Equifax Consent Order Includes Internal Audit, IT Audit Mandates


In a consent order signed with eight states, credit reporting agency Equifax agreed to adopt several measures to shore up weaknesses across a wide spectrum of its IT and data security operations.

The order includes a provision to beef up its internal audit program. It requires better assessments of internal IT controls, with frequent scans of high- and medium-risk systems. It also requires audit committee monitoring of all findings identified by internal audit. The board also must bolster oversight of the audit function and approve a written risk assessment identifying foreseeable threats to the confidentiality of personally identifiable information. The company must also report back to banking regulators in the states that signed the order: California, Texas, New York, Georgia, North Carolina, Massachusetts, Alabama, and Maine.

Last summer, Equifax suffered a massive data breach, which exposed names, dates of birth, Social Security numbers, and other identifying information of 148 million people. The incident prompted several states’ regulators and attorneys general to tighten rules on the companies that report Americans’ credit ratings.

“Equifax’s failure to properly secure confidential personal data caused widespread harm to California consumers,” said California Department of Business Oversight Commissioner Jan Lynn Owen. “The breach never should have happened. This order will help ensure it doesn’t happen again.”

The increased internal audit requirements could become a compliance standard for companies that deal with sensitive data, such as consumer financial information. The following provisions related to internal audit are required by the consent order:

AUDIT

2) Within 30 days from the effective date of this ORDER, the Board or Audit Committee shall improve the oversight of the Audit function. Accordingly, the Audit Committee must oversee the establishment of a formal and documented Internal Audit Program that is capable of effectively evaluating IT controls and that complies with the Internal Audit Charter, which requires compliance with International Standards for the Professional Practice of Internal Auditing. The program must document and include:

(a) A defined audit universe, covering all auditable areas, and formal risk analysis process that is used to set the scope and frequency of the IT audits;

(b) An audit schedule that is prepared on a multi-year basis to ensure that critical, high- and medium-risk areas are audited with an appropriate frequency;

(c) Audit of critical and high-risk areas at least annually;

(d) Presentation of an issue tracking report and an issue aging report, containing all open issues, to the Audit Committee on at least a quarterly basis;

(e) Audit Committee monitoring of all findings identified by Internal Audit, regulators, and third party consultants that the Company retained to advise on breach remediation efforts until the issues are resolved;

(f) Validation by Internal Audit that critical, high-risk and medium-risk issues have been resolved on a timely basis; and

(g) Guidelines for ensuring that Internal Audit is not involved in the daily operations of the Enterprise Risk Management process.

Once the Equifax board has approved the new procedures, the company has until Dec. 31 to carry them out, according to the consent order. The document also requires Equifax to submit regular written updates on implementation of the new data security plans. The Consumer Financial Protection Bureau and the Federal Trade Commission are still conducting separate investigations of the Equifax data breach, although some consumer groups have recently raised concerns that the CFPB has put its Equifax investigation on hold.
