In a landmark enforcement action related to a bank data breach, the Office of the Comptroller of the Currency (“OCC”) assessed an $80 million civil monetary penalty and entered into a cease and desist order with the bank subsidiaries of Capital One on August 6, 2020. The actions follow a 2019 cyber-attack against Capital One. The Federal Reserve Board also entered into a cease and desist order with the banks’ parent holding company. The OCC actions represent the first imposition of a significant penalty against a bank in connection with a data breach or an alleged failure to comply with the OCC’s guidelines relating to information security.

In early 2019, Capital One was subjected to a cyber-attack in which a third party obtained unauthorized access to certain personal information of approximately 100 million individuals. The OCC orders and press release did not explicitly reference the 2019 data breach incident. Capital One notified potentially affected customers, and the OCC press release accompanying the consent orders noted that the OCC “positively considered the bank’s customer notification and remediation efforts.” The press release referred to risk assessment processes related to migrating operations to the cloud.

The OCC enforcement actions were based on the agency’s Part 30 safety and soundness regulations, including the interagency guidelines on information security that implement section 501(b) of the Gramm-Leach-Bliley Act and are codified in Appendix B to the Part 30 regulations. Prior to this action, there had been only one case where the OCC imposed a civil monetary penalty based on noncompliance with the information security guidelines, a 2005 penalty against First Horizon Home Loan Corporation for $180,000.

The OCC cease and desist order requires remedial actions to strengthen the bank’s information security program, including:

- formation of a compliance committee comprised of independent directors;
- submission of an action plan outlining remedial measures to achieve compliance with the order; and
- creation of additional plans related to enhancing information security controls, including a board and management oversight plan, a plan for enhanced risk assessment processes related to the cloud and legacy technology operating environments, a cloud operations risk management plan, an independent risk management plan including provision for testing and validation, a plan to enhance internal controls and a plan to enhance internal audit.

The Federal Reserve Board order focuses on risk management and requires the parent bank holding company to take remedial actions, including strengthening Board oversight, strengthening governance and internal controls with respect to risk management, improving the risk management program and revising the internal audit program.

Board oversight: Both the OCC and Federal Reserve cease and desist orders highlight the importance of oversight and involvement by the Board and senior management. This includes holding relevant individuals accountable for gaps in information security systems and response processes, ensuring the proper information security programs and procedures are in place and staying apprised of any internal information security developments or events soon after they take place.