OCC Hits Capital One Bank With $80 Million Penalty for Failing to Properly Migrate Data to the Cloud
Earlier this month, the Office of the Comptroller of the Currency (OCC) assessed an $80 million civil penalty, and ordered certain remedial actions, against Capital One Bank “based on the bank's failure to establish effective risk assessment” prior to migrating information technology operations to the cloud. While the OCC also cited the bank's failure to correct the deficiencies in a timely manner, it did look positively on the bank’s subsequent customer notification and remediation efforts.
Specifically, the bank violated 12 C.F.R. Part 30, Appendix B, “Interagency Guidelines Establishing Information Security Standards,” which addresses the administrative, technical and physical safeguards required to protect the security and confidentiality of customer information. The OCC alleged (and the bank neither admitted nor denied) in the Consent Order that:
“In or around 2015, the Bank failed to establish effective risk assessment processes prior to migrating its information technology operations to the cloud operating environment. The Bank also failed to establish appropriate risk management for the cloud operating environment, including appropriate design and implementation of certain network security controls, adequate data loss prevention controls, and effective dispositioning of alerts.”
“The Bank’s internal audit failed to identify numerous control weaknesses and gaps in the cloud operating environment. Internal audit also did not effectively report on and highlight identified weaknesses and gaps to the Audit Committee.”
The OCC notice, with links to the consent order and cease and desist order, can be found here.