Last September Equifax disclosed that attackers had used a flaw in its website software to extract the personal information of as many as 145.5 million Americans. The stolen data included names, Social Security numbers, birth dates, addresses and driver’s license numbers. As a result of the breach, the credit reporting company incurred $87.5 million of expenses and faces dozens of government investigations.
In the aftermath of this breach, corporate boards are seeking greater insight into cyber security risks. According to an article in the Wall Street Journal, more boards are increasing cyber security oversight, weighing how to delegate responsibilities among directors, and pushing for more meetings with corporate security chiefs as they see the fallout from a cyber breach, which includes reputational damage and payment of tens of millions in remediation and legal costs.
“Equifax triggered a reactive review of the thoroughness of our [cyber security] oversight and compliance and of our gaps, and we acted,” said Betsy Atkins, independent director of HD Supply Holdings Inc., in the WSJ article. HD Supply’s board and management devised a response plan, including creation of a bitcoin account from which to pay ransoms, she said. The company had no prior formal procedure for dealing with ransomware attacks, in which hackers stymie computers or freeze access to data and then demand payment for release.
Following Equifax’s breach disclosure, Options Clearing Corp (OCC) initiated an analysis of its cyber security, according to Mark Morrison, chief information security officer at the clearinghouse operator. Findings were sent to the company’s chairman and CEO as well as to the members of the board’s technology committee. “The board wanted to know whether OCC was vulnerable to a similar attack,” said Mr. Morrison.
According to a survey conducted by the National Association of Corporate Directors, more than one in five directors say they are dissatisfied with the quality of cyber risk information that the board gets from management. The survey also indicated that those feeling confident the company they serve is properly secured against a cyber attack fell to 37% last year from 42% in 2016.
In the wake of the Equifax breach, Chairman and CEO Richard Smith resigned. In addition, Equifax’s board recently made changes to the membership of some of its committees, including its technology committee.
Boards must better prepare for crisis, said David DeWalt, former CEO of cyber security firm FireEye Inc., and now vice chairman of the board safety and security committee at Delta Air Lines, to the WSJ. They need to be “prepared with proper talent, proper technology and proper process. Most boards fail on most or all of these components.”
Sources: Wall Street Journal, New York Times