Security at Equifax

Equifax is committed to being an industry leader in security. That's why, since 2018, we have invested an additional $1.5 billion in our security and cloud technology transformation. Today, we are a new Equifax. Our culture prioritizes security, and we have overhauled our security controls, completed rigorous certifications of our program, and shared lessons learned with our customers and partners. Security is embedded into everything we do.

“We have established a culture of security focused on building trust by embedding security into our DNA.”

Jamil Farshchi, CISO

Culture

At Equifax, security is built into the DNA of our company. We continuously reinforce our culture of security by ensuring that all employees understand how they contribute to protecting data and systems and treat security as a personal priority.

Tone at the Top

The Equifax Board of Directors and senior leaders have established a strong “tone at the top” in support of security. The Equifax Board is actively engaged in oversight of our security program and includes Directors with relevant expertise. Additionally, security reviews are integrated in our acquisition and capital allocation processes.

Aligned Incentives

Beginning in 2018, all bonus-eligible employees have a security performance measure included in the calculation of their annual incentive compensation. This change reinforces our culture by aligning our bonus-eligible employees’ incentives with progress against our security program goals.

Shared Responsibility

Our Board of Directors, leaders, and employees receive security training at least annually. Our customized training program includes role-based training, ongoing campaigns to combat phishing, and customized feedback to aid learning. Tabletop exercises ensure that leaders and team members are ready to respond effectively in the event of a crisis.

Controls

We employ a defense-in-depth approach with multiple layers of controls designed to prevent or limit the success of an attack. Our controls work in concert – no control is viewed in isolation.

 

Built In, Not Bolted On

Security is embedded in our development cycles. Tools and processes like security advisements, automatic code scanning, and penetration testing are integrated into our development pipeline and improve the security of the data, systems, and products that our consumers and customers use.

Controlled Access

By controlling access to our data environments, we provide the right access to the right people at the right time. During our transformation, we expanded multi-factor authentication (MFA) and vaulted privileged, administrative, and service accounts, while increasing coverage of endpoint privilege management.

Protection and Detection

As we migrate to the cloud, we have strengthened our cloud protection and detection controls with an integrated Cloud Access Security Broker, Data Loss Prevention, and Single Sign On. In addition, we have deployed a layer of assurance across our cloud platforms that monitors the implementation and effectiveness of our cloud controls.

Compliance

We strive to exceed the expectations of the people, businesses, and government agencies that count on us. Addressing compliance standards and taking a thoughtful approach to managing risk improves our security program and is critical for growing our relationships.

Based on a Strong Foundation

Our security and privacy controls are aligned with frameworks developed by the National Institute of Standards and Technology (NIST). We have adopted the Cybersecurity Framework (NIST CSF) which integrates industry standards and best practices for cybersecurity, and in 2020, we became an early adopter of the Privacy Framework (NIST PF).

Focused on Risk

Our approach to managing risk is visible, thoughtful, and prioritized. Prioritizing based on risk – instead of taking a “one size fits all” approach – means that we focus our attention and our resources on the highest risks in our organization and apply fit-for-purpose controls to defend against those risks.

Independently Validated

Third-party certifications provide independent validation of our security program and our adherence to industry and compliance standards. We have obtained key security re-certifications since 2017, and we continually evaluate additional opportunities to build confidence in our security program.

Customers

Maintaining the trust of our customers is essential. We demonstrate our commitment to being a leader in security by partnering with customers and industry organizations to share what we have learned for the collective good.

Sharing What We've Learned

As our CEO says, “When it comes to security, there are no trade secrets.” We have hosted briefings and participated in industry events to share lessons learned so that our successes and failures can help others improve, and we continue to seek opportunities to share what we’ve learned.

Collaborating Across Industries

In 2019, Equifax and the World Economic Forum Centre for Cybersecurity convened 47 thought leaders from 34 organizations and 6 countries for a two-day workshop. During the event, leading academics, government officials, public sector representatives, and security professionals collaborated on the future of cyber threats and defenses.

Strength in Numbers

Part of our leadership in security is working externally to combat cybercrime. With our network of partners – including non-profits, government agencies, customers, and even competitors – we collectively share threat intelligence to make the online world safer for all.

Innovative Risk Management

Equifax was honored with the 2019 Risk Management Innovation of the Year award from Continuity Insurance and Risk (CIR) for the board governance framework we use to drive clear and objective security governance decisions.

Award-Winning Transformation

Equifax has been named a 2020 CSO50 award winner for our security transformation. CSO50 awards organizations that demonstrate outstanding thought leadership in security as judged by security executives, industry experts, and academics.