On July 22, 2019, Equifax agreed to pay around $700 million to settle with the Federal Trade Commission (FTC) and the New York State Department of Financial Services (DFS) over the 2017 data breach that exposed sensitive information from nearly 150 million Americans. This will be the largest settlement ever paid for a data breach, almost twice the cost of the Target breach in 2013.
- The DFS Investigation Found Credit Rating Agency Had Inadequate Information Security Practices, Failed to Ensure Safety of Consumer Data and Provided Insufficient Customer Service Following the Breach.
- Equifax to Pay up to $425 Million in Restitution, Provide New York Consumers Credit Monitoring Services, Free Annual Credit Reports for Five Years.
What's the Issue?
"Many organizations say via a survey that cybersecurity is a primary concern for their businesses, but the continual failure of basic cyber hygiene due to businesses' lack of understanding the risk is a constant statistic (Verizon Data Breach). The fines enforced on the credit monitoring agency Equifax are not at all excessive compared to the fraud that will occur over the next twenty years due to the information stolen (no one is changing their SSN, Date of Birth, Driver's License Number, etc.). Additionally, I am sure if we were able to look at both their cybersecurity program budget and the amount of spend on their system patch program compared to the amount being settled, all the executives and directors of the company, in hindsight, wished they could have predicted the extra loss in capital, as well as fixing that patch faster."
- Rich Moore, Former Chief Information Security Officer at New York Life Insurance Company
Although a great deal of technology has been purchased over the past decade to protect organizations, organizations still lack the right intelligence and information flowing to business leaders for decision-making. This failure to get information to the right stakeholders has produced poor risk/reward calculations, risk appetite statements that omit cybersecurity information, incorrect capital reserve calculations, and poor technology management.
What Needs to be Changed?
Organizations will need to change the hierarchy of technology and cybersecurity: these functions must be led by the business, rather than technology leading the business. Providing business stakeholders with the right information to make decisions allows them to agree, based on risk, to take a key system offline for patching, to decide whether to move to a new platform, and, with the right program in place, to respond and recover correctly. Changing this dynamic holds the business accountable for risks, rather than technology or a single CISO; it also helps create better contracts with vendors and gives cybersecurity the ability to work collaboratively with operational risk management.
Don't Feel Hopeless!
The recent news about Equifax can leave many feeling there is no prevention against a data breach, but not everyone becomes a victim. It is highly important to gain proper insight into your organization's security and to be proactive before you become the victim. JustProtect is here to help! We help enterprises identify risks and make better business decisions. Feel free to reach out with any questions you may have.