Equifax Board Needs a Security Dream Team
When a company's primary mission is to collect the most sensitive financial information of more than a hundred million consumers, it goes without saying that protecting that data from digital predators should be a top priority of the board.
The disclosure by the credit-reporting agency Equifax earlier this month that it may have exposed the personal information of 143 million people naturally throws a spotlight on how the board approached security issues. While it's hard to accuse the board of gross laxness, its relatively infrequent meetings, the tenure of its members and the composition of the five-member committee responsible for cybersecurity suggest weak spots and the need for more effective leadership on data protection if the company is to recover from the scandal and restore confidence in its systems.
Much of the fault for the data breach, such as why the company failed to implement what appears to be a key security patch recommended by Cisco earlier this year, most likely lies beyond the board's responsibility. It's not clear when the board learned about the hack and whether it made the decision to wait more than a month to alert the public. A previous hack, suffered five months earlier, which Bloomberg first reported on Tuesday, was never previously disclosed. Neither Equifax nor any of the directors contacted for this column returned calls for comment.
Equifax's board seemed more prepared than most to address cybersecurity. Unlike the other two main credit-reporting agencies, it has a separate technology committee, which in the past year was specifically given the mandate to "focus on technology-related risks and opportunities, including data security," according to updated language in the company's most recent proxy statement. At least one of its members, Mark Templeton, most likely had considerable experience thinking about cybersecurity. He stepped down as CEO of networking software company Citrix Systems Inc. in 2015.
The expertise of the other members, however, lay elsewhere. The head of the committee, John McKinley, had been a top technology executive at News Corp. but spent much of the past five years in the senior-care services industry. Another was a retired accountant, and yet another was a paper-products executive. The company's proxy statement listed the expertise of all the members of its board. Technology was listed as an expertise of three of the five technology committee board members (all five would seem like a no-brainer, right?). Risk management was listed as an expertise for nearly all of Equifax's 11 board members except for three. Where did they serve? You got it, the technology committee.
In addition, Equifax's board failed to meet as regularly as most. Last year, it met just six times, or two fewer than the average S&P 500 company, based on a survey by search firm Spencer Stuart. Equifax didn't disclose how many board meetings it had in 2015. In 2014, the company's board met just four times. Worse, the board's executive committee hasn't held a single separate meeting since at least 2010. The proxy materials say the committee meets as part of the regular board meetings.
Another problem could have been the tenure of some of Equifax's board members. Corporate governance experts warn entrenched boards may no longer question management. In 2016, the average board tenure of S&P 500 companies was 8.2 years. At Equifax, it's 9.3 years. One member, L. Phillip Humann, joined Equifax's board in 1992. Templeton, the technology CEO, has been on the board since 2008.
It is always hard to pin blame on boards, and there were no gaping holes at Equifax after the fact, only small ones, which makes the data breach so frustrating. In the digital age, that's all it takes for a disaster. Equifax's board needs a cybersecurity dream team. When your company's business is collecting everyone's most vital information, the board's top business should be making sure it stays safe.