The Consequences To An Organization’s Board Of Directors, Executive Management, and Internal Audit Function As A Result Of A Cyber Breach Of Their Organization’s Cloud Environment

Oct 22, 2020

What is the cost of a cyber breach of an organization's insecure cloud environment?

On July 19, 2019, Capital One reported that during March 2019 a cyber threat actor had gained access to its infrastructure via a configuration vulnerability. The cyber threat actor gained unauthorized access to personal information about Capital One credit card customers who had applied for credit card products. According to the FBI indictment of the cyber threat actor, the infrastructure accessed was Capital One's cloud infrastructure.

According to Capital One's 2019 annual report regarding its March 2019 cyber breach, Capital One has spent an estimated $72 million in remediation costs. Capital One expects the 2019 costs for this cyber breach to be between $100 and $150 million, and expects these costs to extend beyond 2019. This was in fact the case when a U.S. financial regulator levied an $80 million fine on Capital One for this cyber breach during August 2020.

These noted costs are just some of the tactical, operational, and strategic costs which have resulted from a successful cyber breach of an organization’s cloud infrastructure.  

If you are a financial services sector corporate director, C-suite executive, or executive responsible for the internal audit function (i.e. Chief Audit Executive), and have migrated or are contemplating migrating your customer data into the cloud, please continue reading.

U.S. Regulator Fine of Capital One

During August 2020, the U.S. Department of Treasury Office of the Comptroller of the Currency (OCC) fined Capital One $80 million for a cyber breach of its cloud environment and the unauthorized access, by a cyber threat actor, of the personal information of over 100 million card customers and applicants.

During August 2019, the cyber threat actor, Paige A. Thompson, a software engineer previously employed by Amazon Web Services, was charged by the FBI with computer fraud and abuse and wire fraud for this cyber breach. According to the FBI indictment, Thompson used scanning software which allowed her to identify customers of a cloud company which had misconfigured their firewalls, allowing outside commands to penetrate and access their servers. Thompson conducted unauthorized intrusions into stored data on more than thirty (30) different organizations, including Capital One.

The OCC noted in its press release it took these actions based on Capital One’s “failure to establish effective risk assessment processes prior to migrating significant information technology operations to the public cloud environment and the bank’s failure to correct the deficiencies in a timely manner”.

Article II Comptroller's Findings

One of the most important articles found in both the Consent Order for the Assessment of a Civil Money Penalty and the Cease and Desist Order is Article II, which contains the OCC's findings. Both of these consent orders note the following findings against the board of directors, executive management, and the internal audit function of Capital One (emphasis added by author):

“The Comptroller finds, and the Bank neither admits nor denies, the following:

  1. "In or around 2015, the Bank failed to establish effective risk assessment processes prior to migrating its information technology operations to the cloud operating environment, including appropriate design and implementation of certain network security controls, adequate data loss prevention controls, and effective dispositioning of alerts."
  2. "The Bank's internal audit failed to identify numerous control weaknesses and gaps in the cloud operating environment. Internal audit also did not effectively report on and highlight identified weaknesses and gaps to the Audit Committee."
  3. "For certain concerns raised by internal audit, the Board failed to take effective actions to hold management accountable, particularly in addressing concerns regarding certain internal control gaps and weaknesses."
  4. "By reason of the foregoing conduct, the Bank was in noncompliance with 12 C.F.R. Part 30, Appendix B "Interagency Guidelines Establishing Information Security Standards," and engaged in unsafe or unsound practices that were part of a pattern of misconduct."
  5. "The Bank has begun addressing the identified corrective action and has committed to providing resources to remedy the deficiencies."

Impact to the Board of Directors, Executive Management, and Internal Audit Function

So what is the impact of this financial regulator's consent order to the Board of Directors, Executive Management, and the Internal Audit Function of Capital One?

I have summarized Articles III through XI of the consent order and highlighted the new responsibilities directed by the OCC pursuant to this consent order for the Board, the Bank (Executive Management or EM) and the Internal Audit Function. In addition, I have noted whether the Board of Directors, Executive Management, and/or the Internal Audit Function are impacted by each respective article in the consent order.

Article III Compliance Committee

Impact: Board of Directors

Article III requires that by August 31, 2020, the Board shall appoint a Compliance Committee which shall monitor and oversee the Bank's compliance with the provisions of this consent order.

By October 30, 2020, and thereafter within 45 days after the end of each quarter, the Compliance Committee will submit to the Board a written progress report which:

  1. a description of the corrective actions needed to achieve compliance with each article of the order;
  2. the specific corrective actions undertaken to comply with each article of the order; and
  3. the results and status of the corrective actions.

Article IV Comprehensive Action Plan

Impact: Bank (EM), Board of Directors

Article IV requires that within 60 days of the effective date of the order, the Bank shall develop a written action plan detailing the remedial actions necessary to achieve compliance with Articles V through X of the consent order. This “Action Plan” will incorporate the Bank’s four previously adopted action plans and shall at minimum specify:

  1. a description of the corrective actions needed to achieve compliance with each Article of the consent order;
  2. timelines for completion of the corrective actions required; and 
  3. the person(s) responsible for completion of the corrective actions required by the order.

The Board shall ensure the Bank has timely adopted and implemented all corrective actions required by the order and the Board shall verify the Bank adheres to the Action Plan including the timelines set forth in the Action Plan. 

If the Bank considers any modifications to the Action Plan, it will need approval from the OCC. Upon approval of any modifications to the Action Plan, the Board shall ensure the Bank has timely adopted and implemented all corrective actions required by the order and the Board shall verify the Bank adheres to the revised Action Plan.

By October 30, 2020, and thereafter within 45 days after the end of each quarter, the Bank shall prepare a written progress report on the Action Plan and submit it to the Board. The Board will then forward its comments and the report to the OCC.

Article V Board and Management Oversight 

Impact: Bank (EM), Board of Directors, Internal Audit Function

Article V requires that within 90 days of the effective date of the order, the Bank shall submit a "Board and Management Oversight Plan" to improve oversight of the Bank's cloud operating environment information security program for review and approval by the OCC. At a minimum, this plan shall require the Bank to:

  1. develop appropriate and effective risk assessment processes across all three lines of defense to identify and manage technology risks within the cloud operating environment, including processes specific to technology changes;
  2. revise the quantity and content of Board reporting and improve transparency into the materiality and status of known technology and cyber risk issues;
  3. increase the scrutiny, monitoring, and oversight of management's actions to address significant technology and cyber risk issues, including audit findings; and 
  4. hold management accountable for the timely remediation of material risk issues identified by internal and external sources, including requiring management to explain why key issues and risks related to the cloud operating environment have not been addressed in a timely and effective manner.

Article VI Risk Assessment

Impact: Bank (EM)

Article VI requires that within 90 days of the effective date of the order, the Bank shall develop a "Risk Assessment Plan" to improve risk assessment for the Bank's cloud and legacy technology operating environments. At a minimum, the Risk Assessment Plan shall require the Bank to:

  1. document expected and potential threats of material changes to the cloud and legacy technology environments and mitigating controls or remediation plans to address such threats;
  2. develop appropriate risk mitigation testing from the beginning of, and throughout, the life cycle of new projects;
  3. create a current threat inventory for use in risk assessment processes;
  4. maintain the current threat inventory through continuous updating and analyzing of information regarding new threats and vulnerabilities, actual attacks, and the effectiveness of existing security controls; and
  5. reassess critical business processes related to cyber and technology change activity to ensure they are appropriately captured and included in existing risk assessment processes.

This Risk Assessment Plan shall expand existing risk assessment processes and supporting policies and procedures. It shall redesign the enterprise risk assessment framework to capture and aggregate the results of all relevant risk identification and control effectiveness inputs, so that these drive enterprise risk reporting of cyber and technology change risk. Finally, the Bank shall not implement a material technology or cyber change initiative before developing and submitting to the OCC a comprehensive risk assessment for that change initiative.

Article VII Cloud Operations Risk Management

Impact: Bank (EM)

Article VII requires that within 90 days of the effective date of the order, the Bank shall submit a "Cloud Operations Risk Management Plan" to improve the Bank's cloud operations risk management. At a minimum, the Cloud Operations Risk Management Plan will require the Bank to implement the effective corrective actions required as a result of the 2019 OCC examination. This plan shall broadly require the Bank to:

  1. develop comprehensive security controls protecting the Bank's network perimeter;
  2. develop effective controls to identify and protect sensitive customer information contained within the Bank's technology systems and applications; and
  3. develop effective vulnerability and configuration management controls related to the containerization of objects within the Bank's cloud environment.

Article VIII Independent Risk Management

Impact: Bank (EM)

Article VIII requires that within 90 days of the effective date of the order, the Bank shall submit an "Independent Risk Management Plan" to improve independent risk management of the cloud operating environment. At a minimum, the Independent Risk Management Plan shall require the Bank to:

  1. assess inherent technology and cyber risks enterprise-wide and deploy appropriate and effective controls to mitigate these risks;
  2. challenge inherent and residual cyber risks identified by technology and cyber first line functions;
  3. formally define and document a comprehensive cyber risk and control universe that captures all relevant risks; and
  4. utilize control universe data to create and implement an appropriate risk-based control testing and validation plan.

Article IX Internal Controls Testing

Impact: Bank (EM)

Article IX requires that within 90 days of the effective date of the order, the Bank shall submit an "Internal Controls Plan" designed to enhance the Bank's internal controls testing in the cloud environment. At a minimum, the Internal Controls Plan shall require the Bank to:

  1. develop a control inventory by identifying and documenting relevant controls within the Bank's cloud operating environment;
  2. develop and implement a comprehensive risk-based testing and monitoring plan that is reconciled back to the inventory; and 
  3. track and remediate control gaps, or appropriately approve control gaps as a risk acceptance.
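The three Article IX requirements describe one reconciliation loop: an inventory of controls, a testing plan that must map back to that inventory, and a decision for every gap (remediate or formally accept). The following is an added example of that reconciliation, not code from the consent order, the OCC or Capital One; the control identifiers, test records, risk acceptances and dates are constructed sample data, and the `Control`, `ControlTest` and `RiskAcceptance` record types are this example's own assumptions. It reports controls with no scheduled test, tests that reference a control missing from the inventory, tests that are overdue against their own frequency, and whether each untested control is covered by an unexpired risk acceptance or remains an open gap.

```python
"""Reconcile a cloud control inventory against a risk-based testing plan.

Added example with constructed sample data (not the consent order's or the
Bank's own tooling). Every untested control must end up either remediated
(a test scheduled) or explicitly approved as a risk acceptance; anything
else is reported as an open gap.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Control:
    control_id: str
    description: str
    domain: str  # e.g. "network-perimeter", "data-protection", "config-mgmt"


@dataclass(frozen=True)
class ControlTest:
    test_id: str
    control_id: str          # must reconcile back to the inventory
    frequency_days: int      # how often the test is expected to run
    last_run: Optional[date]  # None when the test has never been executed


@dataclass(frozen=True)
class RiskAcceptance:
    control_id: str
    approver: str
    expires: date  # an expired acceptance no longer covers the gap


def reconcile(inventory: List[Control], tests: List[ControlTest],
              acceptances: List[RiskAcceptance], as_of: date) -> Dict[str, List[str]]:
    """Return the four lists an internal controls reviewer would want to see."""
    inv = {c.control_id: c for c in inventory}
    tested = {t.control_id for t in tests}
    active_acceptances = {a.control_id for a in acceptances if a.expires >= as_of}

    # Tests that point at a control nobody documented: the plan does not
    # reconcile back to the inventory, so the test is reported, not credited.
    orphan_tests = sorted(t.test_id for t in tests if t.control_id not in inv)

    # Tests that exist but have not run within their own frequency window.
    overdue_tests = sorted(
        t.test_id for t in tests
        if t.control_id in inv
        and (t.last_run is None or (as_of - t.last_run).days > t.frequency_days)
    )

    # Controls with no test at all, split by whether a current acceptance covers them.
    untested = sorted(cid for cid in inv if cid not in tested)
    return {
        "orphan_tests": orphan_tests,
        "overdue_tests": overdue_tests,
        "accepted_gaps": [cid for cid in untested if cid in active_acceptances],
        "open_gaps": [cid for cid in untested if cid not in active_acceptances],
    }


# --- constructed sample data (hypothetical identifiers) ---------------------
AS_OF = date(2020, 10, 22)

SAMPLE_INVENTORY = [
    Control("CTL-001", "Inbound network rules deny all traffic by default", "network-perimeter"),
    Control("CTL-002", "Customer PII encrypted at rest", "data-protection"),
    Control("CTL-003", "Container images scanned before deployment", "config-mgmt"),
    Control("CTL-004", "DLP alerts dispositioned within 24 hours", "alerting"),
]

SAMPLE_TESTS = [
    ControlTest("T-01", "CTL-001", 30, date(2020, 9, 1)),   # 51 days old: overdue
    ControlTest("T-02", "CTL-002", 90, date(2020, 8, 15)),  # 68 days old: current
    ControlTest("T-03", "CTL-099", 30, None),               # control not in inventory
]

SAMPLE_ACCEPTANCES = [
    RiskAcceptance("CTL-004", "Chief Risk Officer", date(2021, 3, 31)),  # still active
    RiskAcceptance("CTL-003", "Chief Risk Officer", date(2020, 6, 30)),  # expired
]


def run_sample() -> Dict[str, List[str]]:
    return reconcile(SAMPLE_INVENTORY, SAMPLE_TESTS, SAMPLE_ACCEPTANCES, AS_OF)


if __name__ == "__main__":
    for bucket, ids in run_sample().items():
        print(f"{bucket}: {', '.join(ids) if ids else '(none)'}")
```

Run as a script it prints the four buckets; the value of the exercise is that an expired risk acceptance (CTL-003) drops back into the open gaps rather than silently continuing to cover a control, and that a test pointing at an undocumented control (T-03) is surfaced instead of being counted as coverage.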

Article X Internal Audit

Impact: Bank (EM), Board of Directors, Internal Audit Function

Article X requires that within 90 days of the effective date of the order, the Bank shall submit an "Internal Audit Plan" to enhance the Bank's internal audit program. At a minimum, the Internal Audit Plan shall require the Bank to:

  1. reassess the cyber and technology risk assessment methodology and scoring system that ranks and evaluates business and control risks for significant business units, products, services and security functions;
  2. assess and validate the completeness and accuracy of management's documented inventory of technology assets and configurable devices and software;
  3. map the existing audit universe to the concerns noted in the recent examination to identify coverage gaps and audit quality issues;
  4. incorporate lessons-learned related to the cybersecurity breach root cause analysis;
  5. revise the risk-based technology audit plan to address the gaps and weaknesses described in Article II and within audit's lessons-learned assessment to ensure appropriate coverage of cloud operations and related security controls; and 
  6. assess audit staff expertise and training needs.

The Internal Audit Plan shall include improved reporting to the Audit Committee that captures detailed technology risk issues, control themes, and ineffective or untimely remediation efforts, so as to provide the Board with sufficient information to make informed decisions regarding risks within the IT operating and control environment.

Article XI General Board Responsibilities 

Impact: Board of Directors, Bank (EM), Internal Audit Function

The Board shall ensure that the Bank has timely adopted and implemented all corrective actions required by the order, and shall verify that the Bank adheres to the corrective actions and that they are effective in addressing the Bank's deficiencies that resulted in this order.

In each instance in which the order imposes responsibilities upon the Board, the Board shall:

  1. authorize, direct, and adopt corrective actions on behalf of the Bank as may be necessary to perform the obligations and undertakings imposed on the Board by the order;
  2. ensure the Bank has sufficient processes, management, personnel, control systems, and corporate and risk governance to implement and adhere to all provisions of the order;
  3. require that Bank management and personnel have sufficient training and authority to execute their duties and responsibilities pertaining to or resulting from the order;
  4. hold Bank management and personnel accountable for executing their duties and responsibilities pertaining to or resulting from the order;
  5. require appropriate, adequate, and timely reporting to the Board by Bank management of corrective actions directed by the Board to be taken under the terms of the order;
  6. address any noncompliance with corrective actions in a timely and appropriate manner.

Cybersecurity Leadership Training

As I have noted above, Capital One's Board of Directors, Executive Management, and Internal Audit Function now have many more cybersecurity leadership responsibilities as a result of these consent orders.

Article XI (General Board Responsibilities) requires that the Board ensure that Bank management and personnel have sufficient training and authority to execute their duties and responsibilities pertaining to or resulting from the order. In addition, Article X (Internal Audit) requires the Bank to assess audit staff expertise and training needs.

It is my recommendation that the Capital One Board, the Bank (Executive Management) and the Internal Audit Function leadership obtain cybersecurity leadership training to become cyber savvy, so that each group of executives is equipped for the new cybersecurity leadership responsibilities required by the OCC consent orders.

As today's cyber threat actors and the cyber threat landscape continue to evolve and grow more sophisticated, any financial services organization can suffer the same experience Capital One has experienced as a result of a cyber breach of its cloud infrastructure.

It is my recommendation that U.S. financial services sector corporate directors, C-suite executives, and executives responsible for the internal audit function (i.e. Chief Audit Executive) also obtain cybersecurity leadership training. This training will help these executives become cyber savvy and assist each group of executives in their current cybersecurity leadership responsibilities.

Conclusion

These consent orders demonstrate the strategic and operational impact of a successful tactical cyber breach on an organization. They also demonstrate the significant consequences to an organization and its senior leadership of not being cyber savvy in today's digital environment.

Over the last few years, cybersecurity regulators in the U.S. and around the globe have assessed massive fines to organizations which have suffered a major cyber breach.  Capital One is the latest cybercrime victim to be held responsible for not having the most optimal cybersecurity posture for their organization.

As an executive, does this real-life example seem familiar to you in the way the strategic cyber threat has challenged your own organization? If it does, it is time to get your board of directors, senior leadership team, and internal audit leadership team started on cybersecurity leadership training. This first step will help your organization's senior executives better understand the current cyber threat landscape and its overall impact on your organization, which will allow for better discussions on how to improve your organization's overall cybersecurity posture.

Key Takeaways for Executives to Consider

The following are some key takeaways for executives to consider from this victim organization's cyber breach experience:

  1. Boards, executive management, and the internal audit function must understand cybersecurity as an enterprise risk.
  2. Executives must be properly trained to better understand the various components of enterprise-wide cybersecurity, the various cyber threat actors, and the cyber threat methodologies that comprise today's cyber threat landscape.
  3. Executives must understand, monitor, identify corrective actions for, and follow up on the identified corrective actions in the enterprise cybersecurity risk management program (including cybersecurity regulatory compliance requirements and the deficiencies and findings identified by the internal audit function).
  4. Executives must ensure their internal audit function is properly trained to understand the various components of enterprise-wide cybersecurity, the various cyber threat actors, and the cyber threat methodologies that comprise today's cyber threat landscape, and that it obtains advanced training in the various areas of cybersecurity to appropriately address this sophisticated enterprise threat.
  5. Boards and executive leadership must ensure cybersecurity is a regular item on their respective meeting agendas, so that the appropriate strategic leadership, governance, and strategic resources are being provided to address the enterprise-wide cybersecurity threat.
  6. Executives must consider the real-world tactical, operational and strategic costs of failing to proactively and continuously mature an organization's cybersecurity posture to appropriately protect the organization from the constantly evolving cyber threat.

For a review of the U.S. Department of Treasury Office of the Comptroller of the Currency (OCC) news release of their $80 million fine of Capital One and associated consent orders, please visit https://www.occ.treas.gov/news-issuances/news-releases/2020/nr-occ-2020-101.html.