Good day, and welcome to the Equifax Third Quarter 2017 Earnings Call. Today's conference is being recorded. At this time, I'd like to turn the conference over to Mr. Jeff Dodge. Please go ahead.

Thanks, and good morning, everyone. Welcome to today's conference call. I am Jeff Dodge, Investor Relations. And with me today are Paulino Barros, Chief Executive Officer; John Gamble, Chief Financial Officer; and Doug Brandberg of Investor Relations. Today's call is being recorded. An archive of the recording will be available later today in the Investor Relations section in the About Equifax tab of our website at www.equifax.com. During this call, we will be making certain forward-looking statements to help you understand Equifax and its business environment. These statements involve a number of risks, uncertainties and other factors that could cause actual results to differ materially from our expectations. Certain risk factors inherent in our business are set forth in filings with the SEC, including our 2016 Form 10-K and subsequent filings. Also we will be referring to certain non-GAAP financial measures, including adjusted EPS attributable to Equifax and adjusted EBITDA margin, which will be adjusted for certain items that affect the comparability of the underlying operational performance for the third quarter of 2017. Adjusted EPS attributable to Equifax excludes acquisition-related amortization; the income tax effects of stock awards recognized upon vesting or settlement; and certain costs related to the cybersecurity incident, including cost to investigate and remediate the cybersecurity incident; legal and professional services; and the contingent liability for cost associated with providing free credit file monitoring and identity theft protection services to consumers. Adjusted EBITDA margin is defined as net income attributable to Equifax, adding back income tax expense, interest expense, net of interest income, depreciation and amortization, and also excludes certain onetime items, including the costs related to the cybersecurity incident. These non-GAAP measures are detailed in reconciliation tables, which are included with our earnings release and are also posted on our website. Now I'd like to turn it over to Paulino.

Thank you, Jeff, and good morning, everyone. I and the entire Equifax organization apologize to the individuals whose personal information was stolen as well as to our customers, partners, investors, ministers and other constituents who were disrupted by the cybersecurity incident at Equifax. Last month, when I was named Interim CEO, I told you we'd act to quickly in our efforts to support consumers in strengthening our security and IT infrastructure. I believe we have made good progress in these areas. In my remarks today, I will discuss these critical areas of focus as well as provide more detail on the near- and long-term actions we are taking. I will close with comments on where I believe we as a, company and the industry, should be heading. John will walk you through the results of the – for the third quarter, including the cost of cybersecurity incident as well as provide a view of fourth quarter 2017 expectations. In terms of the status of our investigation into the cybersecurity incident, the forensic investigation regarding the attacker activity within Equifax environment is complete. And we understand what occurred and the extent of the intrusion. The company as well as the special committee of the Board of Directors continue to investigate all aspects of the incident, and these are important inputs to us change – for the changes we are making. Being a trusted steward of the information entrusted to Equifax has long been one of the core principles. We have invested aggressively, particularly over the past 5 years in security and network resilience. Nevertheless, the security incident occurred, and with it, the need for fundamental change. Our near-term focus, as we move through the remainder of this year, is principally in several critical areas. First, improving the support we are providing…

Thank you, Paulino, and good morning, everyone. As before, I will generally be referring to the financial results from continuing operations represented on a GAAP basis. Our non-GAAP results for the quarter exclude the onetime costs related to the cybersecurity incident. We will provide details on these costs, so you can consider them in your analysis. Our earnings release this quarter was several weeks after our normal timing to allow us to more fully complete our investigation of the incident and the impact on our results. Total revenue for the quarter was $835 million, up 4% on a reported basis and up 3% on a local currency basis from Q3 2016. For the quarter, FX was a $3 million benefit. Adjusted EBITDA margin was 37.4%, up 150 basis points. Adjusted EPS was $1.53, up 6%. In the quarter, we estimate that the cybersecurity incident negatively impacted total company revenue by 1% to 2% of sales, principally in the U.S. We have not seen a material negative impact on revenues from the increase in consumers freezing or locking their credit file to date. Prior to the September 7 announcement, approximately 0.5% of Equifax credit files were locked or frozen. Since then, we have seen an increase in volume in the number of locks and freezes placed by consumers, and the total files locked or frozen currently represent about 1.5% to 2% of all Equifax credit files. Approximately 15% to 20% are locks, and the rest are state-filed freezes. In addition, the incentive compensation accrual in 3Q '17 was much lower than anticipated, benefiting earnings by over $0.07 per share. Due to the cybersecurity incident, the senior leadership team will not receive incentive compensation in 2017, and the impact on performance and the net costs related to the incident will reduce incentive…

Thanks, John. I want to reiterate our commitment to the consumer and to our customers and partners. We'll deliver on the commitments we have made to provide greater visibility and control to consumers and for Equifax to become a leader in integrated IT and security areas – data security areas. As we deliver this, I strongly believe we will be a stronger company and our culture of innovation and execution will again allow us to deliver differentiated solution to our customers that drove the Equifax business model over the past 10 years. Finally, I want to thank the incredible, resilient employees of Equifax. Their efforts to support consumers, our customers and Equifax in general are greatly appreciated by me, our leadership team and the board. And with that, operator, we'll now open it up for questions.

Thank you. [Operator Instructions] And your first question comes from Manav Patnaik with Barclays.

Thank you, good morning gentlemen. Appreciate the color you gave on 4Q '17 and so forth. My first question was just around the network security and the spend that you've accelerated. I was just hoping for 2 things. One was the – some anecdotal color on how much more you're going to spend on it, maybe some areas you're going to spend on it, just to get some more comfort around another repeat incident basically?

Yes. So in the script, we indicated that in the fourth quarter, we expected about $60 million to $75 million worth of cost just in the fourth quarter alone. And of that amount specific to the security actions that you're talking about, it's probably on the order of 1/3 of that. And then obviously, there'll also be increased spending as we move into 2018. But the immediate spending is on the order of 1/3 of that.

And I guess, just the areas, just in terms of what you learn from why this mistake happened, like is it just overall or a particular area that you'll be focusing on?

As I mentioned in my top-down review, in my speech here, we have done a comprehensive, top-down review of – with the help of PwC and we're strengthening – the approach has been to strengthen the entire operations in this aspect, right, from detection capabilities and processes, the tools, updating the tools and innovating the tools that we have to enhance our detection capabilities. And we will continue and there's more. I think that when we have an event of this nature, we need to make – we need to stop and make sure that we have – review the entire process. And we do this in 2 steps. First, we want to make sure that our current capabilities are up to speed and able to respond to these attacks; and second, to design the future stake that we're going to have in the company.

Okay. And then just one last one from me. You talked about – you talked a lot about customer deferrals into 2018. Just curious if your thoughts around what customers are telling you in terms of your confidence that they will come back in 2018 and do that business with you?

I think that mostly, we didn't lose any contracts that we have today. I have met several customers through this process. And it's definitely an issue that we have – they have visibility on the road map and our implementation and the things we want to do in the security area. We've been very actually grateful that I have been able to share with their Chief Security Officers some insights on how we should project and design our new systems. We – what we had in Q3, in the USIS mostly, was some deferral – new projects that they have with us. They want to make sure that our security systems are in line with their expectations. And we're expecting it. As we demonstrate and share our experiences with them, which is going to happen in the next couple of weeks, they'll be able to understand what we're doing and naturally just will come back into a normal cycle of business.

Bottom line is we continue to work through with the customers. We're hoping to win back their trust and then be able to regain the business that we've indicated has been deferred, and we're still working through that process.

And your next question comes from George Mihalos with Cowen.

Great. Thanks. Good morning guys. I was hoping you could talk a little bit more about the tenor of the conversations with some of your large USIS customers, if that has started to improve a little bit or maybe changed a little bit as you've gone through the quarter? And then also, when the intrusion was first announced, Equifax was adamant that over the long term, realizing that this is off the table near term, but over the long term that the growth algorithm that you had set out, the 6 to 8 on the top line and sort of the low double-digit EPS growth, that, that was still on the table. Do you feel any differently about that now, again looking out over the long term, not for '18?

Yes. So again, if – and I think Paulino addressed this in his script, right? What we indicated is that we think the basic capability of the company has in terms of focusing on diversity of assets and strength of analytics, the historic ability to deliver value to customers by delivering that analytics. And I think what we indicated is, to the extent we're able to work through this issue and regain the trust of customers and improve the strength of our security systems and our IT systems, then those fundamental capabilities still exist. And if they do, we can continue to deliver that value to customers. If we do that, that was the basis of our business model. In terms of specific numbers, no, we're not in a position to talk about specific numbers about our long-term model, and it wouldn't be appropriate at this point. Right now, the focus is on dealing with the IT and security incident and dealing with consumers as we promised that we would.

Just to add a comment on the customer side. We have a range of customers that I talked to, a number of them. Some customers have been very, very endorsing, very supportive, helping us, giving us insights in order to do a very, very level a lot of conversations out there in front of the customers. my direction has been, let's go and make sure that we are in front of the customers and get their input and feedback on how the things proceed going forward. Again, it has been in the fabric and DNA of this company, execution, and we'll continue to do so. We'll continue to expand our data asset. We'll continue to innovate and have added value to our customers. This is not going to go away, and this would be the basics of what we have in our business model.

Great. I appreciate the color. And just as a quick follow-up, if we look at the Workforce Solutions, the deferrals that you're seeing there, is – are they skewing more on the government side versus the corporate side? Or would you say that, that's been sort of broad-based?

It's probably more broad-based. If you think about the parts of that business where we do more, call it, discrete activities, it tends to be more on the Employer Services side. But I would say it's more broad-based. It certainly touches government, but also it touches commercial customers.

Thanks guys.

And your next question comes from Toni Kaplan with Morgan Stanley.

Hi, good morning. From your guidance comments, it sounds like you expect USIS to be down in fourth quarter, but really more from mortgage than from these purchasing delays that you've highlighted as a result of the breach. So I just wanted to make sure that, that's a fair characterization. And so basically, you're saying I think that you can reassure these customers to do new projects with you in the immediate future. And so I wanted to just get a sense of have there been any customers that you've been able to convince so far? And in general, just how long does a typical audit take?

Toni, to your comment, we weren't trying to indicate that it was specific to mortgage and not as much to deferrals, right? Both of those are significant impacts, resulting in the decline in USIS in the fourth quarter. So we're seeing a continuation of what we saw in the third quarter continuing into the fourth quarter in terms of customer deferrals. And then also, obviously, the double-digit decline in mortgage are the 2 largest factors resulting in the decline in USIS.

Okay. And any sense on if there have been customers that you've been able to sort of prove so far that you can satisfy their data requirements?

Indeed. We have had renewals. We have new customers, in both EWS and USIS, in that – but this is a process. This is – we'll have to regain our credibility and make sure that we will deliver on the execution plans that we have in place.

We indicated that we're seeing deferrals into 2018, because we certainly understand that this process takes time, right, and that – and we need to work through all of the questions our customers would have and be extremely transparent with them so that they can complete their reviews and move forward. So that's why we indicated you're looking at deferrals into 2018.

Correct.

Okay, I understood. And just last for me on the consumer business. Can you give us a number of how many have signed up for the free product and what your expectation would be that, that number reaches? And could you just tell us what the difference is between your paid product and the free product, so basically the ongoing business that you're generating in USIS on the B2C side?

Yes. I think in the 10-Q, we provided information in terms of the range of expenses we expected to incur. And we provided detail around the – how the estimate was generated. So that's probably the best source for that information. And on the second question, I'm not sure I understood it completely. But if you'd like to understand the differences between the paid product which exists and the free product, that information is also available on the website. To be clear, we're not currently selling the paid product on the website, right? So if we have existing customers that we're continuing to service as best we can and doing our best service for them, but we're currently not advertising, not cross-selling, and you can't purchase that product on the website.

Thank you.

And your next question comes from David Togut with Evercore ISI.

Thank you, good morning. Could you provide a little more clarity on why you think the customer deferrals will actually be closed at some point in '18 and you don't think that there are market share losses?

Well, I think that the network today is better than was in the beginning of this process, and it'll be better tomorrow as we continue to make improvements and invest, as John suggested, the amount of money, the resources that we're investing in to get it done. We believe that we're starting now. And actually, we start next week, in 10 days, sharing the issues that we have related to this process with the key customers that we have and that they will understand what happened and share the road map that we have to fix this in the short term and the long term. A significant amount of this in the short term has been addressed. And so as long as they understand – this is a technical conversation. As long as they understand the rationale we have in place, then they have no reasons why not to do so. We understand there's a reputational part of the process as well. We – this is our job to make sure that they're totally informed about our capabilities and be confident to do business again with us. Of course, it's not going to be done in few quarters, but we are confident that we have the resources in place to make sure that we will inform our customers to be – it's easy of doing business with us again in the near future.

Also, we characterized these as deferrals, because in some cases, these are solutions which we're uniquely positioned to be able to deliver. In other cases, because the conversations are ongoing and are actually – it's clear that they are being deferred, decision is being deferred based on the outcome of continuing discussions around security. But certainly, to your point, to the extent something becomes deferred over an extended period of time, it's certainly lost. It's only been 2 months since the cyber event. So the discussions are ongoing. So we were characterizing them as deferred. Obviously, if those deferrals continue, those become cancellations. Or these actions that won't occur, not cancellations. They haven't been signed, sorry.

Got it. A quick question on insurance coverage. You indicated your insurance coverage is beyond the amount of cyber spending you've had so far. Can you dimension for us what your insurance coverage might be? And what's your overall level of comfort that the majority of the cyber costs would be covered by insurance as opposed to being more Equifax ultimately?

Yes. So we're not going to specifically disclose the specific amount of the coverage. And in general, we believe that the type of cost that we've incurred related to the cyber event are indeed under the general structure of the policy, and we're currently in discussions with the insurers around completing – around moving forward with insurance claims. And we would expect to make very good progress in this quarter on that process.

Understood. A quick final question from me. You mentioned that your current leverage is only 2.32x, and yet you've halted the share repurchase. So could you flesh out why you've halted the share repurchase? Obviously, the stock is down significantly. Is it more a reflection of uncertain earnings power going forward or you just want to keep headroom for potential legal claims against Equifax?

It's more specifically around the fact that given the cybersecurity event that's ongoing, there's ongoing investigations with the company, as Paulino mentioned in his script, that we just don't think it's appropriate for us to be purchasing shares at this time.

Got it. Thank you very much.

And your next question comes from Brett Huff with Stephens, Inc.

Good morning and thanks for all the details. My question is a little bit of a follow-up on the security spend. And John, I think you were helpful in saying – you gave us sort of a range of $60 million to $75 million. And I think you said 1/3 of that in the 4Q was going to be for security and IT. I believe when Rick testified in front of Congress, he mentioned that over the last 3 years, you all spent maybe $250 million or so on cybersecurity and network. Is that $85 million a year the right base to think about? And then can you – if that's true, can you tell us how much more you might be spending going forward? We just get a lot of question on what's the ongoing kind of dimension of additional ongoing expense for this, if you could.

Understand it, and I think we'll be able to give you a much better view as to what the ongoing increase in spend will be when we hit our discussion at the end of the fourth quarter. My statements earlier were about 1/3 of the $60 million to $75 million on security in the fourth quarter. That is specifically incremental spend in the quarter, right? It in no way reflects the normal ongoing spend. So obviously, our spend this year is up dramatically from what it has been in the past. To turn to the dimension side of our spend, I think probably the best thing I can reference is we spend in 2017, prior to the breach occurring, so if you took a look at what our forecast was, what we were budgeting, we would have spent about 12% of IT and security combined on our security specifically. So that's probably the best metric to use.

Okay. And then you also mentioned that there may be some free monitoring or similar services for folks in the U.K. and Canada. I'm not sure if that's included in the $56 million to $110 million dimensionalized number you gave us from the – kind of taking them on the balance sheet or running that through the P&L. Is that included or is there more to come from that?

It is included in – but the U.S. is by far the substantial portion of the cost.

Great. That’s all I needed, appreciated.

And your next question comes from Andrew Steinerman with JPMorgan.

Hi, it's Andrew. I also remember that 12% comment in the hearing, the 12% of your budgeted spend of the IT budget spent on security. Paulino mentioned in the hearing this week that four times more has been spent post-breach. Just help us understand what the four times means?

Yes. so if you think about the total spend, the total amount of spent not only on security, I don't think he said immediately post-breach. But total on security as well as the other costs, for example, that I referenced we would be incurring in the fourth quarters, that's the type of substantial increase we're talking about that's ongoing in terms of investigation into the cybersecurity event as well as remediation, which is all around IT security and IT investigation in general, right? So those total expenses are the expense levels, I believe, were being referenced there.

Okay. Thank you.

And your next question comes from Kevin McVeigh with Deutsche Bank.

Great. Thank you. I just wanted to clarify one comment. Have you been able to identify in terms of contain the fraud aspect of the event at that point, or is that still in the process of being identified? I guess, the impact of the breach in terms of specific dollar amount from people's credit being impacted and things like that, or was that still ongoing?

Yes. I think all we said in the script was that in terms of identifying specific instances specifically related to the Equifax data that we haven't identified. We can't say that nothing has occurred, right? That was, I think, all we were attempting to say with that statement.

Got it. So just at this point, obviously, you haven't seen any direct impact, but that's still ongoing. Is that a fair way to think about it?

All we're indicating is we don't have any direct evidence. But obviously, we can't speak to others may have other evidence that they would consider. We were just indicating based on our checks, what we have seen.

Understood. That's helpful. And just can you quantify the amount you're insured up until, like is there a certain dollar amount that you're insured up to?

Yes. Again, we're not going to disclose the cap on our insurance.

Okay. Thank you very much.

And your next question comes from Andrew Jeffrey with SunTrust.

Hi guys. Good morning. Thanks for taking the question. Hey, John, you mentioned in USIS outside of the breach that you thought – and I think outside of mortgage, too, that you saw a little bit of weakness. Your competitors perhaps haven't been seeing that. Can you just elaborate on trends and whether some of that is vertical market-specific or perhaps clarify what you're seeing outside, to the extent that's possible, outside of any cybersecurity related deferrals?

And again, to your point, right, I have to admit, given the impact of cyber, it is a little more difficult right now to give specific industry data. But I think in the script, we referenced commercial and auto. Auto, we did see some weakness in the third quarter. If you think about where Equifax is strong, we're particularly strong in the Southeast. And some of the weather-related events, we think, impacted us in the quarter, perhaps more than others, but certainly impacted us in the quarter. Some of that will come back in the fourth quarter, but we did see some weakness in auto. Commercial, as you know, we've been transitioning and building our own commercial financial network here over the past year. And versus last year, we have seen some weaker revenue as we transition off of the prior exchange moving to our own exchange. And we've seen some weakness in revenue related to that transition. And I'd say those are 2 areas that are probably specific to Equifax.

And then to the extent there's been any sort of authentication friction, I'm thinking about the issuer customers as they work to improve authentication and to ensure authentication, are there any sort of repercussions for Equifax? Are you working with customers to deal with that? How do you think about the consumer credit ecosystem broadly and any implications for Equifax around challenges issuers may face authenticating? I'm thinking about online credit card apps, in particular, for example.

Could you ask your question one more time. I want to make sure we understood it. I'm not completely clear.

I'm just wondering to the extent an issuer is losing business – and again, I'm thinking about credit cards, because there are roadblocks or friction that's being introduced into the process of authenticating an applicant or an application. When you talk to your issuers about that, can you help them remediate? Is that one of the things you think that causes them to defer spending? In other words, any blowback on their consumer credit business, does that affect Equifax one way or another? Is it something that you can proactively address with your customers?

Well, I – we are certainly discussed with our customers probably around this event. In general, right, around authentication, that is an area we have attempted to be of service to our customers in the past. So we'll continue to have those conversations. But anything specific to this event related to that, I don't really think so. But Paulino may want to address that.

Yes, I think that in general terms, the industry is much more sophisticated to use different and diverse data assets to go through the authentication process. So the kind of information that was taken from us and the PII information has had – is not part of their multifactor authentication process that used to normally bring a customer in. So I think that the industry is way ahead on this process.

So again – yes. And if your question is, to that effect, the way a customer wants to deal with us can hard press to speak with that. But again, we're focused very much on making sure they understand everything that occurred and what we're doing to try to improve it.

Okay. I appreciate that. Thank you.

And your next question comes from Jeffrey Meuler with Baird.

Yes, thanks. I think you said that you're not seeing any meaningful B2B share shift or elevated contract cancellation rights. Can you just, first, I guess, confirm that, that's true for your most recent data into early November? And then the related question would be, I guess, just sizing up the magnitude of the lost USIS revenue: one, you didn't disclose this until September 7 and there was less than 1-month impact in the quarter. Just trying to understand, in a typical business environment, roughly how much of your revenue is what you would call discrete revenue from projects or implementation or other forms of discrete revenue?

Yes. So we disclosed Marketing Services, and as we indicated, that's where most of the discrete revenue would come from. Oftentimes, the discrete revenue can be more back-end-loaded in a quarter than the other revenue – online revenue than you would see. So that is why you may have seen a bigger impact in USIS, even though the announcement was made in September. And I'm sorry, what was the first part of your question?

Just confirming that you've not seen any meaningful B2B share shift or an elevated contract cancellation rate through the most recent data, I guess, into late October, early November?

Yes. So again, we made some – we made comments in the script around what we saw in the third quarter, and we haven't extended really beyond that. But as Paulino said, we're continuing to work very closely with customers to try to make sure that they get through their process of understanding what occurred and being able to move forward with us in the way they have in the past. So that – those processes continue, and we'll update you on how they proceed when we get out in the fourth quarter. We also did give you some view as to what we thought the impact of the event would be in the fourth quarter in terms of our revenue. So that would suggest you look there in terms of what we think the impact may be in the fourth quarter.

Okay. And then finally, on The Work Number, any meaningful loss of access to records, or do you expect a record growth to slow meaningfully?

So again, I think we made a comment in the script around working very closely with data contributors. USIS – sorry, EWS continues to work very closely with data contributors. And as we indicated, it's important to recognize that EWS systems were not impacted by this event.

Thank you.

And your next question comes from Gary Bisbee with RBC.

Hi guys, good morning. The first question, I just wanted to understand how you're thinking about what gets put in and not put in this breach a total expense line that you included. And I guess what I'm really getting at, clearly, some of the IT spend is going to be more ongoing in nature at a higher level. I also think one might argue, any spend on developing the new lifetime free lock and unlock capabilities that you're going to be introducing next year, those aren't – hard to argue those are onetime in nature. And so then I think many investors would argue those should not be added back to adjusted earnings. I appreciate trying to help us understand the magnitude of spend, but how are you going to think about that and handle that disclosure as we move forward throughout this process?

Yes. So we broke it out specifically here, because in the fourth quarter, the vast majority of that $60 million to $75 million is really with third parties and consultants as the investigative and planning process is ramped and accelerated in this process. But going forward, as has been our practice, our ongoing spend in IT and security will absolutely be included in our non-GAAP results as well the cost of delivering any free product or any future developments of that free product, right? So we will actively have in the past, which is to make sure that all of those costs are included in our non-GAAP results. So you may see a little bit of lead into the first quarter of some of the extremely elevated spending that you're seeing in the fourth quarter. But on an ongoing basis, we'll act as we have always, which is to include anything which is part of our ongoing business in our non-GAAP results. Does that help?

Yes, definitely. I appreciate that. And then the follow-up, just in any given year, how much of revenue growth or how much contribution to revenue does new business, bookings, how much has that been? And I guess, what I'm wondering is the 3% to 4% revenue hit that you're guiding to for talking about for Q4, I mean, is that a run rate number if we were to make the dramatic assumption that you have no ability to win new business for several more quarters? Or is 3% to 4% – could that ramp to a larger revenue hit if the deferrals extend more deeply into 2018?

I think the only thing we've historically disclosed around drivers of revenue growth specifically, I think that are consistent with your question, is around NPI. And we've indicated that our new product innovation process delivers on the order of 300 basis points of growth a year, plus or minus a little bit depending on the year. And so that's probably the only number we've disclosed historically. We've never disclosed percentage of contracts renewed or new in a year. That's not something we've ever disclosed, but we have talked about NPI.

Okay. And then just one last quick one. Can you give a sense of how much distraction within the organization, outside of the senior executive leadership where we know it's been extraordinary, has – do you think this is have a meaningful impact several layers down, or have you been able to work hard to keep people generally pushing in the right direction despite all of the headlines?

Thank you for the question. This was exactly why we created the Chief Transformation Officer, to make sure that we focus our business people into the business side. And we have someone responsible for the short-term and the long-term initiatives that will be generated by this transformation that we have. And also, given our execution and process streamlining capabilities, we're focusing all this – most of it – most of these resources within the transformation area, so the business can continue to run and be aggressive and what they have to do, why we do a transformation and execution plans under a separate organization. Of course, in general, everybody got impacted, because this is very disappointing to us as well. So the – but the commitment and resilience of our employees has been outstanding in how we want to focus on getting back on the boat and row – continue to rowing again.

And the focus on security is ongoing, right? We should all understand that, that focus on security is through the entire company. Every person, I speak about my organization as well, right, is ongoing and continuous. So I wouldn't call that distraction. I would call that focus.

We'll be part of that going forward.

Thank you.

And your next question comes from Shlomo Rosenbaum with Stifel.

Hi good morning. Thank you for taking my questions. I just want to focus a little bit on the direct-to-consumer business. And Paulino made a comment about ensuring that consumers have access to their credit for life. And I want to understand, is that going to be lock, unlock product? Are you envisioning something more than that in terms of what the others – the credit monitoring that you're providing that there's going to be some kind of version of that, that would just be out there for consumers in the marketplace? I just want to understand what you're thinking about there.

This is exactly what you've understood. The focus is on lock, unlock capability that consumers will have when we launch this service in the end of January.

Okay. And then when you don't market in this business, what is the typical attrition that we should think about? Because you're not going to have marketed for at least probably 6 months. And I'm not sure if you're planning to see if you're going to start up marketing right away. But as we try to gauge what the impact is to the rest of the business, can you give us just an idea of what attrition is? And frankly also, what does that mean in terms of not putting the expenses into that part of that business?

Yes. So Shlomo, I think all I can point you to is we did give some specific view on where we think GCS revenue will look like in the fourth quarter. And then we will certainly give you more color as we get into next year. It's still a bit early to know, right? it's only been a couple of months. But when we gave you our GCS revenue for the fourth quarter, that decline really is heavily related to the question that you asked, and we gave you our best view as to what we think that impact would probably be.

Okay. And then if you don't mind, as I shift over just to the cost component, it seems to me like there's product delivery cost and then there's kind of an ongoing IT cost. When you talk about the $56 million to $110 million, is that product cost in terms of requirement to buy information from other bureaus and the like, but there are other IT costs on top of that? Or is this a totally inclusive cost? Or how should I be thinking of that?

Yes. The $56 million to $110 million is almost exclusively external cost. It's really the cost of purchasing services from others that we have to deliver. The – yes – and also call center. I'm sorry, so the call center cost is in there, which is internal as well as we use some third parties for call center and then the third-party costs associated with the product that we're delivering to people for free. The internal cost is reflected in our ongoing results.

Okay. Thank you very much.

And your next question comes from Bill Warmington with Wells Fargo.

Good morning, everyone. The – so on the cybersecurity side, it seems like there are really 2 processes involved. On the – there are the internal changes that you're making to your own cybersecurity. And then externally, there's an evaluation by your clients on your cybersecurity. And so I wanted to ask, when is your cybersecurity going to be up to code or up to standard, however, you want to define that? And it sounds like based on your comment about going out within the next couple of weeks, you could be there or close or whether that's a fourth quarter phenomenon where you feel like, okay, we're up to standard.

No, I think that we have a – this is a journey here. Given the magnitude of the impact that we have, we're going to have 2 stage, of course. One is to make sure the current systems and capabilities of our security organization and systems will be in place to make sure that we're going to the next stage and then design the future stage that we want to have for the business. This is going to be an ongoing effort. There's opportunity for us to modernize and bring that new technology into place. And this is a phenomenon that the entire industry is going to have, okay? The hacking industry continues to evolve, and we need to be ahead of them, and we'll do so. This is the core of our business. We need to be ahead of that industry.

And we're investing heavily to make sure we – that our security substantially improves continuously, right? And that's really what we're talking about here. I can't make any comment about your – the specifics of your first question. But we're investing very heavily to make sure that we're seeing substantial continuous improvement not only today, not only tomorrow, but going forward into the future. So that's progressing and progressing very rapidly and as Paulino has talked about, so our conversations with customers, ensuring they understand where we stand and then what we're doing going forward.

Has there been any further progress in identifying whether the hack was done by a foreign state actor? Now Bloomberg had run a story saying that there was evidence of that, but it didn't sound like anything definitive has come out. When is there a pronouncement about that?

Yes. What we have – as I have my testimony declared, there's no – we have no evidence of any third-party, any nation involved in the process.

Got it. And then a couple of housekeeping items. What was mortgage-related revenue and the percentage of third quarter revenue?

I don't have that number at my fingertips, but we'll look it up and we'll give it when the next person asks the question.

Okay.

Thanks.

Thank you very much.

And your next question comes from George Tong with Goldman Sachs.

Hi, thanks, good morning. You're guiding to $60 million to $75 million of breach-related onetime costs in 4Q. Can you help frame how you're thinking about total costs of the breach and how much you're accruing for breach costs beyond the $56 million to $110 million that you outlined that's related to free monitoring costs?

So the accrual, this – the range of the accrual reflects our current estimate of what we think the total costs will be based on differing assumptions related to the breach. And then for the full year, if you include the $60 million to $75 million, that would give you the total amount of costs that we expect to incur in 2017.

Got it. Going back to market share shifts, can you elaborate on how much of the USIS decline was due to the data breach compared to mortgage market decline and if you anticipate customer deferral activity to worsen in 4Q compared to 3Q based on customer conversations since the third quarter?

And so in terms of this split of those 2, pardon me – so in terms of the split of those 2, we didn't indicate specifically how much was related to the cybersecurity incident and how much related to the mortgage market decline. So we didn't give those specific numbers. And then also if you could ask your question again, just to make sure I understood it.

Yes. Whether you expect deferral activity to worsen in 4Q compared to 3Q just based on the customer conversations you've had since the third quarter?

Yes, so going back to a previous question, so the mortgage market revenue – mortgage revenue was about 19% of the total revenue for the quarter. So sorry for the deferral on that. And in terms of what we're expecting for the cyber incident impact, we indicated that – what – we indicated in our script what we expected it to be in the fourth quarter. It's certainly greater than the third quarter, but I think a lot of that's simply because of the increased amount of time that will incur that impact. And so it was only announced in September in the third quarter and therefore saw a more limited impact. So I think we indicated 3% or 4%, and that's consistent with what we expect.

Okay. Thank you.

And your next question comes from Tim McHugh with William Blair.

Good morning. It's Stephen Sheldon on for Tim. Just wanted to ask about the higher non-controlling interest this quarter, I guess. What drove that? And does it imply that you're seeing stronger trends from the U.K. TDK contract?

Some of our non-U. S. businesses have partners. In some cases, in some of our businesses, we have partnerships with financial institutions in the countries in which we operate. And therefore when those businesses do better, the non-controlling interest was out. So that's basically it. So it isn't necessarily specific to the U.K. It's a general statement.

And I would now like in the call back over to Jeff Dodge for any additional or closing remarks.

Okay. I'd like to thank everybody for their time and interest. And with that, operator, we'll conclude the call. Thanks, everybody.