The Equifax Breach Is a Reputational Crisis that Will Linger
Blog Post12 Jun, 2019
No doubt, the Equifax data breach that exposed the personal information of over 140 million U.S. consumers will have significant impact on the reputation of the company. The crisis is likely to be debilitating for the business over the short-term, and over the long-term it is going to diminish the potential for Equifax to engender any depth of positive support among its core stakeholders.
Equifax was already challenged pre-crisis, and it did not have much of an emotional buffer or reputational equity to trade off. Based on the U.S. RepTrak® study fielded in early in 2017, Equifax only had an average reputation with a pulse score of 66.5. But according to more recent studies conducted by The RepTrak Company based on the risk exposure to data privacy issues, it’s highly likely that Equifax could lose more than 10-pulse points—which would put the company in the realm of having a weak to vulnerable reputation.
What that translates into is a significant loss of support on key behavioral measures that underscore the economic viability and prosperity of the organization, including declines in willingness to invest in, license to operate, and benefit of the doubt. However, what’s perhaps most surprising is not that it happened, but how unprepared Equifax was in dealing with the data breach—and the far-reaching implications of what this crisis might mean for the Financial Services industry.
Lessons learned from Equifax for the financial services industry
With 20/20 hindsight, here are the five key observations and lessons learned that financial services companies need to consider:
Prioritize and mitigate for reputation risks related to Governance
As a key component of Corporate Social Responsibility, Governance is a critical dimension of reputation among Financial Services companies accounting for 15% of the total weight of importance. It means that risks related to Governance such as data privacy breaches, cyber-attacks by hacktivists, or egregious attempts to steal customer information by partner companies should be keeping Financial Services companies up at night. Being proactive in developing mitigation strategies for avoidance of such risks is clearly important—as is establishing a play book for knowing how to respond to a crisis as and when it happens.
Lesson: Equifax did not seem to have a risk management playbook.
If compromised by a data breach be open and transparent in managing the issue
It took over a month for Equifax to disclose the data breach, and in handling the matter, it has been less than fully open and transparent in divulging the exact details of what happened. Ethics and honesty are key components of good Governance, and therefore in not immediately announcing the breach it served to exacerbate the crisis. Lack of transparency, not only put the company at greater levels of company risk, it also served to unknowingly expose millions of consumers to higher levels of personal risk. This in turn makes the General Public less forgiving of Equifax in how it handled the issue. Even before the data security crisis, Equifax only had an average reputation score of 63.8 on the attributes of “open and transparent in the way it operates.” What has since transpired, will likely result in a significant decline on that measure.
Lesson: Delaying disclosure and opacity makes a crisis much worse.
A data privacy breach is now an everyday risk that is waiting to happen
In the last few years, there have been a record number of data privacy breaches—many outside of Financial Services. Remember Target, Home Depot, Sony, Wendy’s ... even the DNC? According to Bloomberg, there were over 1,000 data breaches recorded in 2016. And so, with data breaches being the new normal, it is hard to fathom as to why Equifax did not have a plan for preparedness? According to our recent studies on reputation risk, the General Public believes there is a more than a 75% probability of a data breach happening within their own Financial Services provider. This suggests that in the same way a CPG company should anticipate a product recall, or in the way in which an airline is concerned about safety, a Financial Services company should be especially paranoid about data breaches.
Lesson: Being unprepared to manage risk that is core to your business is inexcusable.
When it comes to data breaches, don’t assume that “it won’t happen to us”
No one expected such a large and highly established company like Equifax to experience such a widespread data breach. Based on the pre-crisis U.S. RepTrak data from earlier in 2017, Equifax recorded a strong reputation score of 76.4 on the merits of strong data privacy and security practices (although that is unlikely to be the case post crisis.) And you would expect that before the crisis the management at Equifax thought they had all the appropriate measures in place to protect the organization against a significant breach. But perhaps inherent within the risk management approach of Equifax, there was an institutional inertia that was grounded on the assumption of a false sense of security.
Lesson: You can’t plan for a potential risk if you don’t pre-measure its severity
Banks, lenders, insurers, or credit cards companies, could be guilty by association with Equifax
The real impact of the Equifax data breach on the Banking and Financial Services industry is yet to be fully assessed. The month-on-month reputation trend for August vs. September based on the continuous National Tracker in the U.S. across all financial related benchmarks will be telling. But for now, it’s fair to say there’s a distinct possibility that the looming threat of data breaches coupled with the recent events related to Equifax, could have an acute and highly negative impact on governance scores across the Banking and Financial Services category—and that could result in an overall decline in reputation. At minimum, a business customer or consumer might think twice about supporting banks, lenders, insures, or credit card companies if they believe the company is strongly aligned with Equifax
Lesson: Don’t point the finger at Equifax because it could come back to bite.
What is the reputational prognosis for Equifax?
Equifax is likely to bounce back, but it’s going take time for that to happen based on the way it has mishandled the issue (after the data breach) and for the viscerally negative sentiment to recede in the minds of the General Public.
To accelerate reputation recovery, Equifax might consider the following three point plan:
Provide full disclosure on the data breach, explaining exactly what happened, how it happened, and why it happened. If there is anything else left to be said don’t wait, put it out there.
Put measures in place so that a data breach can never happen again. Reassure clients of the steps being taken and explain what is being done to mitigate against future risk.
Pivot the narrative to the future. Don’t continue to over explain the past, rather proceed with confidence, focus on the delivery of seamless execution, and win back confidence one individual at a time.
Stephen Hahn-Griffiths Executive Vice President The RepTrak Company @shahngriff