Head In The Cloud: The Capital One Ruling

Failing to address your organization’s shortcomings in cybersecurity will always have ramifications, but they won’t always come from where you expect.

Exhibit A: Earlier this month, bank holding corporation Capital One was hit with a cease and desist order from the Office of the Comptroller of the Currency (OCC), citing a “failure to establish effective risk assessment and management processes before migrating its information technology operations to a cloud operating environment.”

On top of the order, Capital One must pay an $80 million civil money penalty to the U.S. Treasury and complete a series of cybersecurity compliance actions: establishing an independent compliance committee, improving risk assessments for every aspect of its cloud operating environment, and overhauling its internal audit program so it evaluates risk more effectively.

Long-time followers of our blog will know this isn't the first time Capital One's cybersecurity mishaps have made headlines; the OCC order follows the bank's widely reported 2019 data breach. But now, as banks nationwide prepare to move to cloud computing, a misstep as consequential as this one is crucial reading for any organization reimagining the way it handles its data.

Best Laid Precautions

Why might Capital One have let its data security capabilities slide? When doing business online was still an emerging practice, company executives treated cybersecurity as the highest priority in a new, rapidly evolving landscape. In today's tech-savvy society, however, digital security best practices tend to be relegated to one tick on a very long to-do list of competing priorities.

And although the "cloud" might be a familiar concept to our readers, cloud computing is still a new and complicated factor in industry-wide cybersecurity. According to McKinsey & Company, within a decade 40% to 90% of banks' data will be hosted on public cloud infrastructure, and Bloomberg projects that 80% of financial technology applications will run on some form of cloud platform by 2025.

The Verizon Data Breach Investigations Report shows that as cloud platforms host more data for organizations of all sizes, they account for a rising share of data breaches. This year, 24% of breaches involved cloud assets, according to the report, and 73% of those cloud breaches involved an email or web application server.

Yet company executives and cybersecurity experts alike view the move to cloud computing as the natural next step in a technological evolution. So what can organizations do to ensure their IT security capabilities keep pace with the pitfalls of a cloud environment and avoid penalties like the ones Capital One is now reckoning with?

For one, CISOs can establish a cybersecurity committee that meets regularly to review new resources and products, and to manage working relationships with cloud service providers. Devoting time and attention to your company's IT security posture and incident response procedures ensures that, when the time comes to address the inevitable vulnerability, you'll have a plan in place and a thought-through method for executing it.

Experts also recommend keeping it simple. Thorough as they may be, 200+ item cybersecurity questionnaires aren't always as effective as short, targeted checklists your organization can actually work through. And, of course, nothing beats complete visibility into your data and digital presence: you should be continuously monitoring both on-premises and cloud-based systems rather than assuming a provider is doing it for you.

A Partner In Cybercrime Prevention

Keeping an eye on all your assets may seem insurmountable, especially for small and midsize organizations. You need a partner in cybersecurity who brings talent, expertise, and a trustworthy track record to the table, and BAI Security is up to the task.

BAI Security is a nationally recognized security auditing and compliance firm that specializes in providing clients in highly regulated sectors with the most innovative, comprehensive, and affordable security solutions in our industry. Our mission: To ensure that organizations of all sizes have access to truly top-shelf audit and compliance services in the most cost-effective manner possible.

The COVID-19 pandemic may be jamming schedules and causing delays, and for companies seeking an IT security provider, calendars are filling fast. Here at BAI, we can lock in your desired 2020 audit dates before they’re gone, ensuring your next steps toward a more secure future.

We’re on your side—so contact us today.

Posted in BAI Security Blog, Compliance Requirements, Cyber Security Audits, Financial industry.