate repercussions might be decreased earnings, particularly if creditors who purchase Equifax data push the company to accept financial responsibility for fraud claims.
"Everyone's got to protect themselves" from cyber-crime, said JPMorgan Chase & Co. (JPM) - Get Report CEO Jamie Dimon, whose company -- the largest U.S. lender -- contacted the credit-scoring firm about the theft's impact.
"My view is always, 'Let's work with the customer first and make sure they're protected,'" he said at a New York conference earlier this month. "And, you know, with the Equifax thing, JPMorgan is going to be fine. You know, it may cost a little bit of money, but it's not going to be anything material."
More of What's Trending on TheStreet:
- PayPal's Stock Has Blown Away Facebook and Google This Year for One Big Reason
- Microsoft's New Xbox One X Shows It's Done Trying to Please Everyone
- How to Invest Like Billionaire Warren Buffett
- A 401(k) Loan Is a Terrible Idea Until It Isn't
Editors' pick: Originally published Sept. 29.