Request Demo

NIST Cybersecurity Framework

The Aftermath of Equifax and The Importance of Due Care


In May, Equifax, through their own negligence, suffered a major data breach that affected 140 million people with credit data and histories in their network. A few months ago, Rick Smith, CEO, was asked to resign from the company and take his $90M severance with him.  

At the very least, in this particular instance, accountability went all the way to the top. Yet, that’s cold comfort because our identities are still at risk of being stolen, not to mention all the other burdens placed on us with this breach. If only Equifax had exercised due care for their customers, stockholders and employees by patching their servers in a timely manner. Alas, we know that is not what occurred.

What could Equifax done differently that may have thwarted the breach? Specifically, they could have applied patches for known vulnerabilities in a standard patch update process. But what about the Big Picture? Was the InfoSec team following a standard of due care that would have encompassed a consistent and repeatable patching process? Had the executive team received a recommendation from InfoSec/IT that such a standard was necessary to be able minimize risk and make their systems more resilient? Had anyone in-house made the case that adhering to a standard cybersecurity framework for minimizing risk would make the Equifax network more resilient?

Now, we can consider the aftermath of such a counterfactual analysis. Say Equifax had exercised due care and applied a patch management process that aligned with the National Institute of Standards and Technology’s Cybersecurity Framework. Would Rick Smith have been able to hold his head high and say, “Yes, we were breached, but we adhere to the NIST Cybersecurity Framework as our cybersecurity and compliance standard, so we did everything government and industry has defined as the gold standard of due care, and despite this, we were breached.”

Or maybe, by adhering to the Framework, Equifax would not have suffered the breach in the first place. In this parallel universe, Rick Smith would not have been asked to take his $90M and leave. He may have been congratulated for his winning best practices, or at the very least for a valiant effort. More to the point though, consumers wouldn’t be exposed to the risk of thieves stealing our identities and committing fraud in our names.

Unfortunately, breaches are here to stay. What isn’t clear though is whether organizations are doing everything they can to protect themselves by applying the best policies, procedures and technologies. Are they truly providing the Due Care their customers, stockholders, and employees deserve?



Learn How CyberStrong Streamlines the NIST Cybersecurity Framework Adoption


Due care refers to the effort made by an ordinarily prudent or reasonable party to avoid harm to another, taking the circumstances into account. It refers to the level of judgment, care, prudence, determination, and activity that a person would reasonably be expected to do under particular circumstances.[USLegal, Inc.]

Effective risk management gives comfort to shareholders, customers, employees and society at large that a business is being effectively managed and helps the company or organization confirm its compliance with corporate governance requirements. Risk management is relevant to all organizations large or small. [ICAEW]

You may also like

Prioritizing Cyber Risk Management ...
on July 6, 2020

The risk posed to organizations by cybersecurity threats is large and increasing. COVID-19 related adjustments at home and at work, the move to a remote workforce, and increasing ...

Alison Furneaux
Critical Capabilities of IT Risk ...
on June 22, 2020

Risk management is rapidly becoming the foundation of organizational security efforts, replacing checklist compliance as a cornerstone of a successful security program. This shift ...

What is Cyber Risk Management
on June 21, 2020

Risk management is a fundamental component of any successful organization and has been since the dawn of corporations as we know them. The primary function of risk management as a ...

Cybersecurity Risks Have Changed ...
on June 10, 2020

CyberSaint will host a cybersecurity risk management webinar, live on June 17th, 2020at 12:00pm EST and available on-demand when you register to attend with this link.  The recent ...

Alison Furneaux
What is NIST SP 800 30
on June 10, 2020

The National Institute of Standards and Technology’s Cybersecurity Framework (CSF) is known in cybersecurity as the gold standard framework for computer security guidance, it can ...

Cybersecurity Maturity Model ...
on July 1, 2020

Why DFARS / NIST SP 800-171? A few years back, the United States Department of Defense (DoD) released a new regulation, a Defense Federal Acquisition Regulation Supplement, or ...