Ahead of Equifax Inc.’s announcement that it suffered “a cybersecurity incident potentially impacting approximately 143 million U.S. consumers,” as a Sept. 7 press release from the consumer credit reporting firm stated, it was well aware of the risks of a hack, and of the danger that it may not have had “adequate” insurance to cover associated losses.

In spite of efforts to stave off the risk of a breach, “our information technology networks and infrastructure or those of our third-party vendors and other service providers could be vulnerable to damage, disruptions, shutdowns, or breaches of confidential information due to criminal conduct, denial of service or other advanced persistent attacks by hackers,” the company stated in the “risk factors” section of its most recent annual filing with the Securities and Exchange Commission, dated Feb. 22. “Unauthorized access to data files or our information technology systems and applications could result in inappropriate use, change or disclosure of sensitive and/or personal data of our customers, employees, consumers and suppliers.”

STRUCTURE SECURITY -- USE THIS ONE Newsweek is hosting a Structure Security Event in San Francisco, Sept. 26-27. Photo: Newsweek Media Group

The company also expressed concerns that its “property and business interruption insurance may not be adequate to compensate us for all losses or failures that may occur” in the event that “such access, disclosure or other loss of information could subject us to litigation, regulatory fines, penalties or reputational damage, any of which could have a material effect on our cash flows, competitive position, financial condition or results of operations.”

Equifax held an insurance policy covering between $100 million and $150 million around the time of the news of the hack, but will likely have to fork over multiple times that amount in related penalties, Bloomberg reported last week, citing “people familiar with the coverage.” The firm may face fines from the federal government on multiple fronts. The Federal Trade Commission, for example, confirmed Thursday that it was conducting an investigation of the breach, and lawmakers from both parties have urged the SEC and Justice Department to look into a possible case of insider trading by Equifax’s executives, three of whom shed $1.8 million in shares in the company just days after the discovery of the hack.

In a more recent filing for the second quarter, dated July 27, the firm said its risk factors had not changed from those listed in the annual report, in which the company also had said it was “not aware of any material breach of our data, properties, networks or systems.” The Sept. 7 press release stated that Equifax became aware of the hack on July 29, two days after the company filed its quarterly report. 

An Equifax spokesperson did not immediately respond to requests to comment on the firm's risk assessments and the timeline of its awareness of the data breach.