NEW YORK (Reuters Breakingviews) - When Americans are hacked, they turn to three big consumer-credit agencies for help with identity theft. What happens when one of them, Equifax, is hit by hackers who steal sensitive personal information on 143 million people?
One answer was quickly made clear: investors get spooked. Shares in Equifax, with a market value of $17 billion at Thursday’s close, tumbled 15 percent when they started trading on Friday. That’s a bigger hit than was suffered by retailer Target after it revealed a huge security breach in 2013, or Yahoo, where over 1 billion users were potentially affected. And so it should be. The theft of Social Security numbers and other information over a period of more than two months is a direct hit to Equifax’s primary business.
The company said its core databases weren’t affected, presumably avoiding even more damage. Chief Executive Rick Smith sounded apologetic on video, and Equifax set up the now-standard free – if slightly ironic here – credit monitoring for anyone possibly affected.
Committed hackers can get into almost anything, but the best possible defenses, detection systems and response plans minimize break-ins and their consequences. In this case, it’s worrisome that consumers had to wait six weeks for Equifax to go public. It’s also not the first warning for the industry. Rival Experian experienced a smaller intrusion two years ago.
Boards are not yet paying enough direct attention. According to its 2017 proxy statement, an Equifax technology committee made up of five non-executive directors is responsible for cyber security. In this case, there’s also the unseemly spectacle of insiders, including the finance chief, selling stock days after the hack was discovered. The company says the individuals weren’t aware of it at the time.
As more details emerge, Smith’s job could be on the line. It also may be time to shake up the mix of directors and committees at Equifax. The scale of the breach just might be enough to startle laggard boards – and investors – elsewhere into more aggressive action.
A broader question is whether cyber rules should be tightened for companies stewarding confidential information. After the Enron scandal, lawmakers required better disclosure and internal processes, as well as greater accountability in the form of the controversial Sarbanes-Oxley law. And the Exxon Valdez oil spill spurred anti-pollution legislation. Equifax provides a similar opportunity for important change.
Reuters Breakingviews is the world's leading source of agenda-setting financial insight. As the Reuters brand for financial commentary, we dissect the big business and economic stories as they break around the world every day. A global team of about 30 correspondents in New York, London, Hong Kong and other major cities provides expert analysis in real time.
Sign up for a free trial of our full service at https://www.breakingviews.com/trial and follow us on Twitter @Breakingviews and at www.breakingviews.com. All opinions expressed are those of the authors.