Dial back your wayback machine to September of last year. Capital One announced a hack of their Amazon environment by an ex-Amazon employee the previous July that was possible due to an incorrect configuration of their security settings.
Fast forward to today and the feds announced an $80 million fine for bad cloud hygiene.
The feds (the OCC) fined Capital One for “failure to establish effective risk management processes” prior to migrating some of their systems to the cloud.
The OCC said that they considered the bank’s notification and remediation processes favorably in assessing the fine, meaning that the fine would likely have been larger if they hadn’t responded as well after the breach as they did.
On the other hand, they said that the bank glossed over numerous weaknesses in an internal audit.
On top of that, the OCC said that they didn’t report the flaws that they found appropriately to their Board’s audit committee. This means that internal processes were not sufficient to allow the Board to perform its fiduciary responsibility. Rather than blaming the Board, in this case they blamed management.
They also claim that Capital One failed to patch security vulnerabilities, violating regulations that banks must follow (GLBA).
After Capital One got caught, the bank decided this was a good time to spend some money on cybersecurity and start fixing the problems.
There is a moral here, I think.
This is a bank, so the expectations for security are high, but still …
You could wait for a breach and the ensuing regulators and lawsuits. And fines. Or you can start looking at cyber risk management as a business problem and decide that it is probably cheaper to spend the money pre-breach. Last year Capital One said the breach could cost them $150 million. Whether this $80 million fine is in addition is not clear. Credit: The Register