OCC Requires Board Oversight of Cyber Risk

Written By Hosch & Morris

Privacy Plus+

Privacy, Technology and Perspective

OCC Requires Board Oversight of Cyber Risk.  This week, let’s consider Capital One’s recent agreement to pay an $80 million fine and enter into a consent order related to its cybersecurity posture following a data breach that exposed more than 100 million customer records. 

According to KrebsOnSecurity, the breach was caused by Capital One leaving customer data on an exposed Amazon Web Services S3 storage “bucket.” In other words, Capital One misconfigured its AWS environment. 

You can read more about the particulars of the incident in the following blog post:

https://krebsonsecurity.com/tag/capital-one-breach/

A link to the consent order follows:

https://www.occ.gov/static/enforcement-actions/ea2020-037.pdf

For now, let’s focus on the consent order, and particularly its requirement under Article V for Board Management and Oversight. 

This Consent Order makes the requirement for Board oversight explicit

The Office of the Comptroller of the Currency (OCC), which regulates national banks, requires Capital One’s Board to do the following:

  • ·      develop appropriate and effective risk assessment processes to identify and manage technology risks, including risks in the cloud environment, and processes specific to technology changes;

  • ·      reassess the quality and content of Board reporting and improve transparency into the materiality and status of known technology and cyber risk issues;

  • ·      increase oversight of management’s actions with respect to significant technology and cyber risk issues; and

  • ·      hold management accountable for the timely remediation of identified material risk issues, including requiring management to explain why key issues and risks have not been addressed.

Keep in mind that banks, like Capital One, are subject to 12 CFR Part 30, Appendix B, Interagency Guidelines Establishing Information Security Standards.  The following post by the accounting and advisory firm Weaver explains the implications of those standards well, especially in the context of the Capital One case:

https://weaver.com/blog/occ-fines-capital-one-bank-2019-cybersecurity-breach

We see a progression here. 

We have written before about the importance of escalating systems and processes of monitoring privacy and cyber risks to the board level (in any company), as a best practice.  You can read one of those posts by clicking on the following link:

https://www.hoschmorris.com/privacy-plus-news/privacy-and-cyber-liability

Now, we see an important industry regulator in one of the 18 “critical infrastructures” making that requirement explicit, and directly enforceable by consent order. 

Regulators talk to one another, and no one wants to lag behind.  We expect others, across the 18 “critical infrastructures,” to follow suit.

(Not sure if you’re in one of the 18 “critical infrastructures?”  Find out by clicking below:)

https://www.cisa.gov/critical-infrastructure-sectors

It’s becoming increasingly evident to enforcement actors of every type – private attorneys as well as public regulators -- that Board and management oversight are critical to a defensible cybersecurity posture.

---

Hosch & Morris, PLLC is a Dallas-based boutique law firm dedicated to data protection, privacy, the Internet and technology. Open the Future℠.

Hosch & Morris https://hoschmorris.com
Previous

California Consumer Privacy Rights Act – Up for a Vote in November
Next

NY-DFS and SEC Show Teeth, but will they Bite?