The Fed issued a cease-and-desist order laying out steps Capital One must take to improve its risk-management program and internal controls related to cybersecurity and information security. It is one of the consent orders Capital One entered into with the Fed and the Office of the Comptroller of the Currency in response to the incident. The Fed’s action comes in conjunction with an $80 million civil penalty announced Thursday against Capital One by the Office of the Comptroller of the Currency.
In July 2019, Capital One revealed that a hacker had accessed private data for more than 100 million US Capital One customers. The exposed data from the hack included Social Security numbers, credit card applications, home addresses, credit scores, credit limits and balances. The hacker also had access to the personal data of approximately 6 million individuals in Canada, according to the Federal Reserve Board.
The hack marked one of the largest data breaches ever, and among those affected were some of the bank’s most financially vulnerable customers.
“The OCC took these actions based on the bank’s failure to establish effective risk assessment processes prior to migrating significant information technology operations to the public cloud environment and the bank’s failure to correct the deficiencies in a timely manner,” the Comptroller’s office said in a release Thursday.
Capital One said that controls put in place prior to the hack allowed the company to secure customers’ data before it could be used or disseminated, and helped law enforcement arrest the hacker.
“Safeguarding our customers’ information is essential to our role as a financial institution,” a Capital One spokesperson said in a statement to CNN Business. “In the year since the incident, we have invested significant additional resources into further strengthening our cyber defenses, and have made substantial progress in addressing the requirements of these orders.”
As part of the Fed’s order, Capital One’s board of directors will be required to submit a plan within 90 days describing actions it will take to improve its risk management program and internal governance and controls.
It must include, for example, an internal governance framework with “clearly defined operational risk roles and responsibilities,” risk testing and validation processes, and measures to ensure proper training of operational risk personnel. Capital One is also required to provide a timeline for improvements to its cybersecurity and data loss protection program.
The bank will also be required to provide quarterly updates to the Fed detailing the actions it has taken in response to the order.
The Capital One spokesperson said in the statement that the bank will continue to work closely with regulators to ensure it meets “the highest standards of protection for its customers.”