
Something weird is going on at Equifax

Bill Coffin | September 11, 2017

On July 29, the Atlanta-based credit monitoring agency Equifax experienced a data breach that exposed the personally identifiable information of some 143 million consumers, mostly in the United States (but also in Canada and the United Kingdom). Hackers potentially gained access to names, Social Security numbers, birth dates, addresses, and even some driver’s license numbers. Equifax immediately engaged a cyber-security firm to address the data vulnerability and alerted law enforcement, but the company waited almost two months before telling the public on September 9. Not surprisingly, Equifax’s stock price dove nearly 14 percent in a single day, against what had been a 20 percent year-over-year climb. Not something that would destroy the company, for sure, but still a nasty wound for investors no matter how one approached it.

The Equifax breach is hardly the largest in history, but it could prove especially costly because of the nature of Equifax’s business: harvesting personally identifiable information and using it to allow third parties to make credit evaluations. Ask anyone who has ever paid a credit card bill a few days late in their early 20s, and they’ll have an unkind story to tell about credit monitoring in general, and about Equifax in particular, it being one of the reigning kings of the credit monitoring business. Like insurance or certain aspects of Wall Street, the nature of its business leads its own consumers to tell villain stories about the company; nobody is ever happy to review their credit monitoring report, even when it’s good news. These things are, at best, seen as a necessary evil, and a lot of folks don’t even add on the “necessary” part.

This matters because not long after Equifax’s September 9 breach disclosure, media outlets reported some strange trading activity in the company’s stock during that limbo period between when the company discovered the breach and when it made an official announcement. The first bit is that three Equifax executives, including its chief financial officer, sold off some 13 million shares worth about $2 million. These were discretionary transactions that were not automated or scheduled, which immediately raised some eyebrows. Equifax’s explanation was that these executives did not know about the breach, and so would have had no incentive to sell off stock for fear of a drop in its price. And yet, one of the biggest sellers here was the CFO. It seems difficult to believe that a C-level executive of that importance would have had no knowledge of what the company must surely consider to be a critical security crisis.

But there is more: On August 21, Equifax’s stock was trading at about $140 a share. Somebody bought about $160,000 worth of $135 put options, which jumped in value to about $4 million on the news of Equifax’s stock drop. Those are some very interesting option trades.

Already, the State of New York is investigating Equifax over the timing of its breach announcement, in accordance with its tough new cyber-security law, which requires companies to disclose any compromise of customer data in a timely fashion. The news of these interesting trades may yet spark further investigation. But in the court of public opinion, they are already damaging Equifax’s brand further among those who do not have the finer details on the trades, just the broad outline: Equifax suffered a breach, it waited two months to tell anybody in the markets, people bought and sold stock in a way that seemed to take advantage of this information, and then the stock dropped and folks made a bundle of cash. It doesn’t look good.

Compliance is often brought into cyber-security and crisis management because both are functions that require an all-hands-on-deck approach. In this particular breach, there doesn’t seem to be a lot compliance could have done to protect Equifax, as the breach seems to be the work of a web application exploit rather than a human error like leaving a laptop on a subway. But compliance most definitely has a role to play in the internal sale of stock under unusual circumstances, and if anything, it could have—and should have—been the point of the spear in informing the public about all trading activity in the company, just as it was also disclosing the news about the breach itself.

Equifax is a very profitable company that is over 100 years old. One can imagine any number of ways in which the organization will endure this crisis and continue for many more successful years to come. But right now, it is a villain story. That story is hurting shareholders. And in a situation like this, compliance has a role to play in informing the public and managing the company’s reputation during a crisis. If compliance had such a role to play here, it certainly does not look like it from outside the Equifax campus.