Equifax is committed to being an industry leader in security. That's why we’ve undergone a multi-year transformation of our cybersecurity capabilities, backed by a $1.5 billion investment in security and technology.
The New Equifax embeds security into everything we do – from our technology infrastructure, data fabric, and product development, to our merger and acquisition strategies, employee training, and to our incentive compensation plans. We have overhauled our security controls, completed rigorous certifications of our program, and shared lessons learned with our customers and partners. In multiple independent ratings, our security capabilities now exceed every major industry benchmark.
Security has become a point of strength and a competitive advantage at Equifax. To learn more about these efforts, read our Security Annual Report.
“Few companies have dedicated more time and resources into ensuring that consumer information is protected.”
Jamil Farshchi, CISO
Security is built into the DNA of our company. We continuously reinforce our security-first culture by ensuring that all employees understand their role in protecting data and systems, as well as the importance of treating security as a personal priority.
Tone at the Top
The tone for our security program comes from the top, with our Board of Directors actively engaged in the oversight of our security program and every employee and Board member receiving annual security training. The Equifax Board includes Directors with cybersecurity expertise. Additionally, robust security reviews are integrated in M&A due diligence and integration as well as our capital allocation processes.
All bonus-eligible employees have a security performance measure included in the calculation of their annual incentive compensation, underscoring the vital role that security plays in our business. Throughout the year, every employee receives a monthly security scorecard so that they can keep track of and improve their security performance.
We train 100% of our Board of Directors, leaders, and employees in security at least annually. Our training is developed to meet the specific needs of our business and includes role-based training, ongoing campaigns to combat phishing, and customized feedback to aid learning. We also conduct tabletop exercises and real-time simulations to ensure that the Board, company leaders, and employees are ready to respond effectively in the event of a crisis.
We employ a defense-in-depth approach with multiple layers of controls designed to prevent or limit the success of an attack. Our controls work in concert so no control is viewed in isolation.
Built In, Not Bolted On
Security is embedded in our development cycles. Tools and processes like security advisements, automatic code scanning, and penetration testing are integrated into our development pipeline and improve the security of the data, systems, and products that our customers and consumers use. Additionally, we have built out a library of patterns and stamps – reusable, security-approved building blocks that developers customize and deploy, ensuring standard configurations are applied to all environments and applications.
We have applied a “least privilege” approach to Identity and Access Management in which no employee has any more access than what is absolutely required for his or her job. We have multi-factor authentication (MFA) for 100% of our remote network access, including our privileged assets that hold our most sensitive information. We also implemented an access management tool that provides security professionals with a one-time, real-time password to access certain programs. By controlling access to our data environments, we provide the right access to the right people at the right time.
Detection and Response
The migration of our data and assets to the cloud gives us stronger visibility, in real time, into the data that is coming in and out of our environment. We have enhanced our top-tier cloud security to include automated validation and monitoring. In addition, our team instituted a behavior analytics platform powered by artificial intelligence designed to detect insider threats.
We strive to exceed the expectations of the people, businesses, and government agencies that count on us. We have fielded thousands of customer assessments, regained all of our PCI/ISO/SOC 1&2 and FISMA certifications, and successfully managed and matured our compliance governance processes.
Built on a Strong Foundation
Our security and privacy controls are aligned with frameworks developed by the National Institute of Standards and Technology (NIST). We have adopted the Cybersecurity Framework (NIST CSF) which integrates industry standards and best practices for cybersecurity, and in 2020, we became an early adopter of the Privacy Framework (NIST PF). Five core capabilities – cybersecurity, privacy, fraud prevention, crisis management, and physical security – are now represented in our company’s unified controls framework and comprehensive security program.
Focused on Risk
Our approach to managing cyber risk is visible, thoughtful, and prioritized. Prioritizing based on risk (instead of taking a “one size fits all” approach) means that we focus our attention and our resources on the highest risks in our organization and apply fit-for-purpose controls to defend against those risks. This approach is integral to our overall Enterprise Risk Management program and aligned with the other types of risk we face.
We utilize leading third parties to assess how well our organization can adapt to cyber threats and manage risk over time (Security Maturity), as well as our readiness and ability to identify, respond to, and recover from security threats and risks (Security Posture).
Maintaining the trust of our customers is essential. That's why we're leveraging our security investments and expertise to help our customers and consumers become more cyber resilient.
Sharing Lessons Learned
Following the cyber attack on our company in 2017, we made a commitment to helping others avoid the same fate. That’s why we actively participate in global forums to promote stronger cybersecurity for business, government, and society; partner with law enforcement to combat fraud and identity theft and to identify criminal activity; and collaborate with organizations to advance new ideas and solutions in cybersecurity.
Becoming Cyber Resilient
A vital part of our security transformation is leveraging our investments and expertise to help our customers become more cyber resilient. Of note, we developed CloudControl, a platform that strengthens our customers’ digital supply chains and gives customers real-time visibility into the security of their Equifax cloud products. We are also combining advanced analytics and intelligent data orchestration to help businesses verify the identity of consumers and prevent fraud with pinpoint accuracy.
Transparency is our standard. We’ve chosen this approach because security shouldn’t be a trade secret. Our company’s security and privacy leaders have hosted several Customer Security Summits in the U.S., Canada, U.K., and Australia in order to have direct conversations about the evolution of our security program and important topics in cybersecurity such as access management, incident response, cloud security, data protection, and privacy.