August 12, 2020
Mandy L. Stanton
Information Security & Privacy
In March 2019, Capital One experienced a significant hacking incident in which a former software engineer at Amazon Web Services (AWS), Capital One’s cloud hosting provider, exploited a misconfigured open-source web application firewall that Capital One used as part of its operations hosted in the cloud with AWS. The incident resulted in unauthorized access to approximately 100 million credit card applications. Around July 17, 2019, Capital One was alerted to the situation after the hacker bragged about taking the company’s data in online discussion groups. Capital One investigated and corrected the vulnerability promptly. However, despite receiving credit for its customer notification and remediation efforts, the Office of the Comptroller of the Currency (OCC) issued a Consent Order against Capital One Bank, including a civil money penalty of $80,000,000, on August 5, 2020.
If Capital One was responsible and conscientious in its remediation efforts, then what is this hefty fine based on, and, more importantly, what can we learn from this incident?
Understand and Manage Risks
Identifying operational risk and mitigating the loss resulting from inadequate or failed processes, people or systems is not a new concept in the financial sector. Financial institutions are expected to maintain a documented inventory of their assets and documented processes to identify threats and vulnerabilities continuously. In Capital One’s circumstances, the OCC linked the data breach to problems with Capital One’s cloud migration plan. Back in 2015, Capital One failed to establish effective risk assessment processes prior to migrating its information technology operations to the cloud operating environment. It also failed to establish appropriate risk management for the cloud operating environment, including appropriate design and implementation of certain network security controls, adequate data loss prevention controls and effective dispositioning of alerts. It is an apt reminder that processes and procedures should not only focus on the reactive, but also be proactive in mitigating risk before an incident occurs.
Be Diligent in Following Up on Audits
In the financial sector, audits are expected to review every aspect of the information security program, the environment in which the program runs and the outputs of the program. These audits should report on information security activity and control deficiencies to decision makers, identify root causes and recommend corrective action for deficiencies. Audits should track the results and the remediation of the control deficiencies they report, along with any additional technical reviews. Capital One’s internal audit failed to identify numerous control weaknesses and gaps in the cloud operating environment. Internal audit also did not effectively report on and highlight identified weaknesses and gaps to the institution’s audit committee. Often plans and processes are legal obligations, but the effectiveness of these plans hinges on diligent execution. It is important to view these processes as ‘living’ documents and to remain vigilant in performing each step in a timely fashion.
Prioritize Management Accountability
Institutions with a stronger security culture generally integrate information security into new initiatives from the outset and throughout the lifecycle of services and applications. The board, or a designated board committee, should be responsible for overseeing the development, implementation, and maintenance of the institution's information security program and for holding senior management accountable for its actions. The board should reasonably understand the business case for information security and the business implications of information security risks; provide management with direction; approve information security plans, policies, and programs; review assessments of the information security program's effectiveness; and, when appropriate, discuss management's recommendations for corrective action. For certain concerns raised by Capital One’s internal audit, Capital One’s Board failed to take effective actions to hold management accountable, particularly in addressing concerns regarding certain internal control gaps and weaknesses. An effective security-driven culture should be prioritized from the top down to demonstrate the importance of the issue. All financial institutions have a responsibility to safeguard employee, customer and applicant records, and this responsibility starts in the board room.
Regardless of how developed an organization’s program is, it is always appropriate to take a step back, review the basics of information security and ensure your program is being diligently maintained; it may end up saving you from regulatory penalties.
The Between the Lines blog is made available by Mitchell Williams Law Firm and the law firm publisher. The blog site is for educational purposes only, as well as to give general information and a general understanding of the law. This blog is not intended to provide specific legal advice. Use of this blog site does not create an attorney-client relationship between you and Mitchell Williams or the blog site publisher. The Between the Lines blog site should not be used as a substitute for legal advice from a licensed professional attorney in your state.