
OCC fines Capital One US$80 million for bad IT controls

Chris Hamblin, Editor, London, 3 September 2020


The US Office of the Comptroller of the Currency has fined Capital One, a bank whose headquarters are in Virginia, $80 million for engaging in unsafe or unsound practices relating to information security and cloud computing.

The OCC alleges that in or around 2015, the bank failed to establish effective processes for assessing risks before it moved its information technology operations to the Cloud. It also supposedly failed to manage risks in the cloud operating environment: it did not design and implement certain network security controls well, did not impose adequate controls to prevent itself from losing data and did not do enough to set up alerting. At the time of the alleged wrongdoing, Capital One had a large private banking operation.

The OCC also claims that the bank’s internal auditors failed to spot many weak controls and gaps in the cloud operating environment, and did not report effectively to the Audit Committee on many of the weaknesses and gaps that they had found. When they did express certain worries, the board allegedly failed to take effective action to hold managers accountable, especially in respect of gaps and weaknesses in controls.

In this way, according to the OCC, the bank failed to comply with the Code of Federal Regulations at 12 CFR Part 30, Appendix B, entitled “Interagency Guidelines Establishing Information Security Standards,” and engaged in “a pattern of misconduct.” The bank neither admits nor denies any of this.

The regulators have told the board to appoint a compliance committee of at least three people (two of whom must be directors) who are not its employees or officers. The board must tell the Examiner-in-Charge their names shortly. By 30 October, and thereafter within 45 days after the end of each quarter, the committee must send reports about corrective action to the board, which must then forward them to the Examiner-in-Charge.

The bank has to draw up a "Cloud operations risk management plan" to:

  • develop comprehensive security controls to protect the perimeter of its network;
  • develop effective controls to identify and protect sensitive information about customers;
  • develop comprehensive processes to prevent and detect unauthorised disclosures of sensitive information that might drift outside the reach of the bank’s technology; and
  • develop effective controls to manage "vulnerability and configuration related to the containerisation of objects within the bank’s cloud environment."

Regulators visited the bank last year and handed it a series of instructions that are not included in the cease-and-desist order, which only makes a vague reference to its duty to fulfil them.

Furthermore, the bank is going to have to submit a plan to improve independent risk management of the cloud operating environment in three months' time at the latest. This plan must:

  • assess risks pertaining to IT all over the enterprise;
  • deal with so-called 'cyber-risks' as identified by 'first-line' people;
  • set out a comprehensive 'risk universe,' i.e. a list of all relevant risks; and
  • use the data from it to create an appropriate risk-based plan to test and validate controls.
