Equifax can’t even oust its hapless chairman and chief executive effectively. Rick Smith is “retiring,” as the corporate euphemism goes, after failing to prevent a massive cyber attack and fumbling the response – and with little financial penalty to boot. An interim management plan makes clear the board hadn’t planned succession adequately either. Equifax needs regime change at every level.
The $12 billion consumer credit-score provider’s focus on selling information resulted in profits, but it forgot protecting this data was of equal importance. Consumers don’t really exert much choice over whether their data is provided to Equifax and its rivals. This makes these firms especially vulnerable to legislation if consumer outrage turns to pressure on politicians.
Allowing hackers access to an internal system with vital personal information on 143 million U.S. consumers for 10 weeks before being discovered was an abject failure. But the company’s poor preparation and ad hoc response enabled a conflagration that engulfed its reputation and incinerated a quarter of shareholders’ wealth.
Various details illustrate Equifax’s poor preparation and handling of the crisis. The former security chief’s degrees were in music. Consumers weren’t notified for six weeks. Some were directed to a spam site. Those that took up free credit monitoring offered by the company were initially forced to waive their right to sue the firm. And several insiders sold stock in the period between the intrusion and notification of the public.
Tuesday’s announcement is similarly ad hoc and unconvincing. Smith is allowed to save face by retiring with his $18 million pension intact. Director Mark Feidler has been appointed chairman. And Paulino do Rego Barros, president of Asia Pacific, has been appointed interim CEO.
Harsher measures are needed to ensure accountability. The upcoming review of Smith’s benefits shouldn’t allow remuneration beyond minimal contractual obligations. Six of the board’s 10 members have served a decade or more, and the average tenure is nine years. Feidler’s 10 years, and position on its technology committee, should offer insight.
The right prescription is an overhaul, and appointment of new blood that understands and advocates for a culture in which security is of paramount concern. Equifax’s ability to spot and promote worthy talent is also questionable, with its CEO, chief information officer and chief security officer all leaving. Naming a successor to Smith is just the first of multiple replacements needing to be made.
Commentary by Robert Cyran, a columnist at Breakingviews. Follow him on Twitter @rob_cyran.
For more insight from CNBC contributors, follow