Equifax Inc (EFX) — Q3 2017 Earnings Call Transcript

Thanks, and good morning, everyone. Welcome to today's conference call. I am Jeff Dodge, Investor Relations. And with me today are Paulino Barros, Chief Executive Officer; John Gamble, Chief Financial Officer; and Doug Brandberg of Investor Relations. Today's call is being recorded. An archive of the recording will be available later today in the Investor Relations section in the About Equifax tab of our website at www.equifax.com. During this call, we will be making certain forward-looking statements to help you understand Equifax and its business environment. These statements involve a number of risks, uncertainties and other factors that could cause actual results to differ materially from our expectations. Certain risk factors inherent in our business are set forth in filings with the SEC, including our 2016 Form 10-K and subsequent filings. Also, we will be referring to certain non-GAAP financial measures, including adjusted EPS attributable to Equifax and adjusted EBITDA margin, which will be adjusted for certain items that affect the comparability of the underlying operational performance for the third quarter of 2017. Adjusted EPS attributable to Equifax excludes acquisition-related amortization; the income tax effects of stock awards recognized upon vesting or settlement; and certain costs related to the cybersecurity incident, including cost to investigate and remediate the cybersecurity incident; legal and professional services; and the contingent liability for costs associated with providing free credit file monitoring and identity theft protection services to consumers. Adjusted EBITDA margin is defined as net income attributable to Equifax, adding back income tax expense, interest expense, net of interest income, depreciation and amortization, and also excludes certain one-time items, including the costs related to the cybersecurity incident. These non-GAAP measures are detailed in reconciliation tables, which are included with our earnings release and are also posted on our website. Now I'd like to turn it over to Paulino.

Thank you, Jeff, and good morning, everyone. I and the entire Equifax organization apologize to the individuals whose personal information was stolen as well as to our customers, partners, investors, ministers, and other constituents who were disrupted by the cybersecurity incident at Equifax. Last month, when I was named Interim CEO, I told you we'd act quickly in our efforts to support consumers in strengthening our security and IT infrastructure. I believe we have made good progress in these areas. In my remarks today, I will discuss these critical areas of focus as well as provide more detail on the near- and long-term actions we are taking. I will close with comments on where I believe we as a company and the industry should be heading. John will walk you through the results for the third quarter, including the cost of the cybersecurity incident as well as provide a view of fourth quarter 2017 expectations. In terms of the status of our investigation into the cybersecurity incident, the forensic investigation regarding the attacker activity within the Equifax environment is complete. And we understand what occurred and the extent of the intrusion. The company, as well as the special committee of the Board of Directors, continue to investigate all aspects of the incident, and these are important inputs to us for the changes we are making. Being a trusted steward of the information entrusted to Equifax has long been one of the core principles. We have invested aggressively, particularly over the past five years in security and network resilience. Nevertheless, the security incident occurred, and with it, the need for fundamental change. Our near-term focus, as we move through the remainder of this year, is principally in several critical areas. First, improving the support we are providing to all consumers, particularly those impacted by the cybersecurity incident. The free TrustedID Premier service we have offered to all Americans provides a strong suite of credit monitoring and identity theft protection services. Although we certainly accept responsibility for the difficulties related to obtaining this service when it was initially launched on September 8, we believe we have made and will continue to make substantial improvements to the accessibility and performance of this service. To ensure any consumer who wants this service has the ability to enroll, we have extended the enrollment period to the end of January 2018 and also extended the period for which we will offer free credit freezes to the same date. We have made significant improvements in our application process' performance. And currently, consumers wishing to enroll can, in general, do so in a matter of minutes. In our call centers, we had over 3,000 agents, and the average wait times have dropped to less than a minute, with many being serviced without waiting. There are two instances of consumer frustration; the circumstances where wait times are too long or issues are not handled quickly or properly. We are working to resolve this as rapidly as we can. Equifax employees globally understand it's our obligation to provide the best possible service to consumers. In the U.S., we are making every effort to continue to improve the TrustedID Premier Service. We are also providing similar services to impacted U.K. and Canadian consumers. Second, ensuring we're taking significant actions to protect the consumer and commercial data that has been entrusted to us around the world. This incident requires a revisit to our entire IT and data security practice, including engaging industry experts to support the effort. After a comprehensive top-down review with Megan and PwC, we have taken immediate steps to improve our data security infrastructure. We are hardening our networks, changing our procedures to require closed-loop confirmation when software patches are applied, rolling out new vulnerability scanning tools and processes and increasing accountability mechanisms for our security and IT team members. We have also engaged PwC to assist us with our security program, including strategic remediation and transformation initiatives that will help us identify and implement solutions in the future, thereby strengthening our long-term data protection and cybersecurity posture. We're also working to bolster our security culture throughout the entire company. Data security will be a mandatory responsibility for all Equifax employees, whether or not they're members of our security or IT teams. Since taking this position, I have spoken to our employees at multiple town hall meetings about the absolute necessity of solid security practices and the critical importance of protecting consumer information. I have revised our corporate governance structure so that Equifax's Chief Security Officer reports directly to me, ensuring greater accountability of this critical function. I have created a Chief Transformation Officer position, also reporting to me, who will oversee the company's response to the cybersecurity incident and coordinate our efforts to build our new future. This will allow me to have direct insight into every aspect of our remediation and transformation efforts. Third, we're working with customers, partners, and data contributors to help them understand the incident more fully and the actions we have taken to improve our IT systems and data security. Equifax's historic success was built on the trust our customers placed in us to help them solve difficult business problems with unique data and analytical assets. This was, of course, predicated on their trust in our IT and data security capabilities. Over the past two months, we have been working closely with customers worldwide to address their questions on the security incident and our IT and data security infrastructure and capabilities. Our goal is to be as transparent as possible. We will be continuing our efforts in this area over the coming weeks. Our customers are also providing assistance by sharing their views of best practices for our integrated cybersecurity program. We're also working to monitor the use of stolen personal identifiable information being used for fraudulent transactions. To date, we do not have any evidence linking fraudulent activity to data stolen from Equifax. Our customers have been generous with their time and willing to work with us. The business units with the most direct impact from the incident were U.S. Information Solutions, the Global Consumer Solutions as well as Workforce Solutions. In USIS, as expected, we saw deferrals of customers' decisions regarding the purchase of new products or discrete products and services in the third quarter and fourth quarter to date. Within USIS, Online and Marketing Services, which delivers a large online market data project, bore the brunt of the impact. We have seen little evidence of market share shift. And to the extent it has occurred, it has been very limited. We continue to see customers engage in business discussions and have closed some important contract renewals and extensions since the incident was announced. Similar to USIS, Workforce Solutions is also seeing deferrals of customers' decisions regarding the purchase of discrete products and services, impacting its revenue from both government and commercial customers. This impact for Workforce Solutions was not meaningful in the third quarter, but is expected to impact revenue growth in the fourth quarter. GCS revenue was not meaningfully impacted in the quarter. However, the subscriber base was affected by churn and a substantial reduction in customer additions, as we effectively stopped all direct-to-consumer advertising and cross-sell activities. As we discuss our fourth quarter outlook, we expect this impact to accelerate. John will provide more details on the specific revenue impacts in the third quarter and what we expect for the fourth quarter. We also continue to work closely with our data consumers and to date, we have seen only limited impacts across the U.S. businesses. It's important to remember that none of our credit bureaus or Workforce Solution data assets were impacted by the cybersecurity incident. Fourth, responding and working with the government and other regulatory bodies as they assess the impact of the incident. We have received requests for information and subpoenas from a number of United States and Federal regulatory agencies and several regulatory agencies outside of the U.S. In each case, we are cooperating with agencies to provide the requested information. We are also working proactively to brief the appropriate parties about the progress of our investigation and consumer remediation efforts. We hope to reearn the trust of consumers and the government bodies charged with protecting those consumers. Clearly, this incident has emphasized the need for Equifax to give consumers the ability to control access to personal credit data. We plan to launch our lock-and-alert service on January 31, 2018, which we will offer to all U.S. consumers for free for life. This service will allow consumers to lock and unlock their Equifax credit file directly and quickly from their mobile device or a computer. Finally, we have committed to working with the entire industry to develop solutions to the growing cybersecurity and data protection challenges. We believe the time is right for an industry-wide solution that provides consumers with the ability to substantially improve visibility and control over personal credit data for free for life. We believe this is a turning point for everyone interested in protecting personal data. Due to the impact of the cybersecurity incident, we have decided that the Equifax senior leadership team, my direct reports and I, will receive no incentive compensation in 2017. In order to accelerate execution of all these key initiatives, I have refocused a substantial portion of the EGI and Lean teams on these key initiatives. In addition to improving execution, it will rapidly expand the understanding of the integrated security framework we are deploying across the organization. As we focus intensely on these mission-critical actions, we must ensure that we do not lose focus on executing our core strategic initiatives, including the critical processes that have driven our success over the past 10 years. John will provide you details on the performance of the business segment this quarter, but I will take you through progress on NPI and a few key new products. Prior to the cybersecurity incident, Equifax had earned a strong reputation for operational execution. This was delivered through a consistent cadence of well-planned business processes. As I have already stated, we will utilize these processes in our overall governance to ensure it is a strong enabler of the integrated IT and data security strategy being developed. It is important that we get back to executing under this operating cadence as it will ensure the execution of our IT and data security events as well as our long-term growth strategy. The growth engine will continue to be New Product Innovation. Year-to-date, NPI revenues in our Vitality Index are ahead of our targets and also ahead of 2016 levels. This year, we expect to launch over seven new products, roughly 30% more than in 2016. Although we expect the cybersecurity incident to impact the revenue of new products in USIC in the near term, we will continue to focus on maintaining a strong pace of new product launches. Also, we remain bullish on many of the critical new products we have discussed with you this year. Cambrian in our Ignite portfolio of solutions continued to be differentiators for Equifax. The diversity of our unique data with leading analytics, including artificial intelligence, provides unmatched capability in our industry. Ignite Direct allows customer data scientists to work directly with our diverse data assets, including trended data and combining their own data to define new solutions to their business problems. Ignite allows business analysis using predefined configurable to highly customized solutions that again leverage Equifax's broad and unique data assets. We are seeing numerous requests for proof-of-concepts, and early results are well ahead of targets. We continue to move ahead with developments and deployments of the Cambrian data analytics platforms and the associated portfolio of Ignite solutions powered by the platform across the U.S. and Canada, as well as Australia, New Zealand. By the end of 2018, we plan to expand into Europe, Argentina, Chile and Peru. We continue to move ahead with our InstaTouch family of mobile solutions. As a reminder, InstaTouch provides a single method to confirm the identity of the user of a mobile device, and then for that user, to use Equifax data assets to securely repopulate information to complete an application or purchase. This unique offering will be utilized globally as we continue to roll out more solutions to the InstaTouch family. These include InstaTouch ID, a customer acquisition service, which removes friction from the process of applying, ordering, or buying and helps businesses personalize their consumers' or employees' experiences. InstaTouch Pay offers a frictionless means of providing e-wallet capabilities. InstaTouch Offers leverage our secure prescreening of loan capability and deliver personalized contextual offers. We've been gaining good traction with InstaTouch. We expect InstaTouch to be a strong contributor to NPI over the next three years. An enabler of our integrated IT and data security service, as well as our NPI initiatives, is a continuing investment and deployment of our global technology platforms such as Cambrian and InterConnect. We are very excited about the long-term opportunity to leverage successes across our global footprint, including building a Workforce Solutions business in Canada and over time expanding to the U.K. and Australia. Looking at the overall market conditions. In the U.S., we expect the overall trend in GDP to remain in the low 2% range in 2017, with slight strengthening in 2018. Consumer credit continues to be relatively healthy. In terms of growth trends by segment, we continue to expect mortgage to be down double digits year-over-year in the fourth quarter of 2017, with refinancing down significantly. Mortgage and home equity delinquencies continue to decline. In auto, the market is essentially flat, with new car sales down slightly, offset by modest growth in used cars. Bank card originations have slowed this year, following double-digit growth last year. With delinquency rates for auto, there has been an uptick recently, but they remain well below levels seen during the recession. Overall lending continues to be relatively healthy with strong underwriting standards. Outside the U.S., we expect continued strengthening in the economies in Australia and our two largest markets in Latin America, Argentina and Chile. We expect a low single-digit GDP growth in the U.K. and to be fairly flat looking forward. In Canada, we expect continued GDP growth over 2%, although some slowing from the 2.5% GDP growth in 2017. I have every confidence that Equifax will execute the critical deliveries I covered today. We'll be a better company tomorrow and into the future, more focused and delivering great services to consumers with leading industry focus on security integrated into every aspect of our business. The foundation of our business will be based on our dedicated and committed people, our core capabilities, differentiated assets, and great processes that allow us to deliver great value for our customers and return to our shareholders, just as we have been doing for the past decade. With that, let me hand it over to John.

Thank you, Paulino, and good morning, everyone. As before, I will generally be referring to the financial results from continuing operations represented on a GAAP basis. Our non-GAAP results for the quarter exclude the one-time costs related to the cybersecurity incident. We will provide details on these costs so you can consider them in your analysis. Our earnings release this quarter was several weeks after our normal timing to allow us to more fully complete our investigation of the incident and the impact on our results. Total revenue for the quarter was $835 million, up 4% on a reported basis and up 3% on a local currency basis from Q3 2016. For the quarter, FX was a $3 million benefit. Adjusted EBITDA margin was 37.4%, up 150 basis points. Adjusted EPS was $1.53, up 6%. In the quarter, we estimate that the cybersecurity incident negatively impacted total company revenue by 1% to 2% of sales, principally in the U.S. We have not seen a material negative impact on revenues from the increase in consumers freezing or locking their credit files to date. Prior to the September 7 announcement, approximately 0.5% of Equifax credit files were locked or frozen. Since then, we have seen an increase in volume in the number of locks and freezes placed by consumers, and the total files locked or frozen currently represent about 1.5% to 2% of all Equifax credit files. Approximately 15% to 20% are locks, and the rest are state-filed freezes. In addition, the incentive compensation accrual in 3Q '17 was much lower than anticipated, benefiting earnings by over $0.07 per share. Due to the cybersecurity incident, the senior leadership team will not receive incentive compensation in 2017, and the impact on performance and the net costs related to the incident will reduce incentive attainment. In 3Q, we incurred a one-time charge related to the cybersecurity incident of $87.5 million. These costs were included in our non-GAAP adjustments. $27.3 million of costs were for third-party services provided principally in the investigation of the cybersecurity incident. These costs were generally for legal, cyber forensic investigations and other professional services. $60.2 million in accrued expenses relate to the free TrustedID service we have offered to all U.S. citizens. This represents the lower end of our estimated range of costs for providing this service of $60.2 million to $110 million. As you know, we offered all U.S. residents TrustedID Premier, a free service that includes unlimited Equifax credit reports, three-bureau credit file monitoring, the ability to lock your Equifax credit report, social security number monitoring, and identity theft insurance. Consumers can sign up for this free service until January 31, 2018. Equifax does have insurance to cover costs in connection with the data breach incidents with limits in excess of the current amount of the one-time cost incurred in the third quarter, subject to the terms, conditions, and exclusions of the policies. We are currently in discussions with our insurers regarding the cybersecurity incident. As a reminder, our 4Q '17 filings will be made after the completion of the sign-up period for the free TrustedID service. We should have a good estimate when we release full-year results concerning the costs to be incurred in servicing all consumers. Now let's look at the results of the business units. USIS revenue in 3Q '17 was $308 million, down 3% when compared to the third quarter of 2016. USIS saw the largest impact from the cybersecurity incident. We estimate the negative impact on USIS revenue was 3% to 4% in the quarter. Online Information Solutions revenue was $221 million, down 4% when compared to the year-ago period. This decline reflects the mortgage market decline and the impact of the cybersecurity incident deferring new business activity. Total mortgage market inquiries weakened again in the third quarter, declining by double digits versus 3Q '16, consistent with our expectations. Total mortgage-related revenue for USIS was down 3%, and total mortgage-related revenue for Equifax was down 2%. While we lapped the launch of trended data in August, which helped deliver overperformance versus the market in recent quarters, the team continued to deliver revenue performance favorable to overall mortgage market growth in Q3. Equifax outperformed the overall market, reflecting the partial period benefit from trended data as well as continued strong performance in Workforce Solutions. We expect to continue double-digit declines in mortgage market inquiries in the fourth quarter. Financial Marketing Services revenue was $48 million in 3Q '17, down 1%. Revenues in this segment tend to be project-oriented, and this was the portion of the USIS business most significantly impacted by the cybersecurity incident as transactions expected in the period were delayed into 2018. Excluding the impact of the cybersecurity incident, USIS was slightly weaker than expected, reflecting weaker-than-expected sales in the automotive segment and weakness in commercial. The adjusted EBITDA margin for USIS was 49.2%, down 140 basis points from the 50.6% in 3Q '16. The lower margins principally reflect the decline in revenue in the quarter. Workforce Solutions revenue was $186 million in the quarter, up 9% when compared to 3Q 2016. Verification Services revenue was $130 million, up 13% as we continue to increase our penetration in verticals. Employer Services revenue of $57 million was flat versus last year. Excluding Workforce Analytics, Employer Services growth was about 3%, at the low end of our long-term growth expectations, driven by growth in onboarding. Workforce Analytics, our business that helps employers stay in compliance with the Affordable Care Act, was down double digits in Q3 and was weaker than we expected. The lack of clarity around the ACA has made revenues in Workforce Analytics difficult to forecast. Given current trends, we expect WFA to be down again in 4Q '17. As Paulino indicated, Workforce Solutions in 4Q '17 has seen a revenue impact from the cybersecurity incident, specifically deferrals of customer decisions on the purchase of discrete products. Although not meaningful in 3Q, this will actually reduce revenue growth and margin expansion in 4Q. Workforce Solutions' adjusted EBITDA margin was 48.6% in 3Q '16, up 160 basis points from 47% in 3Q '16. International revenue was $240 million in 3Q '17, up 12% on a reported basis and up 10% on a local currency basis. Growth was broad-based, with strong performance across all regions. Europe's revenue was $69 million in 3Q '17, up 11% in U.S. dollars and up 10% in local currency. Europe had several nice wins in the quarter across multiple verticals, including financial, telco, and auto. Asia Pacific revenue was $81 million, up 10% in U.S. dollars and up 6% in local currency. Latin America's revenue was $55 million in 3Q '17, up 16% in U.S. dollars and up 20% in local currency. The Latin America team continues to deliver very strong, broad-based performance with double-digit local currency growth in multiple geographies, including two of our largest, Argentina and Chile. Canada's revenue was $35 million, up 11% in U.S. dollars and up 7% in local currency. The team continued to win new business, including in the auto vertical. International's adjusted EBITDA margin was 33.2% in 3Q '17, up from 28.4% a year ago. Canada continues with nice margin performance. All other regions showed nice margin expansion in the quarter. 3Q '17 EBITDA margins were very strong. 4Q '17 EBITDA margins are expected to decline from the level seen in 3Q '17. Global Consumer Solutions revenue at $101 million in 3Q '17 was flat on a reported basis and on a local currency basis. The cybersecurity incident did not have a meaningful impact on GCS in the quarter. Our consumer direct business in the U.S. saw a limited negative impact due to increased churn as subscriber additions were limited in the quarter. We stopped substantially all consumer direct advertising and sales activities after the cybersecurity incident. The consumer direct business is expected to be negatively impacted by these factors in 4Q '17. This was offset by slightly better-than-expected revenue performance with some partners and resellers. Adjusted EBITDA margin was 27.9% in 3Q '17. In the third quarter, corporate expense was $135 million. Excluding the cost associated with the cybersecurity incident, general corporate expense was about $47 million. Our GAAP effective tax rate was 26.1% in the quarter and includes a $4.8 million benefit from the income tax effect of stock awards. Excluding these items, our 3Q '17 effective tax rate would have been approximately 30.6%. As a reminder, our non-GAAP effective tax rate in 3Q '16 was 29.1% due to the benefit of multiple discrete items. Our non-GAAP effective tax rate for 4Q '17 and for the full year is expected to be about 32%. In 3Q '17, operating cash flow was $280 million and free cash flow was $222 million, up 14% and 12% for the quarter, respectively. Through September, operating cash flow was $609 million and free cash flow was $451 million, up 12% and 9%, respectively. Capital spending incurred in the quarter was $56 million. Total debt at the end of the quarter was $2.7 billion, and our leverage was 2.32 times EBITDA. On our last call, we indicated that we would begin repurchasing shares in the third quarter. We repurchased approximately $77 million in shares in 3Q '17. However, given the cybersecurity incident, we have again suspended share repurchase activities. We do not intend to repurchase shares in 4Q '17. Before I hand it back to Paulino for some closing comments, let me update you on our guidance for 4Q '17. As we look to the fourth quarter, we expect to incur significant one-time costs related to the cybersecurity incident, including legal and other professional fees related to the continuation of the investigation and reporting of the cybersecurity incident, cost of the free services being provided to consumers, and significant accelerated spend in IT and security concentrated in 4Q '17 and early 2018. We're excluding these one-time costs, a significant majority of which are third-party costs, including the accelerated spend in IT and security from our 4Q '17 non-GAAP guidance. We expect these costs to be in the range of $60 million to $75 million in 4Q '17, so you can use this number in your planning. As I referenced earlier, due to the cybersecurity event, Equifax incentive compensation accruals for 2017 reflect no payment of incentive compensation to the senior leadership team. The net cost of the incident will negatively impact incentive compensation attainment. With that understanding, here's our guidance for Q4. For 4Q '17, at current exchange rates, we expect revenue to be between $825 million and $835 million, reflecting growth of 3% to 4%, with about a 1% benefit from FX. Mortgage market headwinds impact total revenue by about 2%. Adjusted EPS is expected to be between $1.32 and $1.38 with approximately $0.01 of FX benefit. We expect the security incident to negatively impact revenue by 3% to 4%. The largest impacts will be in USIS and GCS, with EWS also impacted, but to a somewhat lesser degree. In USIS, we expect to continue to seek transaction deferrals as we continue to work with customers to complete their reviews following the incident. In GCS, we expect our consumer direct revenue to be negatively impacted by customer churn. EWS is also being impacted by customer deferrals of discrete product and service transactions from both government and commercial customers. Looking at the business units, USIS revenue will decline slightly versus 4Q '17, reflecting the mortgage market decline and the impact of the cybersecurity incident. Workforce Solutions' year-over-year growth will decline versus the level achieved in 3Q '17, principally reflecting the impact of the cybersecurity incident. GCS revenue will decline mid-single-digit percent. Reflecting the impact of the cybersecurity incident, this revenue decline will also impact GCS margins. International is expected to continue to perform well. However, revenue growth and EBITDA margins will be below the levels achieved in 3Q '17. Our guidance reflects the decline in EBITDA margins in 4Q '17 versus the prior year. GCS EBITDA margins are expected to decline versus 4Q '16, reflecting the decline in consumer direct revenue. USIS EBITDA margins will also be down somewhat versus 4Q '16 due to the impact of both the cybersecurity incident and a weak mortgage market. EWS EBITDA margins are expected to be about flat versus 4Q '17. We will provide more information on 2018, including information on the expected increase in IT and security ongoing costs, on our 4Q '17 earnings conference call. Now let me hand it back to Paulino for some final comments.

Thanks, John. I want to reiterate our commitment to the consumer and to our customers and partners. We'll deliver on the commitments we have made to provide greater visibility and control to consumers and for Equifax to become a leader in integrated IT and data security areas. As we deliver this, I strongly believe we will be a stronger company, and our culture of innovation and execution will again allow us to deliver differentiated solutions to our customers that drove the Equifax business model over the past ten years. Finally, I want to thank the incredible, resilient employees of Equifax. Their efforts to support consumers, our customers, and Equifax in general are greatly appreciated by me, our leadership team, and the board. And with that, operator, we'll now open it up for questions.

Thank you, good morning, gentlemen. I appreciate the color you gave on 4Q '17 and so forth. My first question was just around the network security and the spend that you've accelerated. I was just hoping for two things. One was some anecdotal color on how much more you're going to spend on it, maybe some areas you're going to spend on it, just to get some more comfort around another repeat incident basically?

Yes. So in the script, we indicated that in the fourth quarter, we expected about $60 million to $75 million worth of cost just in the fourth quarter alone. And of that amount specific to the security actions that you're talking about, it's probably on the order of one-third of that. And then, obviously, there'll also be increased spending as we move into 2018. But the immediate spending is on the order of one-third of that.

And I guess just the areas, just in terms of what you learned from why this mistake happened, like is it just overall or a particular area that you'll be focusing on?

As I mentioned in my top-down review, in my speech here, we have done a comprehensive, top-down review with the help of PwC, and we're strengthening – the approach has been to strengthen the entire operations in this aspect, right, from detection capabilities and processes, updating the tools, and innovating the tools that we have to enhance our detection capabilities. And we will continue, and there's more. I think that when we have an event of this nature, we need to stop and make sure that we have reviewed the entire process. We do this in two steps. First, we want to ensure that our current capabilities are up to speed and able to respond to these attacks; second, to design the future state that we're going to have in the company.

Okay. And then just one last one from me. You talked a lot about customer deferrals into 2018. Just curious if your thoughts around what customers are telling you in terms of your confidence that they will come back in 2018 and do that business with you?

I think that mostly, we didn't lose any contracts that we have today. I have met several customers through this process. It's definitely an issue that we have – they have visibility on the roadmap and our implementation and the things we want to do in the security area. We've been very grateful that I have been able to share with their Chief Security Officers some insights on how we should project and design our new systems. We had in Q3, in the USIS mostly, some deferrals on new projects that they have with us. They want to ensure that our security systems are in line with their expectations. We expect that as we demonstrate and share our experiences with them, which is going to happen in the next couple of weeks, they'll be able to understand what we're doing and that will naturally lead them to come back into a normal cycle of business.

Bottom line is we continue to work through with the customers. We're hoping to win back their trust and then be able to regain the business that we've indicated has been deferred, and we're still working through that process.

Great. Thanks. Good morning, guys. I was hoping you could talk a little bit more about the tenor of the conversations with some of your large USIS customers, if that has started to improve a little bit or maybe changed a little bit as you've gone through the quarter? And then also, when the intrusion was first announced, Equifax was adamant that over the long-term, realizing that this is off the table near term, but over the long term, that the growth algorithm that you had set out, the 6 to 8 on the top line and sort of the low double-digit EPS growth, that that was still on the table. Do you feel any differently about that now, again looking out over the long term, not for '18?

Yes. So again, if – and I think Paulino addressed this in his script, right? What we indicated is that we think the basic capability of the company has in terms of focusing on diversity of assets and strength of analytics, the historic ability to deliver value to customers by delivering that analytics. And I think what we indicated is, to the extent we're able to work through this issue and regain the trust of customers and improve the strength of our security systems and our IT systems, then those fundamental capabilities still exist. If they do, we can continue to deliver that value to customers. If we do that, that was the basis of our business model. In terms of specific numbers, no, we're not in a position to talk about specific numbers regarding our long-term model, and it wouldn't be appropriate at this point. Right now, the focus is on dealing with the IT and security incident and dealing with consumers as we promised that we would.

Just to add a comment on the customer side. We have a range of customers that I've talked to, a number of them. Some customers have been very, very endorsing, very supportive, helping us, giving us insights in order to do a very, very level of conversations out there in front of the customers. My direction has been, let's go and make sure that we are in front of the customers and get their input and feedback on how things proceed going forward. Again, it has been in the fabric and DNA of this company, execution, and we'll continue to do so. We'll continue to expand our data asset. We'll continue to innovate and add value for our customers. This is not going to go away, and this will be the basics of what we have in our business model.

Great. I appreciate the color. And just as a quick follow-up, if we look at the Workforce Solutions, the deferrals that you're seeing there, are they skewing more on the government side versus the corporate side? Or would you say that that's been sort of broad-based?

It's probably more broad-based. If you think about the parts of that business where we do more, call it, discrete activities, it tends to be more on the Employer Services side. But I would say it's more broad-based. It certainly touches government, but also it touches commercial customers.

Hi, good morning. From your guidance comments, it sounds like you expect USIS to be down in fourth quarter, but really more from mortgage than from these purchasing delays that you've highlighted as a result of the breach. So I just wanted to make sure that that's a fair characterization. And so basically, you're saying I think that you can reassure these customers to do new projects with you in the immediate future. And so I wanted to just get a sense of have there been any customers that you've been able to convince so far? And in general, just how long does a typical audit take?

Toni, to your comment, we weren't trying to indicate that it was specific to mortgage and not as much to deferrals, right? Both of those are significant impacts, resulting in the decline in USIS in the fourth quarter. So we're seeing a continuation of what we saw in the third quarter continuing into the fourth quarter in terms of customer deferrals. And then also, obviously, the double-digit decline in mortgage are the two largest factors resulting in the decline in USIS.

Okay. And any sense on if there have been customers that you've been able to sort of prove so far that you can satisfy their data requirements?

Indeed. We have had renewals. We have new customers, in both EWS and USIS, but this is a process. We'll have to regain our credibility and make sure that we will deliver on the execution plans that we have in place.

We indicated that we're seeing deferrals into 2018 because we certainly understand that this process takes time and that we need to work through all of the questions our customers would have and be extremely transparent with them so that they can complete their reviews and move forward. So that's why we indicated you're looking at deferrals into 2018.

Thank you, good morning. Could you provide a little more clarity on why you think the customer deferrals will actually be closed at some point in '18 and you don't think that there are market share losses?

Well, I think that the network today is better than it was at the beginning of this process, and it'll be better tomorrow as we continue to make improvements and invest, as John suggested, the amount of money and resources that we're investing to get it done. We believe that we're starting now. Actually, we will start next week, in 10 days, sharing the issues that we have related to this process with the key customers that we have, and that they will understand what happened and share the roadmap that we have to fix this in the short term and the long term. A significant amount of this in the short term has been addressed. As long as they understand – this is a technical conversation. As long as they understand the rationale we have in place, then they have no reasons not to do so. We understand there's a reputational part of the process as well. This is our job to make sure that they're totally informed about our capabilities and be confident to do business again with us. Of course, it's not going to be done in a few quarters, but we are confident that we have the resources in place to ensure that we will inform our customers to make it easy to do business with us again in the near future.

Also, we characterized these as deferrals because in some cases, these are solutions which we're uniquely positioned to deliver. In other cases, the conversations are ongoing, and it's clear that they are being deferred, decisions are being deferred based on the outcome of continuing discussions around security. But certainly, to your point, to the extent something becomes deferred over an extended period of time, it's certainly lost. It's only been two months since the cyber event, so the discussions are ongoing. We characterized them as deferred. Obviously, if those deferrals continue, those become cancellations. Or these actions that won't occur, not cancellations; they haven't been signed, sorry.

Good morning and thanks for all the details. My question is a little bit of a follow-up on the security spend. And John, I think you were helpful in saying – you gave us sort of a range of $60 million to $75 million. And I think you said one-third of that in the 4Q was going to be for security and IT. I believe when Rick testified in front of Congress, he mentioned that over the last three years, you all spent maybe $250 million or so on cybersecurity and network. Is that $85 million a year the right base to think about? And then can you – if that's true, can you tell us how much more you might be spending going forward? We just get a lot of questions on what's the ongoing kind of dimension of additional ongoing expense for this, if you could.

Understand it, and I think we'll be able to give you a much better view as to what the ongoing increase in spend will be when we hit our discussion at the end of the fourth quarter. My statements earlier were about one-third of the $60 million to $75 million on security in the fourth quarter. That is specifically incremental spend in the quarter, right? It in no way reflects the normal ongoing spend. Obviously, our spend this year is up dramatically from what it has been in the past. To turn to the dimension side of our spend, I think probably the best thing I can reference is we spend in 2017, prior to the breach occurring, and if you looked at what our forecast was, what we were budgeting, we would have spent about 12% of IT and security combined on our security specifically. So that's probably the best metric to use.

Okay. And then you also mentioned that there may be some free monitoring or similar services for folks in the U.K. and Canada. I'm not sure if that's included in the $56 million to $110 million dimensionalized number you gave us from the – kind of taking them on the balance sheet or running that through the P&L. Is that included or is there more to come from that?

It is included in – but the U.S. is by far the substantial portion of the cost.

Hi, it's Andrew. I also remember that 12% comment in the hearing, the 12% of your budgeted spend of the IT budget spent on security. Paulino mentioned in the hearing this week that four times more has been spent post-breach. Just help us understand what the four times means?

Yes. So if you think about the total spend, the total amount of spent not only on security, I don't think he said immediately post-breach. But total on security as well as the other costs, for example, that I referenced we would be incurring in the fourth quarters, that's the type of substantial increase we're talking about that's ongoing in terms of investigation into the cybersecurity event as well as remediation, which is all around IT security and IT investigation in general, right? So those total expenses are the expense levels, I believe, were being referenced there.

Great. Thank you. I just wanted to clarify one comment. Have you been able to identify in terms of contain the fraud aspect of the event at that point, or is that still in the process of being identified? I guess, the impact of the breach in terms of specific dollar amount from people's credit being impacted and things like that, or was that still ongoing?

Yes. I think all we said in the script was that in terms of identifying specific instances specifically related to the Equifax data that we haven't identified. We can't say that nothing has occurred, right? That was, I think, all we were attempting to say with that statement.

Got it. So just at this point, obviously, you haven't seen any direct impact, but that's still ongoing. Is that a fair way to think about it?

All we're indicating is we don't have any direct evidence. But obviously, we can't speak to others who may have other evidence that they would consider. We were just indicating based on our checks, what we have seen.

Understood. That's helpful. And just can you quantify the amount you're insured up to, like is there a certain dollar amount that you're insured up to?

Yes. Again, we're not going to disclose the cap on our insurance.

Hi guys, good morning. Thanks for taking the question. Hey, John, you mentioned in USIS outside of the breach that you thought – and I think outside of mortgage too that you saw a little bit of weakness. Your competitors perhaps haven't been seeing that. Can you just elaborate on trends and whether some of that is vertical market-specific or perhaps clarify what you're seeing outside, to the extent that's possible, outside of any cybersecurity-related deferrals?

Again, to your point, right, I have to admit, given the impact of cyber, it is a little more difficult right now to give specific industry data. But I think in the script, we referenced commercial and auto. Auto, we did see some weakness in the third quarter. If you think about where Equifax is strong, we're particularly strong in the Southeast. Some of the weather-related events, we think, impacted us in the quarter, perhaps more than others, but certainly impacted us in the quarter. Some of that will come back in the fourth quarter, but we did see some weakness in auto. Commercial, as you know, we've been transitioning and building our own commercial financial network here over the past year. We've seen some weaker revenue as we transition off of the prior exchange moving to our own exchange. We've seen some weakness in revenue related to that transition. I would say those are two areas that are probably specific to Equifax.

And then to the extent there's been any sort of authentication friction, I'm thinking about the issuer customers as they work to improve authentication and ensure authentication, are there any sorts of repercussions for Equifax? Are you working with customers to deal with that? How do you think about the consumer credit ecosystem broadly and any implications for Equifax around challenges issuers may face authenticating? I'm thinking about online credit card applications, in particular, for example.

We are certainly discussing this with our customers, probably around this event. In general, right, around authentication, that is an area we have attempted to be of service to our customers in the past. So we'll continue to have those conversations. But anything specifically to this event related to that, I don't really think so. But Paulino may want to address that.

Yes, I think that in general terms, the industry is much more sophisticated to use different and diverse data assets to go through the authentication process. The kind of information that was taken from us and the PII information has had – is not part of their multi-factor authentication process that used to normally bring a customer in. The industry is way ahead on this process.

So again, we are focused on making sure they understand everything that occurred and what we're doing to try to improve it.

Yes, thanks. I think you said that you're not seeing any meaningful B2B share shift or elevated contract cancellation rates. Can you just, first, I guess, confirm that that's true for your most recent data into early November? And then the related question would be, I guess, just sizing up the magnitude of the lost USIS revenue. One, you didn't disclose this until September 7, and there was less than one-month impact in the quarter. Just trying to understand, in a typical business environment, roughly how much of your revenue is what you would call discrete revenue from projects or implementation or other forms of discrete revenue?

Yes. So we disclosed Marketing Services, and as we indicated, that's where most of the discrete revenue would come from. Oftentimes, the discrete revenue can be more back-end-loaded in a quarter than the other revenue – online revenue than you would see. So that is why you may have seen a bigger impact in USIS, even though the announcement was made in September. And I'm sorry, what was the first part of your question?

Just confirming that you've not seen any meaningful B2B share shift or an elevated contract cancellation rate through the most recent data, I guess, into late October, early November?

Yes. So again, we made some comments in the script around what we saw in the third quarter, and we haven't extended really beyond that. But as Paulino said, we're continuing to work very closely with customers to try to make sure they get through their process of understanding what occurred and being able to move forward with us in the way they have in the past. So those processes continue, and we'll update you on how they proceed when we get out in the fourth quarter. We also did give you some view as to what we thought the impact of the event would be in the fourth quarter in terms of our revenue. So that would suggest you look there in terms of what we think the impact may be in the fourth quarter.

Okay. And then finally, on The Work Number, any meaningful loss of access to records, or do you expect a record growth to slow meaningfully?

Again, I think we made a comment in the script around working very closely with data contributors. USIS – sorry, EWS continues to work very closely with data contributors. And as we indicated, it's important to recognize that EWS systems were not impacted by this event.

Hi guys, good morning. The first question, I just wanted to understand how you're thinking about what gets put in and not put in this breach total expense line that you included. I guess what I'm really getting at, clearly, some of the IT spend is going to be more ongoing in nature at a higher level. I also think one might argue any spend on developing the new lifetime free lock and unlock capabilities that you're going to be introducing next year, those are hard to argue those are one-time in nature. So then, I think many investors would argue those should not be added back to adjusted earnings. I appreciate trying to help us understand the magnitude of spend, but how are you going to handle that disclosure as we move forward throughout this process?

Yes. So we broke it out specifically here because in the fourth quarter, the vast majority of that $60 million to $75 million is really with third parties and consultants as the investigative and planning process is ramped and accelerated in this process. But going forward, as has been our practice, our ongoing spend in IT and security will absolutely be included in our non-GAAP results as well as the cost of delivering any free product or any future developments of that free product. We will actively have in the past, which is to make sure that all of those costs are included in our non-GAAP results. You may see a little bit of lead into the first quarter of some of the extremely elevated spending that you're seeing in the fourth quarter. But on an ongoing basis, we'll act as we have always, which is to include anything that is part of our ongoing business in our non-GAAP results. Does that help?

Yes, definitely. I appreciate that. And then the follow-up, just in any given year, how much of revenue growth or how much contribution to revenue does new business, bookings, how much has that been? What I'm wondering is the 3% to 4% revenue hit that you're guiding to for Q4. I mean, is that a run rate number if we were to make the assumption that you have no ability to win new business for several more quarters? Or is 3% to 4% – could that ramp to a larger revenue hit if the deferrals extend more deeply into 2018?

I think the only thing we've historically disclosed around drivers of revenue growth specifically, I think that are consistent with your question, is around NPI. And we've indicated that our new product innovation process delivers on the order of 300 basis points of growth a year, plus or minus a little bit depending on the year. So that's probably the only number we've disclosed historically. We've never disclosed a percentage of contracts renewed or new in a year. That's not something we've ever disclosed, but we have talked about NPI.

Okay. And then just one last quick one. Can you give a sense of how much distraction within the organization, outside of the senior executive leadership where we know it's been extraordinary, has – do you think this is a meaningful impact several layers down, or have you been able to work hard to keep people generally pushing in the right direction despite all of the headlines?

Thank you for the question. This was exactly why we created the Chief Transformation Officer, to make sure that we focus our business people into the business side. We have someone responsible for the short-term and the long-term initiatives that will be generated by this transformation that we have. Given our execution and process streamlining capabilities, we're focusing most of these resources within the transformation area, so the business can continue to run and be aggressive in what they have to do, while we execute the transformation and execution plans under a separate organization. Of course, in general, everybody got impacted because this is very disappointing to us as well. But the commitment and resilience of our employees has been outstanding in how we want to refocus on getting back on the boat and continue rowing again.

And the focus on security is ongoing. We should all understand that, that focus on security is throughout the entire company. Every person, I speak about my organization as well, right, is ongoing and continuous. I wouldn't call that distraction. I would call that focus.

Hi, good morning. Thank you for taking my questions. I just want to focus a little bit on the direct-to-consumer business. Paulino made a comment about ensuring that consumers have access to their credit for life. I want to understand, is that going to be a lock, unlock product? Are you envisioning something more than that in terms of what the others – the credit monitoring that you're providing that there's going to be some kind of version of that, that would just be out there for consumers in the marketplace? I just want to understand what you're thinking about there.

This is exactly what you've understood. The focus is on lock and unlock capability that consumers will have when we launch this service in the end of January.

Okay. And then when you don't market in this business, what is the typical attrition that we should think about? Because you're not going to have marketed for at least probably six months. And I'm not sure if you're planning to see if you're going to start up marketing right away. But as we try to gauge what the impact is to the rest of the business, can you give us just an idea of what attrition is? And frankly, also, what does that mean in terms of not putting the expenses into that part of that business?

Yes. So Shlomo, I think all I can point you to is we did give some specific view on where we think GCS revenue will look like in the fourth quarter. We will certainly give you more color as we get into next year. It's still a bit early to know, right? It's only been a couple of months. But when we gave you our GCS revenue for the fourth quarter, that decline really is heavily related to the question that you asked, and we gave you our best view as to what we think that impact would probably be.

Okay. Thank you very much.

Good morning, everyone. So on the cybersecurity side, it seems like there are really two processes involved. On the – there are the internal changes that you're making to your own cybersecurity. And then externally, there's an evaluation by your clients on your cybersecurity. I wanted to ask when your cybersecurity is going to be up to code or up to standard, however, you want to define that? It sounds like based on your comment about going out within the next couple of weeks, you could be there or close, or whether that's a fourth quarter phenomenon where you feel like, okay, we're up to standard.

No, I think that we have a – this is a journey here. Given the magnitude of the impact that we have, we're going to have two stages, of course. One is to make sure the current systems and capabilities of our security organization and systems will be in place to make sure that we're going to the next stage and then design the future stage that we want to have for the business. This is going to be an ongoing effort. There's opportunity for us to modernize and bring that new technology into place. This is the core of our business. We need to be ahead of that industry.

And we're investing heavily to make sure we see substantial continuous improvement, not only today, not only tomorrow, but going forward into the future. That's progressing and progressing very rapidly, and as Paulino has talked about, so our conversations with customers ensure they understand where we stand and what we're doing going forward.

Has there been any further progress in identifying whether the hack was done by a foreign state actor? Now Bloomberg had run a story saying there was evidence of that, but it didn't sound like anything definitive has come out. When is there a pronouncement about that?

Yes, as I have my testimony declared, there's no – we have no evidence of any third-party, any nation involved in the process.

Yes, I think that covers it.

Hi, thanks. Good morning. You're guiding to $60 million to $75 million of breach-related one-time costs in 4Q. Can you help frame how you're thinking about total costs of the breach and how much you're accruing for breach costs beyond the $56 million to $110 million that you outlined that's related to free monitoring costs?

So the accrual, this – the range of the accrual reflects our current estimate of what we think the total costs will be based on differing assumptions related to the breach. For the full year, if you include the $60 million to $75 million, that would give you the total amount of costs that we expect to incur in 2017.

Got it. Going back to market share shifts, can you elaborate on how much of the USIS decline was due to the data breach compared to mortgage market decline and if you anticipate customer deferral activity to worsen in 4Q compared to 3Q based on customer conversations since the third quarter?

We didn't indicate specifically how much was related to the cybersecurity incident and how much related to the mortgage market decline. So we didn't give those specific numbers. As for what we're expecting for the cyber incident impact, we indicated that – what we indicated in our script what we expected it to be in the fourth quarter. It's certainly greater than the third quarter, but a lot of that's just because of the increased amount of time that will incur that impact. It was only announced in September in the third quarter, and therefore, it saw a more limited impact. So I think we indicated 3% or 4%, and that's consistent with what we expect.

Good morning. It's Stephen Sheldon on for Tim. Just wanted to ask about the higher non-controlling interest this quarter, I guess. What drove that? And does it imply that you're seeing stronger trends from the U.K. TDK contract?

Some of our non-U.S. businesses have partners. In some cases, we have partnerships with financial institutions in the countries in which we operate. When those businesses do better, the non-controlling interest goes out. So that's basically it. It isn't necessarily specific to the U.K. It's a general statement.

Okay. I'd like to thank everybody for their time and interest. And with that, operator, we'll conclude the call. Thanks, everybody.