In a consent order with financial regulators from eight states, Equifax Inc. yesterday agreed to put in place a number of basic data security safeguards – apparently lacking until now – to prevent another massive breach. The order lists specific actions that Equifax must take to improve its data security environment, including conducting a comprehensive risk assessment that considers “foreseeable threats and vulnerabilities” to sensitive information and the way the company plans on defending against those threats.
Another specific area that Equifax is required to address is board and management oversight of cybersecurity risk. The order requires the board to approve an annual information security plan and to step up “the level of detail” in board minutes documenting the steps taken, to ensure a clear record of board action.
In addition, Equifax is required to more closely oversee vendor management – that is, outside vendors with access to the company’s network or sensitive information – including putting in place policies and controls for the use of cloud-based services.
Equifax must also “improve” its software patch management controls to reduce the number of unpatched systems. When Equifax was hacked last year and information about nearly 150 million people was stolen, the hackers accessed its network through a software flaw that went months without being patched.
The Equifax board must provide the financial regulators – from New York, California, Massachusetts, Alabama, Georgia, North Carolina and Texas – with written reports each quarter outlining its compliance with the order.