Memo to Congress: Five Key Questions for Upcoming Equifax Hearings
Richard F. Smith – who presided over Equifax Inc. as CEO during one of the largest data breaches in a generation – will testify before two congressional committees next week.
Smith will appear Tuesday before the House Energy and Commerce Committee and on Wednesday before the Senate Committee on Banking, Housing, & Urban Affairs. Both hearings will be webcast live. The House hearing is available here and the Senate hearing here.
While lawmakers will be eager to use the hearings to vent, grill, grandstand or some combination of the foregoing, there should be little public patience for the usual Washington dysfunction.
Congress is keenly aware that the Equifax hack has unleashed a near populist revolt – with tens of millions of American consumers scrambling to protect their credit profile and online identities.
Yet, with Smith’s candor, there is an opportunity, if Congress cares to take it, to use the hearings to advance our collective understanding of cybercrime and what it will take to create the impetus for change.
Here are the questions that should be asked:
Specifically, what data did the criminals obtain from the typical file? What's the best case and what's the worst case scenario?
How much of the company’s time, energy and resources were spent on cybersecurity preparedness, defense and protection before the breach? And what was the company’s strategy and key areas of emphasis? How did this fail?
Walk us through the day you learned about the breach. Looking back, were there early warning signs that could have helped you identify it sooner? If so, what were the warning signs and how did you respond to them? Could there have been a different result?
Knowing what you know now, what specifically could – or should – have been done differently? What five things would you have done to enhance the company’s cybersecurity posture?
If you had it to do over with public and private resources, and collaborate with the best and brightest in technology, cyber, government and the private sector, what would your ultimate cyber defense system and processes look like and how would it continuously protect Equifax’s systems in a constantly changing threat environment?
With new threats looming and the world almost completely inter-connected, the House and Senate committees will have an opportunity next week to help us all better understand the challenges that companies face in protecting vast stockpiles of sensitive information.
Let’s hope they make the most of it.