If you’re attempting to justify security budget, this news might help…:
[…] On the surface, the Equifax downgrade may appear to be unfairly punishing a company for an event that happened nearly two years ago. However, a 2018 U.S Congressional investigation into the cyber attack found that the data breach was “entirely preventable.” In addition, Equifax appeared to be woefully unprepared for such a cyber attack. The full Congressional report cited “a lack of accountability and management structure,” “complex and outdated IT systems,” a “failure to implement responsible security measures,” and an inability to respond to affected consumers. In other words, Equifax was a disaster waiting to happen.
As might be expected the size and severity of the Equifax data breach, class action lawsuits soon followed, as did the threat of stiff regulatory penalties at the state and federal level. To this day, Equifax is still reeling from the impact of the 2017 data breach. In the first quarter of the year, the company posted a $690 million charge to cover cost related to settling ongoing class action lawsuits, investigations, and potential federal and state regulatory penalties. And that might not be the end of the damage: when Equifax’s lawyers tried to get an Atlanta judge to dismiss future class action lawsuits, the request was denied. So it’s not out of the question to expect higher cybersecurity costs in the near future.
Moreover, given the glaring weaknesses in Equifax’s cyber defenses and potential for even more data breaches, the company is being forced to spend aggressively on cyber infrastructure over the next 24 months. In 2019 and 2020, the company expects to spend nearly $400 million on cyber infrastructure upgrades, Moody’s told CNBC. That’s more than twice what the company originally projected to spend on shoring up its cyber defenses. Moreover, the company’s baseline spending on cybersecurity will ramp up to $250 million 2021 and beyond. As Moody’s noted in its commentary about the Equifax downgrade, the fallout from the data breach – measured purely in financial terms – was more than enough to “move the needle” and trigger the ratings outlook downgrade.