Avoid Capital One’s $80 Million Dollar Mistake

Read about the OCC’s recent actions taken against Capital One and learn how to avoid a mistake like this. A combination of technical, operational and personnel weaknesses enabled a data breach in July 2019 allowing a hacker to access the private information of more than 100 million customers.

The US Government’s recent actions taken against Capital One for their July 2019 data breach, in which a hacker accessed private data of more than 100 million US Capital One customers, should not come as a surprise even though Capital One is viewed as one of the most technologically advanced banks in the United States.

The question is, if one of the most technologically advanced banks failed to establish an effective risk assessment program, how are other banks effectively managing their enterprise risk management?

As a result of the data breach, the OCC (Office of the Comptroller of the Currency) has imposed an $80 million civil penalty and a cease and desist order that lays out the steps that Capital One must take to improve its risk management program, as well as internal controls related to cyber security and information security. This plan must include an internal governance framework that, amongst other measures, has clearly defined operational risk roles and responsibilities. While a combination of technical, operational and personnel weaknesses likely contributed to the vulnerability that enabled the data breach to occur, an effective controls framework may have prevented the attack.

At Alyne, we have been vocal about the importance of effective control frameworks in managing enterprise risk. Technology can certainly serve as a key component to a successful controls framework. However, technology must be able to deliver needed information to the right people at the right time in order to drive appropriate behaviour. The combination of the right technology coupled with the right content is key to a successful control framework. At its core, an effective controls framework acts as the single source of truth for information that allows everyone in an organisation to clearly understand their responsibilities and specific steps needed to be both undertaken and continuously monitored in order to sustain a successful risk management profile.

Alyne believes that controls need to be more than a check-the-box exercise. History has shown that those firms who implement control frameworks to guide and support their organisation's objectives are positioned for long term success. Today’s heightened regulatory environment, coupled with the reality that information is now distributed instantly across the digital landscape, makes it imperative that organisations have control frameworks in place that are specifically tailored to their organisational structure – saving both time and money by creating operational efficiencies, all the while providing true transparency into your risk profile.

An effective control framework is made up of individual controls. If the individual controls in a controls framework are ineffective, then the framework itself is going to be ineffective. It’s that simple. To ensure control success, Alyne has designed every one of the 1100+ Controls in our Content Library according to the SAMC3 principle – a term coined by Alyne. Following this process for control creation will help you create an effective control framework and reduce risk.

SAMC3 Principle

  • Specific - each Control describes a specific action or practice that prevents harm to the organisation and its assets.

  • Atomic - each Control only defines one specific aspect. Some poor examples of Controls try to cover multiple aspects and end up covering half a page of text. If one answer cannot describe the current maturity or effectiveness, the Control is not atomic. This also means that every Control shall be meaningful by itself without the context of other Controls.

  • Measurable - the effectiveness and design of each Control shall be measurable. In Alyne, the criteria and data points relevant to measuring the design and effectiveness of each Control are always defined together with the Control to ensure this attribute.

  • Consistent in Structure - while this is not always perfect, we strive to keep the sentence structure of each Control consistent. Convoluted syntax, such as double negatives or opening with subordinate clauses, makes it much more difficult for the reader, assessor, recipient or other stakeholder to consume. This should be avoided at all costs.

  • Comprehensible - simply copying the text from a standard or law is not helpful. Wording in Controls should be as simple and meaningful as possible to the audience within the organisation. Laws and standards need to be deliberately broad so as to be generally applicable. Controls, on the other hand, shall only be focussed on your own internal organisation - and therefore use wording that is familiar and meaningful in that context.

  • Contextual - a Control should provide a link to a standard, law or regulation and to risks it may mitigate. This context provides meaning to Control deficiencies and enables more automated analytics.


Whether you are in operational risk, information security, compliance or audit, our recommendation is that you review your enterprise controls to measure their alignment with the above principles. Doing so may save your organisation.

We invite you to pair this article with our ‘Enterprise Controls: The Need, Evolution & Future’ webinar or our ‘Controls as a Service’ white paper, both of which take a deeper dive into how we structure our Controls at Alyne.

Tyler Gowen
