Equifax Breach – Lessons for the Credit Reporting Industry

Written by Shivaraj K M

Continuing from last week's blog, which described the large data breach at Equifax, this write-up looks at how a data breach at any vendor in the service chain affects individual firms and the financial services industry as a whole.

How does the loss of customer information affect financial services?

One of the most infamous and frequently cited data breaches in the financial services industry was the Global Payments breach reported in March 2012. Global Payments, an intermediary payment solution provider, disclosed that it had lost the card details of more than 1.5 million accounts in the US. The incident affected four major card-payment processors as well as the US banks that issue credit and debit cards, and these firms had to hire independent data security organizations to evaluate the damage done by the breach. The banks also had to issue new cards for the affected accounts. End customers were not affected by the fiasco, though, as the losses were shouldered by merchants, card issuers, and Global Payments. These efforts hurt not only the bottom line of the banks and payment processors but also their reputation.

Similarly, in the case of the Equifax breach, many credit union associations are suing Equifax for the losses they expect to incur. Financial institutions, whether or not they are customers of Equifax, have to cancel or re-issue the affected cards. With customer data out in the open, the likelihood of fraud goes up, whether on existing debit/credit card accounts or on new accounts opened with stolen identities. Financial institutions will also have to reimburse end customers for any fraudulent activity and increase their spending on fraud monitoring.

Public outrage and calls for regulatory changes over the Equifax data breach

With more than 143 million people affected by the data breach, Equifax is facing a huge backlash over its handling of sensitive data. This has prompted enquiries from lawmakers, the Federal Trade Commission, and state attorneys. There have been calls for a public credit registry, owned by the US Government, to be opened, in line with the Chinese and Indonesian public registries. A public registry is expected to bring more balance to credit reporting and give private credit reporting agencies an incentive to better protect individuals' data.

Some commentators are also asking for a complete overhaul of the way credit reporting agencies collect data. Credit reporting agencies rely on social security numbers to collect information on individuals, and all US citizens must provide their social security numbers when opening bank accounts, applying for loans, and filing tax returns. This over-reliance on social security numbers makes credit reporting agencies an appealing target for attackers seeking highly sensitive information.

Responding to the Equifax data breach, the New York Governor has asked the New York Department of Financial Services (DFS) to issue a new regulation requiring credit reporting agencies to register with New York for the first time and to comply with New York's cybersecurity laws. The DFS Superintendent will also have the authority to revoke or deny a credit reporting agency's authorization to do business in New York if it does not comply with the standards set by the new regulation.

However, more regulation may not be the answer to bringing higher accountability to the credit reporting sector. The sector is already dominated by just three major players, and firmer regulation may only create new barriers to entry for disruptors in this centralized sector. A more apt approach would be to liberalize the sector for better competition, thereby giving the existing players an incentive to better protect sensitive information.

How can the financial services industry protect itself from data breaches?

Even with the best cybersecurity policies, companies in the financial services industry may not be completely immune to cybersecurity threats and data breaches. A data breach at a firm that is not even in an organization's direct service chain may still affect that organization.

Hence, there is a greater need for all financial services companies to continuously evaluate and monitor all of their vendors. Companies can insist on including an early notification clause in the contract, which obliges suppliers to inform their clients of any data breach in their systems. They also need to make sure that their suppliers have a breach response plan in place. Beyond this, companies can vet their suppliers' IT security infrastructure and review the cybersecurity investments the vendors have made.

For more insights and updates on cybersecurity risks, check out Supply Wisdom Alerts. Take a free trial to see how we can help you stay up-to-date on the latest trends and be more proactive about monitoring and managing risks across your global locations and suppliers.
