Equifax did not fix known problems with the shared security software it was using. Those problems were known in March. However, no one on the Equifax board or management team seemed concerned about index provider MSCI cautioning that Equifax was not prepared for “increasing frequency and sophistication of data breaches.” That caution was published in August 2016. MSCI removed Equifax from its index, citing the high risk factor of the lack of security. The list of items MSCI found as flags:
-no regular cyber security audits
-no employee training to recognize risks
-no emergency plans for handling a breach
Those are the kinds of findings, as well as a score of zero by MSCI, that should have motivated the board to action. Or the CEO, or the CIO. Someone, anyone. Or, perhaps at least refute the claims. Equifax continued on its merry, albeit risky way.
Sometimes these indexes, with which many find fault, have a point. They are worth looking at for their sheer detail.