DFS Takes Additional Action to Hold Equifax Accountable for Massive 2017 Data Breach
Consent Order Requires Equifax to Undertake Proper Risk Assessment and Board Oversight of Information Security Program, Audit, Information Technology Operations, Vendor Management, and Other Functions
Action Follows DFS Final Regulation Requiring Credit Reporting Agencies to Register with DFS and Comply with New York's First-in-the-Nation Cybersecurity Regulation and Empowers DFS Superintendent to Deny, Revoke or Suspend Agencies' Authorization to Do Business with New York's Regulated Financial Institutions and Consumers
Financial Services Superintendent Maria T. Vullo today announced that Equifax Inc. has agreed to take corrective actions following the company’s massive 2017 data breach under a consent order with the New York State Department of Financial Services (DFS) and the commissioners of seven other state banking regulators. Under the consent order, Equifax must take corrective actions that include developing a proper risk assessment and improving the Board's oversight of information security, audit, patch management, information technology operations, vendor management, and other functions. Equifax must also submit to the multi-state regulatory agencies for review a list of all remediation projects planned, in process or implemented in response to the 2017 breach, along with the company’s prioritization of those projects, as well as provide written reports to DFS and the other state regulators outlining its progress toward complying with each provision of the consent order. DFS led the multi-state examination team on matters related to cybersecurity and internal audit functions.
“DFS continues to take aggressive action in holding Equifax Inc. accountable for the massive data breach that exposed the sensitive and private information of millions of Americans,” said Financial Services Superintendent Vullo. “The consent order announced today between Equifax and the commissioners of eight state banking departments demonstrates the necessity of continued state oversight of financial services companies, through measures such as examinations and actions such as DFS’s recently finalized credit reporting agency registration regulation. In an era of weakened federal government oversight, strong state regulation is essential in order to safeguard our markets, ensure strong consumer protections and hold regulated entities accountable for their actions. New York will continue to lead in supporting a robust state financial services regulatory regime. New York will also continue in its efforts to obtain relief for consumers who were harmed by the Equifax breach.”
Today’s announcement by DFS follows a final regulation to protect New Yorkers from the threat of data breaches at credit reporting agencies. The new regulation requires credit reporting agencies with significant operations in New York to register with DFS for the first time and to comply with New York's first-in-the-nation cybersecurity standard. The annual reporting obligation also provides the DFS Superintendent with the authority to deny, suspend and potentially revoke a consumer credit reporting agency's authorization to do business with New York's regulated financial institutions and consumers if the agency is found to be out of compliance with certain prohibited practices, including engaging in unfair, deceptive or predatory practices.
In addition to DFS, the multi-state team of regulators was comprised of the Alabama State Banking Department, the California Department of Business Oversight, the Georgia Department of Banking and Finance, the Maine Bureau of Consumer Credit Protection, the Massachusetts Division of Banks, the North Carolina Office of Commissioner of Banks, and the Texas Department of Banking.
The consent order announced today includes the following corrective actions:
- Information Technology: The Equifax board must review and approve a written risk assessment that identifies foreseeable threats and vulnerabilities to the confidentiality of personally identifiable information; the likelihood of threats; the potential damage to the company’s business operations; and the safeguards and mitigating controls that address each threat and vulnerability.
- Audit: The Equifax board or Audit Committee must improve the oversight of the audit function. Accordingly, the Audit Committee must oversee the establishment of a formal and documented internal audit program that is capable of effectively evaluating IT controls and that complies with the internal audit charter.
- Board and Management Oversight: The company shall improve the oversight of the Information Security Program. Accordingly, the board or, if appropriately authorized, the Technology Committee of the board shall:
  - Approve a consolidated written Information Security Program and Information Security Policy and annually thereafter;
  - Review an annual report from management on the adequacy of the company’s Information Security Program;
  - Enhance the level of detail within the Technology Committee and board minutes, or respective meeting package, by documenting relevant internal management reports (i.e. approval of a formal, written information security risk assessment);
  - Review and approve IT and information security policies and ensure they are up-to-date and applicable;
  - Ensure that the company’s Security Incident Handling Procedure Guide includes up-to-date incident-related procedures and clarifies the roles and relationships of the groups involved in the incident response.
- Vendor Management: The company must improve oversight and documentation of critical vendors and ensure that sufficient controls are developed to safeguard information.
- Patch Management: The company must improve standards and controls for supporting the patch management function. An effective patch management program must be implemented to reduce the number of unpatched systems and instances of extended patching time frames.
- Information Technology Operations: The company must enhance oversight of IT operations as it relates to the disaster recovery and business continuity functions.
A copy of the consent order can be found here.