The board of Equifax is an easy target as consumers, investors, regulators, and media outlets look to assign blame for the company’s massive data security breach, which exposed the sensitive information of an estimated 143 million individuals. While further investigation will likely reveal a significant lack of oversight or execution (both on the part of management and possibly the board), we’re focusing now on what little information we have:
- Can we pinpoint any lack of preventative measures or missteps by the board?
- What can other boards learn from the incident at this early stage?
Equifax Board Governance & Composition
On a quick review of the Equifax proxy statement, one will find that most of the prudent governance, risk, and organizational boxes are checked. The board appears to be relatively diverse in age and gender (although lacking in race) with an excellent mix of skill sets; many of the directors spent their careers either in technology-related industries or at companies where data security was paramount.
The Equifax board has a technology committee (which you don’t see on every board) charged with at least some responsibility for data security oversight. Chairing the technology committee is a 51-year-old data and IT executive with an “extensive background in managing complex global technology operations as Chief Technology Officer at a number of leading global companies.” Finally, the company’s enterprise risk management disclosure was enough to put most investors at ease, describing a program specifically targeting technology, privacy, and data security.
So what happened? At a time when board composition and disclosure are presented as the board’s best safeguards to a range of corporate crises, what lessons can be gleaned from the Equifax debacle—despite the board’s perceived preparedness in these areas?
Disclosure vs. Action
In each annual proxy, boards disclose their governance practices—from director succession planning to risk management—which serves to reassure investors (large and small) that their assets are in safe hands. Yet, the Equifax breach presents us with a scary prospect: How many companies have failed to do what they say?
“I know investors are pushing for more disclosures and having boards go through their thought process to determine how they’re going to tell their story can be a beneficial exercise for both sides,” said TK Kerstetter, former chairman of NYSE Governance Services and host of Inside America’s Boardrooms. “It should also be recognized that companies and their counsel are masters of creating the right disclosure language, and it doesn’t mean they execute the way they infer they do.”
Unless you are in the boardroom to see how business and committee meetings are conducted, said Kerstetter, it will always be difficult to get your arms around how a board executes its responsibilities.
As the Equifax investigations and lawsuits continue, we may hear some discoverable facts related to board minutes, emails, and who knew what, when. When that happens, experts or maybe even the courts will make a final judgment on whether the board prudently performed its duties or failed its investors and customers. All companies and boards should be prepared to demonstrate in more detail how their safeguards and oversight programs are actually being implemented, particularly in any future one-on-one engagements with major investors.
The Questions at Hand
Here are some of the questions that will be asked of Equifax, the board, and its management (especially the three executives who sold stock prior to the public announcements):
1. Who knew what, when?
As both internal and external investigators review emails, board minutes, and other related documents, they should be able to establish a timeline of discovery, including the facts about what actions were taken before, during, and after the information became public.
2. Did the board and management identify and invest in protecting the company’s most valuable assets as best they could?
The answer to this may never be made public (even after an investigation), but it is one of the foundational tasks of data security. No corporation has an endless budget for cybersecurity, so investments must first protect the most important assets and then work down the list.
3. Where was the technology committee and why wasn’t a process or procedure in place to implement patches or issue public disclosure more quickly?
At this point, we don’t know whether the board failed to oversee sufficient policies and data security procedures or if those policies and procedures were instituted and then just ignored by management. Also, did the board have a crisis plan in place for critical situations like what they experienced?
4. Did the executives trade stock with insider information?
Normally, executives have a “safe harbor window” in which to buy or sell stock if they haven’t adopted a Rule 10b5-1 plan, which allows insiders of publicly traded corporations to set up a predetermined trading plan for stocks they own. Many corporate executives use 10b5-1 plans to avoid accusations of insider trading. The safe harbor period is usually right after a quarter’s earnings announcement and before they might receive the next monthly internal financial update, which is not available to outside investors (hence, “insider information”). Many companies have procedures under which a compliance group must approve executives buying or selling company stock. Boards and GCs should consider any program that will prevent accusations of insider trading against top management.
Cybercrime will only become more rampant, costing companies and consumers an estimated $6 billion by 2021.
“The public and investors better get used to hearing about breaches because they are almost impossible to defend,” said Kerstetter. “That doesn’t mean companies and boards shouldn’t be smart and diligent about how they approach data security.”
In a recent episode, Michael Kaiser (Executive Director of the National Cyber Security Alliance) explains why boards can’t be afraid of cyber risk – and how boards can begin to peel back the layers of an effective oversight strategy.
“A lot of people will be harmed by this event,” said Kerstetter. “It’s another lesson that must be both understood and remembered by board members of all companies.”