Capital One fined USD 80 million for failing to establish cyber risk management processes

Stanca Oproiu

On 6 August 2020, the US Office of the Comptroller of the Currency (OCC) announced that Capital One had been fined USD 80 million (EUR 67.5 million) for failing to establish effective cyber risk assessment processes from 2015, and for failing to correct these deficiencies in a timely manner. The deficiencies were made evident by a data breach in April 2019, which has been covered separately by ORX.

According to the OCC enforcement action, in or around 2015, Capital One failed to establish effective risk assessment processes before transferring its IT operations to a cloud operating environment. Capital One also failed to establish appropriate risk management for the cloud operating environment, including appropriate design and implementation of certain network security controls, adequate data loss prevention controls, and effective dispositioning of alerts.

Furthermore, an internal audit conducted by Capital One failed to identify and report numerous control weaknesses and gaps in the cloud operating environment. The company’s board also did not take effective action to hold management accountable, particularly in addressing concerns regarding certain internal control gaps and weaknesses. This conduct was noncompliant with interagency regulations jointly imposed by US government bodies.

According to a US Federal Reserve cease and desist order, on 19 July 2019, Capital One determined that in March 2019 an external agent had gained unauthorized access and obtained certain types of personal information about Capital One credit card customers and individuals who had applied for credit card products. The breach affected approximately 100 million individuals in the United States and approximately 6 million individuals in Canada. Since then, dozens of lawsuits have been filed against Capital One, and the company has reported spending more than USD 100 million on clean-up and response efforts, Law360 reports.

As of 6 August 2020, Capital One has agreed to submit a written plan to the Federal Reserve setting out how it will strengthen the oversight of its risk management program. Likewise, without admitting or denying the OCC’s findings, Capital One agreed to submit a plan to improve the risk assessment and management of its cloud operating environment, its internal controls testing processes and its internal audit processes. In addition, it agreed to pay a civil monetary penalty of USD 80,000,000 to the OCC. According to Law360, the OCC has also given Capital One enforcement credit for its customer notification and remediation efforts.

UPDATE

07 January 2022: Paragraph 1 amended. Link added to digest 8852.
