Why the Equifax hack was not a surprise

Although details surrounding the hack remain vague, to many it comes as no big shock

By Joe Rosengarten

Although the details surrounding how hackers infiltrated Equifax remain vague, to many it comes as no surprise that the credit reporting firm was hacked.

Just over a year before last week’s cyberattack, Equifax was dealt a different kind of blow: a downgrade in its environmental, social and governance ratings by MSCI, an investment research firm that provides indices, portfolio risk and performance analytics and governance tools.

“[I]n August 2016, MSCI ESG Research downgraded Equifax to CCC – our lowest possible rating,” MSCI said in an emailed statement. The company’s rating has not changed since then.

According to a recent factsheet prepared by the ratings firm, Equifax’s security and privacy measures had proven “insufficient in mitigating data breach events.” It cited the 2016 exposure of tax and salary data of 431,000 people employed by the grocery chain Kroger, a key Equifax client.

“The company’s data and privacy policies are limited in scope and Equifax shows no evidence of data breach plans or regular audits of its information security policies and systems,” the factsheet said.

An ESG-rating report the firm published in April also cited Equifax’s vulnerability to “reputational damage, loss of customers, litigation, and possibly regulatory action” given its involvement in credit reporting. “Credit reporting services represent all of Equifax’s revenues, generated predominantly in the US and UK markets, [where] increasingly stringent data protection laws apply,” MSCI said in the report.

On privacy and data security, one of the key issues for service companies rated under the MSCI ESG Ratings methodology, Equifax was scored zero out of 10.

Although Equifax may find it difficult to recover from the reputational damage of the hack, its cyber liability policy will cover it for financial and business interruption costs. However, the vast majority of people whose details were exposed do not carry any cyber coverage and will not, therefore, be covered if they suffer financial losses.

“Those people are going to have to deal with the potential for identity theft, fraud issues, and attacks on their own systems or devices,” says Jeremy Barnett, senior vice president of marketing at NAS Insurance. “That is the downstream impact: 143 million people had their data exposed, and it’s safe to assume some of those are going to get violated.”

Barnett believes that the increased regularity of such invasive hacks could lead to a rise in the number of regular Americans purchasing individual cyber policies.

“We launched a product in the spring called Personal Cyber plus,” Barnett says. “An individual cannot buy it directly, but we are making it available to personal lines insurers who sell home, life and auto insurance and want to add a cyber endorsement to those policies.”
