By Kim S. Nash, Joann S. Lublin and Anna Maria Andriotis

Equifax breach triggered broad reassessment of cybersecurity oversight, experts say

Corporate boards are seeking greater insight into cybersecurity risks in the aftermath of the recent breach at Equifax Inc.

The hacking attack on the credit-reporting firm last summer was a defining moment for directors, say technology and corporate-governance experts. As cyber criminals damage company reputations and cause tens of millions in remediation and legal costs, some boards are increasing cybersecurity oversight and weighing how to delegate responsibilities among directors. Others are pushing for more meetings with corporate security chiefs.

Directors at HD Supply Holdings Inc. reviewed the company’s entire cybersecurity program after learning of Equifax’s breach—and discovered a glaring hole, said Betsy Atkins, lead independent director of the industrial products distributor. She said the company had no formal procedure for dealing with ransomware attacks, in which hackers stymie computers or freeze access to data and then demand payment for release. “Equifax triggered a reactive review of the thoroughness of our oversight and compliance and of our gaps, and we acted,” Ms. Atkins said. HD Supply’s board and management devised a response plan, including creation of a bitcoin account from which to pay ransoms, she said.

The boards of Volvo Car AB and Schneider Electric SE, on which Ms. Atkins also serves, are considering reallocating cybersecurity oversight duties among board committees this year, she said. Currently, the audit committees of both boards are mainly responsible for cybersecurity, she said. The topic could get more attention if it is also assigned to the governance committee or a new digital committee, she said. Ms. Atkins said she plans to push her boards to request two comprehensive cybersecurity reviews a year instead of one.

Disclosure of the Equifax breach kicked off “an immediate analysis” of the attack by management at Options Clearing Corp., said Mark Morrison, chief information security officer at the clearinghouse operator. Findings were sent to Craig Donohue, board chairman.  Members of the board’s technology committee also received the report, Mr. Morrison said. The board wanted to know whether OCC was vulnerable to a similar attack, he said, adding that he also provided a more detailed analysis in October at OCC’s quarterly board meeting.

More than one in five directors say they are dissatisfied with the quality of cyber risk information that the board gets from management, according to a 2017 survey of 583 directors and executives with governance duties by the National Association of Corporate Directors. Those who feel confident the company they serve is properly secured against a cyber attack fell to 37% last year from 42% in 2016.

Equifax said in its third-quarter earnings call in November that it incurred $87.5 million in expenses tied to the breach it revealed in September. The incident involved personal information of potentially 145.5 million Americans. Richard Smith, Equifax’s chairman and chief executive, resigned in late September.

Equifax’s board recently made changes to the membership of some of its committees. Scott McGregor, former CEO of networking vendor Broadcom Corp., joined the board in October and was added to its technology committee, which has duties that include oversight of cybersecurity. Mark L. Feidler, a private-equity executive, was a member of the committee at the time of the breach but is no longer on it. He succeeded Mr. Smith as Equifax chairman and joined the board’s compensation committee.

Board committees dedicated to information technology risks and strategy are still rare. Just four Fortune 100 companies operate one, according to a review of the latest proxy statements by The Wall Street Journal. Many boards monitor cybersecurity issues in risk or audit committees, with some discussion in general board meetings, said Gerry Czarnecki, principal of Deltennium Group, a governance consulting firm. He works with the NACD to train directors in cybersecurity.

It isn’t clear how closely Equifax directors oversaw cybersecurity. According to congressional testimony from Mr. Smith, the board didn’t know about the hack for more than three weeks after suspicious activity was discovered by Equifax and well after the company hired a cyber investigations firm and contacted the Federal Bureau of Investigation. An Equifax spokeswoman said the company wouldn’t comment on the length of time that passed before the board was informed. She said the board receives regular updates from management on issues facing the company.

Boards must better prepare for crisis, said David DeWalt, former CEO of cybersecurity firm FireEye Inc. Equifax hired FireEye’s cyber investigations unit to look into previous incidents. Boards need to be “prepared with proper talent, proper technology and proper process,” said Mr. DeWalt, who is vice chairman of the board safety and security committee at Delta Air Lines. “Most boards fail on most or all of these components.”