Business Day
Consumers, but Not
Executives, May Pay for Equifax Failings
Fair Game
By
GRETCHEN
MORGENSON
SEPT.
13, 2017
|
A security guard outside the
Equifax office in Atlanta.
Kevin D. Liles for The New York Times |
The
stunning data breach recently disclosed by
Equifax, one of the nation’s top
three credit reporting agencies, has imperiled millions of consumers,
opening them up to identity theft, monetary losses and colossal
headaches.
Equifax
investors are also shouldering the burden associated with the
company’s apparently lax security practices. Since disclosing the
breach, Equifax’s stock has fallen more than 30 percent, losing its
shareholders $5.3 billion in market capitalization.
It remains
unclear, though, whether the company’s executives will take a financial hit for
the failures that allowed thieves to steal
Social Security numbers, driver’s license numbers and
other sensitive data. Indeed, Equifax’s top managers may not feel any
financial ill effects, given the company’s past compensation practices.
| |
Fair Game
A
column from Gretchen Morgenson examining the world of finance
and its impact on investors, workers and families
See More »
|
| |
|
Over the last three years, when Equifax determined its top executives’
incentive compensation, it has used a performance measure that
excluded the costs of legal settlements made by the company. If it
follows this practice after dealing with the costs of settling legal
claims arising from the security breach, Equifax’s top managers will
essentially escape financial accountability for the blunder.
This troubles
Charles M. Elson, a professor of finance at
the University of Delaware and the director of its John L. Weinberg Center for
Corporate Governance. “To the investors in the company, the legal settlement
does impact earnings and stock price,” Mr. Elson said in an interview. “If the
shareholders suffer because of this breach, why should management be excluded?
These folks take home all of the upside and want none of the down.”
I asked Equifax
whether its board would stop excluding legal settlement costs from executive
compensation calculations so that management would be required to absorb some of
the pain.
An Equifax
spokeswoman supplied this statement: “The board is actively engaged in a
comprehensive review of every aspect of this cybersecurity incident.”
Equifax is not
alone in excluding certain costs of doing business from the financial factors it
uses to determine executive pay. Such practices have become prevalent among
large United States companies.
Equifax uses two
main performance measures to decide incentive pay. One, called corporate
adjusted earnings per share from continuing operations, is not calculated using
generally accepted accounting principles, or GAAP. It is figured by excluding
certain costs — such as those related to acquisitions — that normally flow
through a company’s profit-and-loss statement. This has the effect of making
Equifax’s earnings per share look better in this measure than they actually do
under accounting rules.
Equifax says in
regulatory filings that it uses the adjusted earnings figure because it best
represents the company’s profit growth. Top managers at the company get a larger
or smaller annual incentive award based on increases in this measure over the
course of a year.
Acquisition
expenses make up the bulk of the costs Equifax has excluded from its profit
calculation in recent years. But Equifax has also excluded costs associated with
impaired investments and legal settlements from the figure.
In regulatory
filings, Equifax said its exclusion of legal charges from certain financial
results “provides meaningful supplemental information regarding our financial
results” and is consistent with the way management reviews and assesses the
company’s historical performance.
This approach is
not unusual. Roughly one-fifth of the companies in the Standard & Poor’s
500-stock index excluded legal settlements and fees in their non-GAAP earnings
measures in 2016, according to Jack Ciesielski, publisher of The
Analyst’s Accounting Observer and a close
follower of companies’ financial reporting.
When settlements
are small, of course, excluding the legal costs associated with them is a
nonevent. And in recent years that has been the case at Equifax, with
settlements equaling around 1 percent of net income.
In the fourth
quarter of 2016, for example, Equifax recorded a $6.5 million charge for a
settlement with the Consumer Financial
Protection Bureau. Under that settlement, which involved deceptive marketing of
credit scores to consumers according to the bureau, Equifax paid $3.8 million in
restitution to customers, a fine of $2.5 million and $200,000 in legal costs.
But the scope of
Equifax’s recent security breach is so far-reaching that legal settlements
arising from it will most likely be enormous. And this brings up another
question: whether Equifax executives should return past pay because of the
security failure. Certainly, last year’s proxy filings indicate that the pay
received by the company’s top three executives was based in part on their
accomplishments in keeping consumers’ data secure.
Consider Richard
F. Smith, the chief executive and chairman of the Equifax board, who received
$15 million in total compensation in 2016, up from $13 million in 2015. One
rationale for his pay package, the proxy said, was Mr. Smith’s “distinguished”
work in meeting his individual management objectives for 2016. Among those
objectives was “employing advanced analytics and technology to help drive client
growth, security, efficiency and profitability.”
Or take John
Gamble, Equifax’s chief financial officer. He also received a rating of
“distinguished” on his individual objectives, the proxy said, because he
continued “to advance and execute global enterprise risk management processes,
including directing increased investment in data security, disaster recovery and
regulatory compliance capabilities.” Mr. Gamble received $3.1 million in 2016.
John J. Kelley
III, the company’s chief legal officer, also achieved a “distinguished” rating
from the Equifax board last year. One reason: He continued “to refine and build
out the company’s global security organization.” Mr. Kelley received $2.8
million in compensation last year.
Will these
executives be asked to return any of this pay given that their ratings on
security are now looking a little less distinguished?
Equifax declined
to answer this question.
What the Equifax
mess seems to show, yet again, is the heads-I-win, tails-you-lose deal between
executives and shareholders that is so prevalent at major corporations today.
As for Equifax’s exclusion of litigation costs in its profit measure, Mr.
Ciesielski, the accounting expert, said that should only be allowed for events
that are outside of management’s control. “A hurricane, an earthquake, falling
space debris — all those things are exogenous, outside of management’s control
and ultimately more forgivable,” Mr. Ciesielski said. “Bad management leading to
customer harm is exogenous and forgivable? That’s a lot harder to accept.”
A version of this article appears in print on September 17, 2017, on
Page BU1 of the New York edition with the headline: Who’ll Pay For the
Mess At Equifax?.
© 2017 The
New York Times Company
