How Capital One paid the price for failing to put in place an effective outsourcing risk oversight programme

An effective strategic planning process for a business must consider supply chain strategy. Business decisions to outsource are driven by a variety of factors, such as cost savings, speed of delivery, the need for specialised products or expertise, technology advancement and the need to meet regulatory requirements.

Businesses may enjoy the benefits of outsourcing, but with them comes an array of associated risks which, if not properly identified, assessed and managed, can lead to dire effects such as significant disruptions affecting the quality of its services and products, breaches and reputational damage.

It is important to ensure that risk management activities are extended to cover any potential exposures within the ecosystem of suppliers or service providers, so that all the necessary safeguards and measures can be put in place to strengthen business resilience, especially where critical suppliers or service providers are concerned.

For businesses that decide to put all their eggs in one basket, extended enterprise risk management (EERM) activities must be robust enough to capture all the threats and vulnerabilities so that appropriate control action plans can be drawn up. There must also be ongoing monitoring to ensure that the basket continues to uphold the business's needs, values and ethics.

Take the case of American banking group Capital One, which decided to fully outsource its cloud computing activities to Amazon Web Services (AWS) but failed to put in place an effective governance and oversight programme for outsourcing and technology risks. The result was a painfully expensive cyber incident.

What happened – Capital One became the target of a cyber attack in the second quarter of 2019, but it wasn't discovered until several months later. The event resulted in the loss of personal information, including financial data, of about 106 million customers. Embarrassingly for the firm, the culprit was an employee of AWS who took advantage of internal network security lapses in the system.

Impact of failure – In August this year Capital One agreed to pay a penalty of $80m for the hacking incident and its failure to protect sensitive data. The US regulator, the Office of the Comptroller of the Currency, noted that Capital One was aware its security practices were woefully insufficient, but the board had “failed to take effective actions to hold management accountable”.

In the consent order of August 2020, one of the Comptroller's findings states that “the Bank failed to establish effective risk assessment processes prior to migrating its information technology operations to the cloud operating environment”.

Capital One suffered a dip in its share price and reputational damage, coupled with shattered confidence among its customers and investors. There are also potential lawsuits which could be brought by its customers over the data breach.

Remediation – Capital One had to undertake the relevant remedial actions, comprising improvements to its governance and risk management programme for cybersecurity and outsourcing risk: robust risk assessments, adequate treatment of identified risks and compliance with all applicable security standards.

Businesses should learn from the bank’s experience. A similar risk event could happen to any business that chooses to turn a blind eye to the potential material damage an outsourced activity can cause, if the business is not vigilant enough to identify, assess and address the potential risks and concerns. 

Risk managers play an integral role in ensuring that the wide spectrum of exposures associated with outsourcing risk is on the board's radar, with commitment from senior management to conduct the necessary review and monitoring.