Equifax Data Breach Consent Order Emphasizes Board Oversight

By Randi Morrison posted 07-10-2018 07:36 AM

The corrective actions required by the newly-signed Multi-State Regulatory Agencies (including NYDFS) Consent Order with Equifax in response to its 2017 data breach encompass a laundry list of Board-level and/or Board Technology Committee (TC) oversight responsibilities across the areas of IS, Audit, Vendor Management, Patch Management, IT Operations, and Validation, as well as enhanced oversight generally that includes:

  • Annual approval of a consolidated written IS Program and IS Policy
  • Review of an annual report from management on the adequacy of the Company's IS Program
  • Review & approval of a series of enumerated IT and IS policies to ensure they are current and applicable
  • Review of the Security Incident Handling Procedure Guide to ensure current incident-related procedures and clearly-delineated roles and relationships of groups involved in incident response

Notably, the Order also requires more detailed TC and board minutes or associated board meeting packages that document relevant corrective actions (e.g., approval of a formal, written IS risk assessment), and board policies/committee charters that memorialize the board's/committee's new review mandates. The Order further imposes extremely short time frames for corrective actions in addition to ongoing annual review/approval obligations, and requires the Board to provide quarterly written progress reports to the Multi-State Regulatory Agencies as part of its board minutes beginning July 31st.

See also this memo from Davis Polk; these articles from CNBC and the WSJ; and additional information and resources here. We first reported on this Consent Order, along with other cybersecurity developments, in last week's Society Alert.
