Two months after revelations that an Equifax breach had exposed information on 145.5 million U.S. consumers, the company has added Scott A. McGregor, former CEO of Broadcom Corp. to the board and to its technology committee.
Noting McGregor’s “broad executive management experience and extensive data security, cybersecurity, information technology and risk management experience,” non-Executive Chairman Mark L. Feidler said in a release that he “will be an invaluable resource for the Board as it continues its focus on strengthening the Company’s data protection systems and cybersecurity defenses and rebuilding the trust of consumers, customers, shareholders and other stakeholders.”
McGregor, whose appointment brings the board up to 11 independent members, has had stints at Philips Semiconductor, where he served as president and CEO, and at Santa Cruz Operation Inc., Digital Equipment Corporation, Xerox PARC and Microsoft. At Microsoft he architected Windows 1.0 and led its development team.
Equifax had pledged to bolster its cybersecurity posture post-breach. Former company CEO and Chairman Richard Smith recently told the House Energy and Commerce Committee Subcommittee on Digital Commerce and Consumer Protection surrounded the fact that Equifax learned of the Apache Struts vulnerability from U.S. CERT and then twice searched for any issues in its networks coming up empty each time and thus allowing the flaw to remain unpatched in its Consumer Dispute Portal. Smith also claimed to have no knowledge of the total extent of the problem until July 31 when the issue was brought to him by his cybersecurity team.
The company also had to take a customer help page offline after Independent Security Analyst Randy Abrams discovered evidence of a second breach, just a month after the company said the information on 145.5 million U.S. consumers had been exposed.
“Equifax’s appointment of a cybersecurity expert to their board of directors sends a strong signal to their shareholders and to the marketplace about the depth and breadth of the impact their recent breach has had on the company, and the recognition that they must chart a new path forward in shoring up their security and data protection program,” said Dana Simberkoff, chief risk, privacy and information security officer at AvePoint. “If there’s one bright side from this entire episode, it’s a strong sign that cybersecurity and privacy issues must in fact be a board of directors-level issue, and cannot be delegated into the background.”