(New York, NY – Insurance News 360) – Equifax has signed consent orders with eight state banking commissioners which require the company to conduct a risk assessment and implement board oversight of its information security program, audit, and other functions.
Financial Services Superintendent Maria T. Vullo announced on June 27 that Equifax Inc. will take corrective actions after the company’s massive 2017 data breach, under a consent order with the New York State Department of Financial Services (DFS) and the commissioners of seven other state banking regulators.
The order requires Equifax to take corrective actions such as developing a proper risk assessment program and improving the Board’s oversight of information security, audit, patch management, information technology operations, vendor management, and other functions. The company must submit a list of its remediation efforts, whether in planning, in process or implemented; it must explain its prioritization and provide regular written reports showing progress of compliance with the provisions of the consent order.
“DFS continues to take aggressive action in holding Equifax Inc. accountable for the massive data breach that exposed the sensitive and private information of millions of Americans,” said Financial Services Superintendent Vullo. “The consent order announced today between Equifax and the commissioners of eight state banking departments demonstrates the necessity of continued state oversight of financial services companies, through measures such as examinations and actions such as DFS’s recently finalized credit reporting agency registration regulation. In an era of weakened federal government oversight, strong state regulation is essential in order to safeguard our markets, ensure strong consumer protections and hold regulated entities accountable for their actions. New York will continue to lead in supporting a robust state financial services regulatory regime. New York will also continue in its efforts to obtain relief for consumers who were harmed by the Equifax breach.”
In addition to DFS, the multi-state team of regulators comprised the Alabama State Banking Department, the California Department of Business Oversight, the Georgia Department of Banking and Finance, the Maine Bureau of Consumer Credit Protection, the Massachusetts Division of Banks, the North Carolina Office of Commissioner of Banks, and the Texas Department of Banking.
These corrective actions are included in the order:
Information Technology: The Equifax board must review and approve a written risk assessment that identifies foreseeable threats and vulnerabilities to the confidentiality of personally identifiable information; the likelihood of threats; the potential damage to the company’s business operations; and the safeguards and mitigating controls that address each threat and vulnerability.
Audit: The Equifax board or Audit Committee must improve the oversight of the audit function. Accordingly, the Audit Committee must oversee the establishment of a formal and documented internal audit program that is capable of effectively evaluating IT controls and that complies with the internal audit charter.
Board and Management Oversight: The company shall improve the oversight of the Information Security Program. Accordingly, the board or, if appropriately authorized, the Technology Committee of the board shall:
Approve a consolidated written Information Security Program and Information Security Policy, and re-approve them annually thereafter;
Review an annual report from management on the adequacy of the company’s Information Security Program;
Enhance the level of detail within the Technology Committee and board minutes, or the respective meeting package, by documenting relevant internal management reports (i.e. approval of a formal, written information security risk assessment);
Review and approve IT and information security policies and ensure they are up-to-date and applicable;
Ensure that the company’s Security Incident Handling Procedure Guide includes up-to-date incident-related procedures and clarifies the roles and relationships of the groups involved in the incident response.
Vendor Management: The company must improve oversight and documentation of critical vendors and ensure that sufficient controls are developed to safeguard information.
Patch Management: The company must improve standards and controls for supporting the patch management function. An effective patch management program must be implemented to reduce the number of unpatched systems and instances of extended patching time frames.
Information Technology Operations: The company must enhance oversight of IT operations as it relates to the disaster recovery and business continuity functions.
A copy of the consent order can be found here.
Source: New York Department of Financial Services.