EQUIFAX INC - (EFX)
10-K Filing Date: February 22, 2024
ITEM 1C. CYBERSECURITY
Risk Management and Strategy
We are a global data, analytics and technology company. In the ordinary course of business, we collect, process, transmit and store sensitive data, including intellectual property, proprietary business information and personal information of consumers, employees and strategic partners. The secure operation of our information technology networks and systems, and of the processing and maintenance of this information, is critical to our business operations and strategy.
Equifax has invested significantly to develop and maintain an information security program with processes, technology and controls to protect the information, systems and resources of the Company. We have a Security team operating under the leadership of our Chief Information Security Officer (“CISO”), including approximately 400 cybersecurity professionals. The key elements of our information security program, including our cybersecurity risk management strategy, are described below.
Security Controls Framework
Equifax has implemented a unified security and privacy controls framework as our primary mechanism to establish strategic priorities related to cybersecurity, assess cybersecurity risk across the enterprise, comply with regulatory requirements and enhance security program maturity. Our unified security and privacy controls framework is based upon the National Institute of Standards and Technology's Cybersecurity Framework (NIST CSF) and Privacy Framework (NIST PF).
Cybersecurity Incident Detection and Response Process
Our information security program is based on five key functions as set forth in the NIST CSF: (i) identify; (ii) protect; (iii) detect; (iv) respond; and (v) recover. As part of that program, we maintain an incident detection and response process that is designed to ensure we appropriately identify, investigate, respond to, and recover from, cybersecurity incidents in order to protect our information, systems and resources. As part of our process, we maintain operational plans for incident response and recovery activities. We regularly review our incident response process and conduct multiple incident response exercises each year, including sessions with management, to test and assess our preparedness to respond to a cybersecurity incident.
As part of our incident detection and response process, we have established internal teams to investigate and escalate notification of cybersecurity incidents. Pursuant to this process, cybersecurity incidents are reported to appropriate personnel within Equifax (including the CISO and the CEO) and to the Board of Directors based on incident severity. We track incidents through resolution, conduct post-incident analysis and update our processes and procedures if areas for improvement are identified. On a monthly basis, a summary of prior period cybersecurity investigation escalations is reviewed by management, including our head of Internal Audit, our CISO, our Chief Financial Officer and our Chief Legal Officer.
To inform our incident detection and response process, our cyber intelligence operations team regularly performs exercises to simulate real threat scenarios that would be carried out by a perpetrator by utilizing the actual tools and methodologies that would be deployed in such an attack (so-called “red team” activities).
Risk Management
• Cybersecurity Incorporated into Enterprise Risk Management Program. We have implemented an enterprise risk management (“ERM”) program that operates under the leadership of our Chief Privacy and Compliance Officer. Each business unit and corporate support unit has primary responsibility for assessing and mitigating risks within its respective areas of responsibility, and the ERM team is responsible for oversight and reporting to management and the Board.
Under our ERM program, we conduct an annual enterprise risk assessment, which produces an enterprise risk scorecard. Cybersecurity is one of nine primary risk categories identified within the scorecard. The cybersecurity risk rating is based on a detailed enterprise security risk assessment performed by the Security team. The enterprise risk scorecard is reviewed with management and the Board of Directors on an annual basis.
• Security Risk Assessment. The Security team performs an annual enterprise security risk assessment of the information security program that is provided to management, the Board of Directors and other relevant parties. The security risk assessment provides a detailed understanding of the information security program in order to inform decisions and support risk response. The security risk assessment process evaluates the program’s control domains through various analyses and testing methods to determine the overall level of risk present within the environment over the period evaluated. The risk assessment identifies risks and considers observations from multiple business process- and system-level assessments.
We leverage NIST guidance to inform our process for conducting the security risk assessment. The risk management program and processes can be described in four steps: (i) frame risk; (ii) assess risk; (iii) respond to risk; and (iv) monitor risk.
• Third Party Risk Management. We have a governance process in place to oversee our third-party vendors who have access to our network or who hold or store personal information on our behalf (“risk vendors”). Our risk vendor contracts contain provisions requiring our suppliers to maintain a program that meets our information security standards. We periodically assess risk vendor compliance with our information security program requirements. One such requirement is the obligation that our risk vendors must notify Equifax within a designated time period upon identifying certain cybersecurity events.
• M&A Due Diligence and Integration Process. Our Security team has implemented a due diligence and integration process for entities we acquire through mergers and acquisitions (“M&A”). This process is designed to protect our information systems, align acquired entities with our security controls, and comply with applicable legal and regulatory requirements, without interrupting critical business processes. Our M&A security integration status is reported regularly to management and the Technology Committee and annually to the Board of Directors.
• Employee Training and Awareness. In order to help bolster our cybersecurity defenses and mitigate the risk presented by insider or employee cyber and security threats, Equifax has incorporated employee training into our security program. On an annual basis, all employees are required to complete mandatory security training. In addition, each Equifax employee receives training customized to his or her role or function, and has visibility into his or her individual security performance. We continually measure and assess key employee behaviors, including secure browsing and sensitive data handling. In order to promote a Company-wide focus on data security and reinforce overall security program goals, Equifax includes an individual security performance measure as one of the metrics used to evaluate the performance of all bonus-eligible employees under our annual incentive compensation program.
• Cybersecurity Insurance. We maintain cybersecurity insurance under our errors and omissions/professional liability policy, which provides coverage for certain costs related to cybersecurity incidents.
Review and Assessment of Information Security Program
We conduct regular audits of our information security program, including third party assessments and review by our internal audit department.
• Third Party Assessments of Security Program Maturity. Equifax has a formal process in place to annually assess our security program maturity, which is a measure of our ability to adapt to cyber threats and manage risk over time. Under the oversight of the Technology Committee of the Board of Directors, Equifax engages a third party research and advisory firm to conduct an annual analysis of the maturity of our security program and identify potential initiatives to enhance maturity. On an annual basis, the Technology Committee reviews the results of this analysis with management, including a review of Company performance against relevant benchmarks.
• Controls Testing. Equifax has a formal process in place to periodically assess the effectiveness of controls in our security controls framework. These controls assessments are performed by the Security team. Results are regularly reported to management and the Technology Committee and annually to the Board of Directors.
• Internal Audit Review. Our internal audit department is responsible for providing the Audit and Technology Committees and management with an independent assessment and assurance regarding the design and effectiveness of the risk management framework related to cybersecurity. As part of the assessment of our cybersecurity program, the internal audit department has a “red team” that regularly performs testing to simulate real threat scenarios that would be carried out by a perpetrator. On a quarterly basis, our head of Internal Audit provides an update to management and the Audit and Technology Committees of the Board on audit activities pursuant to the IT and security portions of the internal audit plan. Our head of Internal Audit reviews the IT and security audit reports issued, including a summary of IT and security audit findings by inherent risk and residual risk rating.
Cybersecurity Risks to our Business
As a global data, analytics and technology company, our products and services involve the storage and transmission of personal information of consumers. As a result, we are routinely the target of attempted cyber and other security threats presented by outside third parties, as well as security threats presented by employees and other insiders.
In 2017, we experienced a material cybersecurity incident following a criminal attack on our systems that involved the theft of personal information of U.S., Canadian and U.K. consumers. If we experience additional significant compromises of our security measures, including from incidents that we fail to detect for a period of time, sensitive data may be accessed, stolen, disclosed, altered or lost. Any such access, disclosure, alteration or other loss of information could subject us to significant litigation, regulatory fines or penalties, any of which could have a material adverse effect on our cash flows, competitive position, financial condition or results of operations.
Cybersecurity incidents, and the adverse publicity that may follow, can have a negative impact on our reputation and our relationship with our customers. For example, our reputation with consumers and other stakeholders and our customer relationships were damaged following the cybersecurity incident in 2017, resulting in a negative impact on our revenue for a period of time. If we experience another material cybersecurity incident or are otherwise unable to demonstrate the security of our systems and the data we maintain and retain the trust of our customers, consumers and data suppliers, we could experience a substantial negative impact on our business.
For additional information related to the cybersecurity-related risks relevant to our business, see “Risk Factors—Technology and Data Security Risks—Security breaches and other disruptions to our information technology infrastructure could compromise Company, consumer and customer information, interfere with our operations, cause us to incur significant costs for remediation and enhancement of our IT systems and expose us to legal liability, all of which could have a substantial negative impact on our business and reputation” in Part I, Item 1A. of this annual report on Form 10-K.
Governance
Board Oversight of Cybersecurity
The Equifax Board of Directors monitors our “tone at the top” and risk culture and oversees principal risks facing the Company. On an annual basis, the Board reviews an enterprise risk assessment prepared by management that describes the principal risks and monitors the steps management is taking to map and mitigate these risks. The Board then sets the general level of risk appropriate for the Company through business strategy reviews. Risks are assessed throughout the business, focusing on nine primary risk categories, including cybersecurity.
In addition, the Audit and Technology Committees of the Board coordinate on risk management oversight with respect to cybersecurity, including through quarterly joint meetings that cover the following topics:
• Regular reports from the internal audit department regarding the security and technology portions of the internal audit plan
• Regular reports from our CISO and Chief Technology Officer regarding the cybersecurity control environment, including remediation updates, control posture analyses and other recurring items
• Regular reports from our Chief Privacy and Compliance Officer regarding our global privacy, risk management and compliance programs, including matters related to cybersecurity
The Technology Committee of the Board oversees our information security program, including:
• Reviewing with management our technology investments and infrastructure associated with risk management, including policies relating to information security, disaster recovery and business continuity
• Receiving quarterly reports directly from our CISO, including updates on our enterprise cybersecurity threat level
• Overseeing the engagement of outside advisors to review our cybersecurity program
• Reviewing the results of our annual information security program maturity assessment performed by a third party
• Reviewing the results of our annual security program risk assessment prepared by management
Management Oversight of Cybersecurity Risk
Our information security program is managed through implementation, monitoring and continuous improvement of the security program with active participation of management as described below.
• Senior Leadership Team. The Equifax senior leadership team, consisting of our CEO and his direct reports (“SLT”), sets the tone for strategic growth, effective operations and risk mitigation at the management level. The SLT supports the management of the information security program through proper resource allocation and decision-making involving high risk issues. The SLT has overall managerial responsibility for confirming that the information security program functions in a manner that meets the needs of Equifax.
• Chief Information Security Officer. Equifax has a CISO who is a member of the SLT and reports directly to our CEO. Our CISO has more than two decades of experience in cybersecurity-related roles, including serving as CISO at other large, multinational companies. Our CISO is responsible for oversight of the global Security team and the implementation and execution of the information security program. Our CISO helps ensure that the program is strategically aligned to Equifax’s business strategy and is responsible for reporting on the effectiveness of the program to the SLT and the Board of Directors.
• Global Security Team. The Equifax global Security team is responsible for supporting the CISO in the execution of the information security program to meet the program’s objectives. The Security team is directly responsible for the day-to-day program activities such as planning, implementation, monitoring and reporting on operational capabilities.