Equifax CEO Richard Smith has become the latest executive to abruptly retire from the company following a massive breach that exposed the data of 143 million U.S. consumers and cast the company's security practices into question.
“The Board will undertake a search for a new permanent Chief Executive Officer, considering candidates both from within and outside the company,” the credit reporting firm said in a statement, which named board member Mark Feidler as non-executive chairman and Equifax's president, Asia Pacific, Paulino do Rego Barros, Jr., as interim CEO. “Mr. Smith has agreed to serve as an unpaid adviser to Equifax to assist in the transition.”
Apologizing for the breach and its impact, Feidler noted that “the Board remains deeply concerned about and totally focused on the cybersecurity incident” and is “working intensely” to provide consumer support and make the changes “to minimize the risk” of a future incident. “We have formed a Special Committee of the Board to focus on the issues arising from the incident and to ensure that all appropriate actions are taken,” Feidler said.
Equifax's CSO and CIO retired earlier in the month after the company disclosed that hackers exploited a vulnerability in Apache Struts.
At the time Sen. Chuck Schumer, D-N.Y., suggested that Smith and the company's board should resign if they don't quickly take the initiative - including notifying customers and allowing credit freezes for 10 years - to protect consumers.
"We need to get to the bottom of this - the very bottom, the murky bottom, the dirty bottom," the senator was quoted as saying. The Federal Trade Commission, the Securities Exchange Commission and a pair of congressional committees, including the House Energy and Commerce Committee, where Smith will testify on October 3, intend to do just that.
Saying he has “been completely dedicated to making this right,” Smith contended in a statement that “at this critical juncture, I believe it is in the best interests of the company to have new leadership to move the company forward.”
Equifax and its leadership have been roundly skewered for both sub-par security practices and delays in discovering and disclosing breaches. Viewpost CSO and General Counsel Chris Pierson noted that while hackers could penetrate any company and exfiltrate data, it "appears" that Equifax "had their head in the sand from a cybersecurity perspective, but also from a governance and breach response perspective as well."
That's why Smith "had to go," Pierson said. "Sometimes you must play the cards you are dealt and what you do with them is what matters."
Smith and both external and internal members of his team "bungled every step of the response: messaging, PR, consumer protection communications and offers, and everything else imaginable," he said. "The breach is a shining example of what happens when you do not prepare for data breach response ahead of time, do not adequately table top your responses, and do not have that single incident commander leading the charge."
Calling cybersecurity "a board-level matter" dependent "upon a strong cybersecurity culture" that starts at the top, Pierson advised, "If the current technology professionals are unable to have a seat at the business table, then companies must find the business and risk person who is a cybersecurity expert and give them the seat at the table."
Mike Kail, CTO at CYBRIC, said it was "sad" that it took "a breach of this magnitude and the subsequent gross incompetence of handling it after the fact" to prompt the board to take notice of security. "I hope this shot across the bow wakes up other CEOs and Board members to start providing security assurance to their customers," he said.