Stewart Room

Equifax fine highlights supply chain and incident response risks

Updated: Oct 27, 2023


Last week the FCA, one of the UK’s financial services regulators, fined Equifax Ltd £11.2M for a cybersecurity breach suffered by Equifax Inc, its US parent, back in 2017. The breach has become a cautionary case study for a range of reasons: it was avoidable; the number of people impacted was huge (over 160 million, of which nearly 14M were in the UK); and the response failed to deal appropriately with the international impacts outside of the US.


All of these issues are public knowledge and the FCA’s penalty notice covers them well, but there are two issues that I want to explore here. First, the case illuminates the problem of dealing with cybersecurity breaches in the supply chain. Second, it provides a salutary reminder of what can happen if you don't own the narrative in serious breach cases.


Key facts according to the FCA are:

  • Equifax Ltd used Equifax Inc for data processing services, thus the UK business had various legal duties for oversight and governance of its parent’s security, which it failed to discharge.

  • 29th July 2017 - Equifax Inc detected unauthorised access to its systems.

  • By 29th August 2017 - Equifax Inc was aware that UK data was impacted.

  • 7th September 2017 - Equifax Inc informed Equifax Ltd of the breach, approximately five minutes before it made a public announcement about it.

  • 8th September 2017 - The FCA learned of the breach through a press report.

According to other reporting, Equifax has invested over $1.5 billion in security and technology transformation since the incident.


Complexity of supply chain breaches


Where an organisation outsources data processing services to a third-party supplier, there are a variety of ways by which it will acquire legal duties for supervision and governance over the supplier. The FCA points to Principle 3 of its Handbook and rule 8.1.6 of its rules on systems and controls for outsourcing (SYSC), which are made under the Financial Services and Markets Act 2000. For data protection purposes, Article 28 of the GDPR achieves similar results (note that in September 2018, Equifax Ltd was fined £500,000 by the Information Commissioner’s Office for this incident, which was the maximum penalty under the Data Protection Act 1998, which pre-dated the GDPR). The duties will generally consist of the performance of pre-contractual due diligence, the contracting process itself and post-contractual diligence, such as the principal reviewing the supplier’s security controls and the supplier assisting the principal in the discharge of its duties through timely reporting of incidents.


This all makes sense on paper, but it’s often easier said than done. Indeed, one might think that if these outcomes cannot be achieved in a company group situation like Equifax’s, then what hope does everyone else have where we don’t have the binding values of the same legal structure and brand?


Supervision and governance in the supply chain


Unfortunately, problems with supervision and governance are endemic in the supply chain. Contributing factors include:


  • The principal engages a supplier without really thinking about the need for supervision and governance. This can occur when the supplier is engaged without appropriate consultation with operational and legal security experts.

  • The principal acts irrationally, in the sense that it makes an assumption that the supplier will guarantee security, meaning that the supervision and governance doesn’t penetrate further than the contractual paperwork. This is a common problem with Cloud engagements, due to the mental conditioning over the past 15 plus years that “Cloud is best”. See my blog on Cloud risks for more thoughts.

  • The power imbalance in the relationship is such that the principal isn’t able to apply appropriate supervision and governance. In this situation, the supplier has the upper hand and the engagement is conducted on its terms and conditions, on a take-it-or-leave-it basis. Of course, there is a spectrum of power relationships, from small businesses that have virtually none, to principals with significant buying power who are able to meaningfully negotiate the terms.

  • An appropriate methodology and tools for performance of supervision and governance aren't established or adequately operationalised.


Incident response


If you’ve had the misfortune of being in a supply chain breach, it’s likely that you will have experienced problems in your supplier's handling of the incident. Again, the late notification of incidents by suppliers is endemic. Other problems encountered by principals include getting access to useful information - sometimes, it’s like trying to get blood out of a stone - and sometimes the supplier engages with regulators prior to letting the principal know. Contributing factors include:


  • Where an incident has international impacts, the response is often dictated by the geographical location of the largest part of the blast zone, with other locations taking second order priority. The likelihood of this happening may increase where the end user impacts in one country are very highly concentrated in comparison to the others.

  • The process of forensic and data analysis can often be highly complex, with a slowly emerging or constantly changing picture of impacts. Thus, the supplier might not be in a position to judge whether a particular principal has been affected in the timeframes that the principal and its governing laws might prefer.

  • The supplier might be aware of risk information that requires a circumspect response, with the result that the principal is kept in the dark. The most obvious reasons for this are the needs of an effective operational response and the needs of law enforcement.

  • An emotion-free risk call has been made, possibly one in which the supplier prefers its own interests over anyone else’s.


I do not suggest that these factors were operative in the Equifax case, but as points of reference, it is interesting to note that the number of US people impacted was approximately 147.9 million, compared to 13.8 million in the UK and 19,000 in Canada, whereas the regulatory financial settlement was about $700 million in the US compared to under £12 million in the UK when the FCA and ICO fines are combined.


Is it wrong to look at things in this way? Well, you can make your legal argument on this, but there is also a need for pragmatism in an incident response situation, or, perhaps more accurately, prioritisation of responses.


Loss of the narrative


I help businesses to develop their strategies for incident response and I have various techniques to help progress the thinking. One of them is the question “what do you want to be famous for?”, because in cybersecurity breach cases it is not inevitable that the incident will become notorious, by which I mean one where fines are imposed, or accepted, for serious legal contraventions. However, the odds of that happening will increase without a crystal-clear idea of where you are heading and why.


A key weight on the swinging pendulum between being a negative case study and an escape from the worst consequences that the law can impose is the nature of the narrative. At all times you have to be on the front foot. The FCA’s penalty makes clear the regulator’s displeasure in learning of the breach in the press. You have to avoid this at all costs. It’s simply not “a good look” to present to a regulator in that way.


Where the narrative is lost, it is gone for good and you’re not going to get it back, but it’s certainly not inevitable that you will end up there. If you want to find a case study for a great incident response where the narrative is entirely different, it's worth having a look at how well Maersk came out of the NotPetya attacks. It doesn't have to end badly.


Credit where credit’s due


Personally, I do not like to end on a negative, so I want to emphasise two points of substance:


First, Equifax cooperated with the FCA and the fine was discounted on this basis. My take is that it did all that it could in the UK to remedy the awful impression made at the beginning. This is a good thing to remember.


Second, the financial investment that Equifax has reportedly made in security and technology is very impressive on anyone's measure. Expressing this in operational security terms, best practice for security incident management and response requires the lessons of failure to be understood and addressed. The uplift in security at Equifax must be massive and that is something that it can be rightly proud of, as it aligns to best practice.


