In one of the biggest cyber breaches in history, in which highly sensitive information for a staggering 143 million consumers was exposed, Equifax has done very little to assure customers, and even less to help rectify the damage it caused. Even as the board removed CEO Richard Smith on Tuesday, the once-trusted and respected organization faces a long, uphill battle to restore its reputation.
In order for Equifax to turn things around and get back on solid footing with consumers and investors alike, the board will be forced to act in a way that governing bodies usually do not. While it is the responsibility of a board to remove a CEO in whom they have lost confidence, it is not usual for a board to dig into operational matters. Crossing the boundary between governing and management is rare and should be reserved for the direst situations. Here, the Equifax board had little choice. And much is left for them to do, chiefly:
The board must meet in person to discuss next steps in rectifying the crisis at hand
Removing Smith will not solve all of the issues, nor will it ensure better preventative measures in the future. Beyond his ouster, the board must agree to adopt a systemic view of the situation and dig deeper than they usually would. This should be a temporary posture until the ship is righted.
In considering counsel from legal, public relations, and investor relations advisors, it’s critical that their views be carefully scrutinized by the board for signs of their motive. There will no doubt be advice offered that is intended to protect the board at the expense of doing the right thing, and the board will have to be vigilant to protect against this advice and this mindset. They must recognize that advisors may have a duty to offer such advice. Lawyers must offer legal advice, and public relations people must offer advice on minimizing the fallout. Their advice may be sound given their role, but the decisions belong to the board. Protecting reputations must be secondary to protecting consumers, being transparent with investors, and being honest with employees and partners.
The board must also accept that there are chips that will fall, and some will fall on them
Management has failed spectacularly, and this issue will not go away quietly. Removing Smith tells us the board is acting, but it isn’t enough. The longer the board takes to do the right things, the more people worry—and rightfully so. A worried investor sells, and worried employees look for other jobs. It is time for courage to face this as a crisis, judgment and discernment to decide what to do, and fortitude to follow through, insisting that whatever systemic changes are needed do occur. Otherwise, this situation will be calmed but not solved. It will be treated as an aberration rather than evidence.
Recognizing that the management team at Equifax cannot be relied upon, the board must further:
1. Get the consultants who were involved earlier in the breach discovery to give them information, directly, about their assessments. Even though these assessments are no longer fresh, they will provide insights that may be helpful as the board makes additional critical decisions.
2. Insist that the senior management team be available to them for questions during the board meeting. The management should be forthcoming and focused on finding cause and remediation. And while it may be tempting to point fingers at those already departed from the organization, the problem undeniably lies much deeper than a handful of people.
3. To that point, the board must look for cause: specific, technical and—equally important—systemic and cultural. If the board’s focus here is on the immediate issue, restoring image, and the situation is seen as a public relations problem, this will not be the last disaster Equifax will face. They need to look at all aspects of the company to get to the true heart of the issue. This is particularly vital in order to select the next CEO, as the more information uncovered, the better the likelihood of the new chief executive succeeding and Equifax being restored to its previous reputation.
4. Maximize the value of the governance structure. This situation with Equifax is precisely why companies have board-level committees to oversee technology. Equifax has such a committee, and now the board must examine what management told the committee. Beyond that, they must ask tough questions: what needs to change, and who else needs to go?
This is not a typical situation, and the board needs to act in atypical ways to address it. Recovery isn’t going to be as simple as taking out one person, even the top leader. The board must act quickly and thoughtfully in the coming days and weeks as they seek to restore faith and confidence—and take on their next big task: replacing the CEO.