Amid a growing number of corporate cyberattacks, almost every public company can learn from the trials and tribulations that the Equifax Inc. (EFX) board of directors and management endured following a massive security breach that compromised the personal information of 143 million Americans.
A recent study by PwC found that the number of security incidents across all industries rose by 38% in 2015, marking the biggest increase in more than a decade. In 2016, the U.S. Department of Justice, LinkedIn, the Democratic National Committee, Yahoo and others were hacked.
With the understanding that cyberattacks are a risk that every company faces, C-suite executives and the board of directors need to have a plan in place to deal with such an incident.
"[Cybersecurity] needs to be a regular topic of discussion, particularly for an industry with sensitive information," David Finke, who leads the global technology sector at the executive search firm Russell Reynolds Associates, told TheStreet in a recent interview.
According to the 2017 BDO Cyber Governance Survey, about 79% of public company directors report that their board is more involved with cybersecurity than it was 12 months ago.
"The continuing year-over-year increases in board involvement and investments in cybersecurity are extremely positive, but the percentage of businesses with breach response plans in place - although much improved from two years ago - is still far below where it needs to be," Eric Chuang, managing director of cyber incident response at BDO USA, said in a statement.
As companies develop strategies for their cybersecurity, TheStreet examines some of the biggest issues Equifax dealt with following its most recent cyberattack.
Equifax disclosed on Sept. 7 that the names, addresses, birthdays and Social Security numbers of 143 million U.S. customers were compromised in a cyberattack that the Atlanta-based credit-reporting company discovered on July 29. Equifax said hackers accessed the information starting on May 13, but the Wall Street Journal reported that the first "interaction" with hackers happened on March 10. The company registered the domain name equifaxsecurity2017.com, the website Equifax directed customers toward to learn more about the breach, on Aug. 22, more than two weeks before the hack was publicly disclosed, according to the Wall Street Journal.
"Once Equifax discovered [the cyberattack], why did it take so long to become public?" asked Warren Zafrin, a management and technology consultant at UHY Advisors.
Zafrin said that when the now-retired Chairman and Chief Executive Officer Richard Smith goes before Congress on Oct. 4, the company's transparency toward consumers and shareholders will be the primary line of questioning. He said that the delayed disclosure of the incident just "doesn't make sense" and demonstrates a level of incompetence.
"It just doesn't sound kosher," Zafrin said.
In his statement disclosing the cyberattack, Smith, 57, acknowledged that while the company had made "significant" investments in data security, it still needs to do more.
"We recognize we must do more. And we will," Smith said in a statement.
The company also said it has engaged an independent cybersecurity firm to "conduct an assessment and provide recommendations on steps that can be taken to help prevent this type of incident from happening again." It didn't name the company.
TheStreet asked Equifax what investments the company has made in data security, how much it has spent and what changes it is planning to make. Equifax didn't respond to our investment questions.
According to the BDO Cyber Governance Survey, about 78% of directors say they have increased company investments to defend against cyberattacks, up from 55% in 2014.
Even U.S. Securities and Exchange Commission Chair Jay Clayton told a Senate panel on Tuesday that the agency will "need more money in the area of cybersecurity and IT generally," after hackers breached its system in 2016.
RELATIONSHIP WITH CISO
Shortly after the cyberattack, the company announced that Susan Mauldin, Equifax's chief security officer when the data breach occurred, would be retiring, effective immediately. But since Mauldin left, "chaos has ensued," Edward Amoroso, a distinguished research professor at New York University's Tandon School of Engineering, said in a recent interview with TheStreet.
"When somebody gets hacked like [Equifax], wouldn't it stand to reason that having someone with some real insight may be worth keeping?" asked Amoroso. Russ Ayres, who served as vice president in the IT organization, was appointed interim chief security officer.
Amoroso, who served as chief security officer for AT&T Inc. (T) between 2005 and 2016, said that the chief information security officer (CISO) is often viewed as an appendage to the executive team, a "hired gun" who may be more likely to leave.
"The solution is that the CEO needs to build a better, more trusting relationship with the CISO," said Amoroso.
Editors' pick: Originally published Sept. 26.