A Model CIO: Equifax CIO Keeps Showing Us How *Not* to Respond to a Breach
The big news out of Equifax this week is its $700 million settlement, including up to $425 million in consumer restitution, as a result of its 2017 data breach, which exposed the private financial data of over 145 million Americans. It’s the most expensive breach settlement ever.
While the settlement really drives home the point that data breaches can be extremely expensive, I think the latest news about the company’s former chief information officer (CIO) is just as important because it helps illustrate how this breach can happen when there isn’t a strong culture of compliance and risk management.
We’ve already talked about how the credit reporting agency’s CIO, Jun Ying, was phoning it in when it came to IT security. He told a Senate investigations committee that patching was a “lower level responsibility that was six levels down” from him.
This attitude of being above the basics seemed to trickle down. According to the Senate report, senior managers, including those in IT or security, rarely attended monthly meetings to discuss cyber threats and vulnerabilities. None could specifically remember the March 2017 meeting where the vulnerability was discussed.
The CIO also told the committee he doesn’t think Equifax could have done anything differently—though he promptly “retired” after the breach became public knowledge.
I bet the CIO wishes he had done something differently. He’s been sentenced to four months in a federal prison followed by one year of supervised release as a result of his illegal post-breach actions, according to the U.S. Justice Department.
CIO Insider Trading Leads to Federal Prison Sentence
When a CIO finds out about a data breach, his first thought shouldn’t be asking how he can profit from it. Yet that’s the route Ying took when he concluded the company had been breached before the news became public.
According to the Justice Department:
“On Friday, August 25, 2017, Ying texted a co-worker that the breach they were working on 'sounds bad. We may be the one breached.'
The following Monday, Ying conducted web searches on the impact of Experian's 2015 data breach on its stock price. Later that morning, Ying exercised all of his stock options, resulting in him receiving 6,815 shares of Equifax stock, which he then sold.
He received proceeds of over $950,000, and realized a gain of over $480,000, thereby avoiding a loss of over $117,000. On September 7, 2017, Equifax publicly announced its data breach, which resulted in its stock price falling.”
Ying wasn’t the only Equifax employee found guilty of insider trading as a result of the breach. Former software product developer Sudhakar Reddy Bonthu was tasked with helping develop an application to help consumers determine if they were impacted by a breach. Realizing it was a large-scale Equifax breach and knowing the deadline for public disclosure, Bonthu placed a “put” option on Equifax stocks that let him make a profit if the stock dropped before it expired on September 15. When the stock dropped after the public announcement September 7, he made $75,000 in profit. He forfeited the money and spent eight months in home confinement after pleading guilty last June.
CIO Poisons Compliance Culture from the Top
Equifax is a huge company and the blame for the breach can’t be placed on any single person’s shoulders. A lot of things had to go wrong for a breach like this to happen. This includes poor patch management, failure to conduct or maintain a thorough IT asset inventory, leaving data unencrypted, no findings follow up, and no audit trail.
That many oversights aren't just a coincidence. They're the result of a systemic failure in culture. The concept of a risk management or compliance culture isn’t just lip service. It’s about having strong leadership that creates value by demonstrating a top-down commitment to the core values of an institution.
In this case, it looks like the CIO thought he was too important to care about what was going on in the trenches. Since he didn’t care, employees didn’t see the importance or urgency of protecting data even though data breaches are exceedingly common. And I doubt the CIO was encouraging staff to hire people with judgement skills and risk management experience to help nurture the culture. In fact, at least two employees thought to profit from the breach.
Was this the CIO’s general approach to management or did this laissez-faire culture stem from someone even further up the chain, seeing as Ying didn’t seem particularly incentivized to do his job properly. Was no one holding him accountable or encouraging him to address risk management?
If the Justice Department, Securities and Exchange Commission (SEC), and FBI hadn’t investigated the issue, Ying would have actually profited from neglecting his job duties. Now he just has a bunch of legal bills. That makes me wonder: Is he eligible for his piece of the Equifax settlement ($125) if his identity was breached?
I don’t think he deserves it.
What Are You Doing to Promote Culture?
Now is the time to ask what management and the board are doing to promote a culture of risk management and compliance. If you can’t give a specific answer with measurable outcomes, the answer is you aren’t doing enough.