Pub. 15 2020-2021 Issue 4

NEBRASKA BANKERS ASSOCIATION 13 COUNSELOR’S CORNER — continued on page 14

The Order imposes an action plan on the Capital One Board of Directors to develop and supervise a risk assessment process and to reassess the quality and content of reports distributed to the Board. The Order requires a plan to improve the risk assessment process for the bank, to develop a cloud operations risk assessment, and to enhance the audit and audit reporting processes to the Board. Finally, the Order imposes a page of prescriptive requirements on the Board that range from authorizing corrective actions to ensuring the Bank has sufficient processes in place and ensuring the Board will hold the Bank’s management accountable for executing the plan with timely and appropriate reporting.

The case, the Consent Order, and the findings by the O.C.C. incorporated in the Order summarize several issues that all banks and their boards should review and incorporate into their own processes and procedures. But the most important take-away is that any and all serious cybersecurity issues should be immediately brought to a board of directors’ attention.
There are real consequences for a company’s failure to proactively avoid cybersecurity breaches, and boards cannot avoid the consequences of cybersecurity incidents by failing to address them.

Forensics Reports and Maintaining Privilege

After the exposure of the data, Capital One hired a forensics firm, Mandiant, to conduct an investigation into the breach of their data. Mandiant was the same firm Capital One had an ongoing relationship with to perform periodic reviews and vulnerability assessments. Due to the ongoing relationship with the firm, Capital One decided that Mandiant would be better equipped to deal with the data breach than another firm that would be less familiar with the Capital One network. Based on the prior relationship, Capital One engaged with Mandiant to conduct the investigation, determine the root cause of the cyber breach, and produce a report.

Capital One initially signed a Master Services Agreement (M.S.A.) with Mandiant in 2015. Under that M.S.A., Capital One signed a series of Statements of Work (S.O.W.s). The S.O.W.s, among other services, provided for cybersecurity response services in the event a cyber-breach would occur. Mandiant thus had a preexisting relationship to provide incident response services.

In addition to the preexisting relationship, Capital One had regularly paid a retainer to Mandiant for their ongoing services. Because the retainer was already established, Mandiant initially deducted the cost of the cybersecurity investigation from the retainer. When the retainer was depleted, Capital One paid for the investigation and report from an account denominated as “business-critical” services as part of their overall cyber budget.

When Capital One suffered the breach, they retained the law firm Debevoise & Plimpton L.L.P. as their cyber breach coach.
Then on “July 24, 2019, Capital One and Debevoise signed a Letter of Agreement with Mandiant under which Mandiant would provide services and advice, ‘as directed by counsel,’ in the areas of (1) computer security incident response; (2) digital forensics, log and malware analysis; and (3) incident remediation. These areas reflected the same scope of work Mandiant had already agreed to provide under the M.S.A. and S.O.W.s.” The engagement letter provided that all work by Mandiant for this engagement would be conducted under the direction of the law firm and that deliverables would be provided directly to counsel rather than Capital One.