A massive security breach discovered in July 2019 led to an $80 million fine for Capital One Financial Corporation. Personal data of more than 106 million individuals was exposed when a former employee at Amazon Web Services (AWS) inappropriately accessed Capital One’s AWS cloud servers through a misconfigured web application firewall.
The Office of the Comptroller of the Currency (OCC) levied the fine based on noncompliance with the Code of Federal Regulations (CFR), specifically, 12 CFR Part 30, Appendix B, Interagency Guidelines Establishing Information Security Standards.
What went wrong?
The OCC consent order noted the following:
- Capital One failed to establish effective risk assessment processes in 2015 before migrating its information technology operations to a cloud environment.
- Internal audit did not properly assess the cloud environment and, as a result, did not effectively identify or report weaknesses and gaps to the Audit Committee.
- For internal audit findings that were reported, the Board did not take the appropriate action to hold management accountable.
How can these risks be prevented?
To minimize cybersecurity risks, the following elements of 12 CFR Part 30, Appendix B, Interagency Guidelines Establishing Information Security Standards are required for banks, such as Capital One, that fall under the authority of the OCC, and they are practices that any bank should follow robustly:
Information Security Program
The program should be comprehensive and include the administrative, technical and physical safeguards appropriately scaled for the size and complexity of the bank and the scope of its activities. It should:
- Ensure the security and confidentiality of personal information
- Protect against anticipated threats to the security or integrity of personal information
- Protect against unauthorized access
The program should also be adjusted to consider relevant changes to technology. In this case, the migration to cloud services and the related outsourcing arrangements should have been incorporated into the program.
Assessment of Risk & Implementation of Internal Controls
At least annually, the bank should perform risk assessments to identify the likelihood and impact of internal and external threats that could result in unauthorized access to personal customer information.
Key internal processes and control activities should then be implemented and tested by internal audit. Internal audit's testing of these control activities could then identify misconfigured systems, and management could remediate any gaps to reduce the possibility of an incident occurring. As new risks emerge over time, the control environment should be adjusted to mitigate them.
Service Provider Arrangements
Appropriate due diligence is essential when selecting service providers. It is important to make sure contracts with service providers include the appropriate measures designed to meet the objectives of the guidelines.
Selecting service providers that can adequately address security risks may reduce the likelihood and impact of a catastrophic incident such as a security breach. Just as critical is having a thorough understanding of the obligations of both parties and then implementing the steps needed to fulfill the responsibilities that fall to the user of the services. In this case, a more thorough understanding by the bank of its responsibility for properly configuring the firewall used in its AWS-hosted operations may have prevented the breach altogether.
Monitoring and Response
Monitoring of systems should be in place to detect actual and attempted attacks or intrusions into the relevant systems. Banks should develop effective response programs that specify the actions to take when they suspect or detect such activity, including appropriate reports to regulatory and law enforcement agencies.
Monitoring and robust detection tools are critical for a bank to respond quickly and reduce the impact of a security incident. Although Capital One responded swiftly to rectify the firewall vulnerability once it learned of it, the bank only became aware of the event when the hacker who performed the breach began to openly discuss the attack on an online forum. Delayed discovery of security breaches is a problem that is not unique to Capital One. According to Verizon’s 2020 Data Breach Investigations Report, of the 3,950 data breaches in 2019 that were analyzed, over 20% were discovered after multiple months.
In addition to the financial penalty, the consent order requires Capital One to submit a comprehensive action plan detailing the remediation actions it will take to achieve compliance. The OCC will appoint a Compliance Committee to oversee the bank’s adherence to the consent order. The bank must also prepare and submit an initial written progress report that includes the status of the corrective actions it has taken, with subsequent progress reports to be provided within 45 days after the end of each quarter.
This case highlights the challenges that even the largest banks face in a) managing and monitoring sound information security programs, b) maintaining risk management activities to prevent, detect and minimize the impact of security events and c) achieving compliance objectives. Failure to meet regulatory expectations can not only result in significant financial fines but also expose the institution to reputational risk. Organizations, large or small, should continue to focus their attention and investment on cyber defenses, and should evaluate how prepared they are to prevent and/or respond to a security event and to meet the applicable federal regulations.
Authored by Mehul Lalloobhai, CISA, senior manager in Weaver’s IT Advisory Services practice.