OCC Requires Board Oversight of Cyber Risk
Privacy Plus+
Privacy, Technology and Perspective
This week, let’s consider Capital One’s recent agreement to pay an $80 million fine and enter into a consent order related to its cybersecurity posture following a data breach that exposed more than 100 million customer records.
According to KrebsOnSecurity, the breach was caused by Capital One leaving customer data on an exposed Amazon Web Services S3 storage “bucket.” In other words, Capital One misconfigured its AWS environment.
You can read more about the particulars of the incident in the following blog post:
https://krebsonsecurity.com/tag/capital-one-breach/
A link to the consent order follows:
https://www.occ.gov/static/enforcement-actions/ea2020-037.pdf
For now, let’s focus on the consent order, and particularly its requirement under Article V for Board Management and Oversight.
This Consent Order makes the requirement for Board oversight explicit.
The Office of the Comptroller of the Currency (OCC), which regulates national banks, requires Capital One’s Board to do the following:
· develop appropriate and effective risk assessment processes to identify and manage technology risks, including risks in the cloud environment, and processes specific to technology changes;
· reassess the quality and content of Board reporting and improve transparency into the materiality and status of known technology and cyber risk issues;
· increase oversight of management’s actions with respect to significant technology and cyber risk issues; and
· hold management accountable for the timely remediation of identified material risk issues, including requiring management to explain why key issues and risks have not been addressed.
Keep in mind that banks, like Capital One, are subject to 12 CFR Part 30, Appendix B, Interagency Guidelines Establishing Information Security Standards. The following post by the accounting and advisory firm Weaver explains the implications of those standards well, especially in the context of the Capital One case:
https://weaver.com/blog/occ-fines-capital-one-bank-2019-cybersecurity-breach
We see a progression here.
We have written before about the importance of escalating systems and processes of monitoring privacy and cyber risks to the board level (in any company), as a best practice. You can read one of those posts by clicking on the following link:
https://www.hoschmorris.com/privacy-plus-news/privacy-and-cyber-liability
Now, we see an important industry regulator in one of the 18 “critical infrastructures” making that requirement explicit, and directly enforceable by consent order.
Regulators talk to one another, and no one wants to lag behind. We expect others, across the 18 “critical infrastructures,” to follow suit.
(Not sure if you’re in one of the 18 “critical infrastructures”? Find out by clicking below:)
https://www.cisa.gov/critical-infrastructure-sectors
It’s becoming increasingly evident to enforcement actors of every type – private attorneys as well as public regulators – that Board and management oversight are critical to a defensible cybersecurity posture.
---
Hosch & Morris, PLLC is a Dallas-based boutique law firm dedicated to data protection, privacy, the Internet and technology. Open the Future℠.