When It Comes to Cyber Breaches, Just Stop Digging

The iconic American humorist Will Rogers once said, “If you find yourself in a hole, stop digging.” It is a timeless expression that is as applicable today as it would have been decades ago when Rogers first uttered those words. In the age of social media and endless news cycles, politicians, other public figures, and well-known companies can find themselves in a hole without warning. Too often, their instincts are to just keep digging.

The latest company that’s failing to heed Will Rogers’ sage advice is Equifax. At a time when announcements about a new cyberattack have become almost routine, Equifax’s disclosure of a breach that compromised information relating to about 143 million of its customers was shocking. In a single, massive hack, names, Social Security numbers, and other personal data were exposed for more than 40 percent of the U.S. population.

The response to the breach by the Atlanta-based credit-reporting agency has been less than stellar. The company took the expected steps of setting up a website, offering free credit monitoring and identity-theft protection for affected customers, and offering apologies with a promise to do better.

However, Equifax has struggled to manage the fallout, with seemingly new revelations compounding its woes on a daily basis.

• Shortly after Equifax publicly announced the breach on Sept. 7, allegations emerged that three Equifax executives sold company stock not long after the breach was discovered, which if true, raises questions about possible violations of insider trading laws.
• On Sept. 8, the company came under fire for requiring arbitration — or a waiver of the right to join a class action suit — for anyone accepting their credit monitoring and identity theft protection offer.
• On Sept. 11, the company backed off the requirement.
• That same day, the U.S. Senate Finance Committee sent a letter to Equifax Chairman and CEO Richard F. Smith seeking information on the breach and Equifax’s reaction to it. Significantly, the Senate committee also is asking what the company did in advance of the breach to test its vulnerability to cyberattacks, and how it responded to the theft of W-2 tax data from one of its subsidiaries, TALX, earlier this year.
• On Sept. 12, Smith wrote an op-ed in USA Today where he apologized and promised to do better. “We are devoting extraordinary resources to make sure this kind of incident doesn’t happen again. We will make changes and continue to strengthen our defenses against cybercrimes,” Smith wrote.
• On Sept. 15, a letter signed by 36 senators urged the U.S. Justice Department, Securities and Exchange Commission, and Federal Trade Commission to “spare no effort in your investigations and in enforcing the law to the fullest extent.”

It’s hard to imagine a more damaging week for Equifax’s reputation. While nothing could undo the damage resulting from the massive breach, the company’s response has seemingly been to break out the shovels. As Information Age has observed, “When a breach is discovered, it is essential to act comprehensively and quickly, or it may expose the business to greater liability.” The publication offers 6 Critical Steps to Deal with a Cyberattack:

• Mobilize an incident response team.
• Stop the breach and focus on business continuity.
• Launch a thorough investigation and get answers.
• Manage public relations.
• Address legal and regulatory requirements.
• Prepare to incur liability.

It is important to understand that these steps are interrelated, and doing one or more poorly can affect the others.

There are many unanswered questions about the multiple Equifax hacks, the company’s response to them, the company’s commitment to protecting personally identifiable information (PII), and the suspect sale of stock by its executives.

One thing that is clear is that Equifax has failed to manage the fallout well. The message that the company is accountable and diligently working to address the problems is falling on deaf ears. It is being drowned out by suspicion that company leaders profited from the data breach and questions about the company’s commitment to protect its customers.

As internal auditors, we have obligations that extend far beyond assurance that our companies’ cyber controls are effective. No one can provide absolute assurance that a cyberattack will not hit their organization. So, we must also assess the organization’s readiness to address a cyber breach when it inevitably occurs. Otherwise, company executives may be prone to just keep digging.

We should help our organizations to learn from the mistakes that plague so many others when it comes to responding to cyber breaches or any other 21^st century crisis. For as Will Rogers also noted, “Good judgment comes from experience, and a lot of that comes from bad judgment.”

As always, I look forward to your comments.