CAPITAL ONE FINANCIAL CORP 10-K Cybersecurity GRC - 2025-02-20

Page last updated on February 20, 2025

CAPITAL ONE FINANCIAL CORP reported its cybersecurity risk management and governance process in an annual 10-K filed on 2025-02-20 16:35:22 EST.

Filings

10-K filed on 2025-02-20

CAPITAL ONE FINANCIAL CORP filed a 10-K at 2025-02-20 16:35:22 EST
Accession Number: 0000927628-25-000092


Item 1C. Cybersecurity.

Cybersecurity Risk Management and Strategy

As a financial services company entrusted with the safeguarding of sensitive information, including sensitive personal information, we believe that a strong enterprise cybersecurity program is a vital component of effectively managing risks related to the confidentiality, integrity and availability of our data. While no organization can eliminate cybersecurity and technology risk entirely, we devote significant resources to a cybersecurity program designed to mitigate such risks. For further discussion of cybersecurity and technology risk, and related risks for our business, see “Item 1A. Risk Factors.”

We manage cybersecurity and technology risk at the enterprise level according to our Framework, as described in more detail under “Part II-Item 7. MD&A-Risk Management” in this Report, which uses a three lines of defense model. Our cybersecurity and technology risks are managed programmatically under the “operational risk” category of our Framework. Through this Framework, we establish practices for assessing our risk posture and executing key controls for cybersecurity and technology risk, data management, and oversight of third parties with which we do business. These operational risks are managed within a governance structure that consists of defined roles and responsibilities, formal governance bodies, and processes, policies and standards. Our policies and procedures define an overall, enterprise-wide approach for managing cybersecurity and technology risk. They establish the following process to identify, assess and manage such risks across our three lines of defense:

1. Identification: We evaluate the activities of our lines of business on a regular basis to identify potential cybersecurity and technology risk, including cybersecurity threats and vulnerabilities. This process takes into account the changing business environment, the technology and cyber threat landscape, and the objectives of the line of business being assessed.

2. Assessment, Measurement and Response: Management assesses identified risks to estimate such risk’s potential severity and the likelihood of occurrence. Once a risk is identified and measured, management determines the appropriate response, including determining whether to accept the risk in accordance with our established risk appetite, or alternatively to implement new controls, enhance existing controls, and/or develop additional mitigation strategies to reduce the impact of the risk.

3. Monitoring and Testing: Management is required to evaluate the effectiveness of risk management practices and controls through monitoring of key risk indicator metrics, testing and other activities. Identified issues are remediated, addressed via mitigation plans, or escalated, in line with our risk appetite.

4. Aggregation, Reporting and Escalation: Management collects and aggregates risks across the Company in order to support strategic decision-making and to measure overall risk performance against risk appetite metrics. Management also establishes processes designed to escalate, report, and address risks and deficiencies within different business lines, according to the requirements of our policies. For additional information regarding the escalation of these risks to the Board of Directors, see “Governance” below.

Our policies and procedures collectively help execute a risk management approach designed to account for cybersecurity threats specifically targeting us, as well as those that may arise from our engagement with business partners, customers, service providers and other third parties. For example, our third-party risk management policy is designed to help enable timely and effective identification, measurement, and management of third-party risks throughout the lifecycle of such relationships, which includes planning, due diligence and third-party selection, contracting, risk-based monitoring, and termination. We also assess, identify, and manage cybersecurity and technology risks associated with our merger and acquisition activities. See “Governance” below for more information.

As part of our cybersecurity program, we employ a range of security mechanisms and controls throughout our technology environment, which include the use of tools and techniques designed to search for cybersecurity threats and vulnerabilities, as well as processes designed to address such threats and vulnerabilities. We also engage a number of external service providers with additional knowledge and capabilities in cybersecurity threat intelligence, detection, and response. When appropriate, we leverage partnerships with relevant government entities, law enforcement agencies, and industry information sharing forums, such as the Financial Services Information Sharing and Analysis Center (“FS-ISAC”), to further inform our understanding of the threat environment and how to effectively defend the Company against such threats. These defenses include, among other things, a range of cyber educational initiatives that we design and deliver to employees across the enterprise to promote best practices for protecting our information and data, and reporting cyber threats and other risks to corporate systems, data, and facilities. Employees are required to annually certify their completion of training on both cybersecurity and data privacy, and our cyber education program implements targeted testing and training focused on high-risk populations and responding to an evolving threat landscape.

We also maintain an Enterprise Cyber Response Plan (“ECRP”) designed to handle potential or actual cybersecurity events that could impact us and our personnel, data, systems and customers. The ECRP defines the roles and responsibilities of various teams, individuals, and stakeholders in performing this enterprise response, guides decision making for taking actions and escalations to our executive management and the Board of Directors, as appropriate, and helps to plan follow-on actions that seek to reduce the likelihood of similar events’ recurrence in the future. The ECRP is reviewed and refined periodically, and refinement is informed in part by a series of table-top exercises that we conduct over the course of the year.

We do not believe that risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, such as the 2019 Cybersecurity Incident, have materially affected our overall business strategy, results of operations, or financial condition. For further discussion of cybersecurity, and related risks for our business, see “Item 1A. Risk Factors” under the headings “We face risks related to our operational, technological and organizational infrastructure,” and “A cyber-attack or other security incident on us or third parties (including their supply chains) with which we conduct business, including an incident that results in the theft, loss, manipulation or misuse of information (including personal information), or the disabling of systems and access to information critical to business operations, may result in increased costs, reductions in revenue, reputational damage, legal exposure and business disruptions.”

Governance

The Board of Directors is responsible for providing oversight of our Framework. The Risk Committee of the Board of Directors (“Risk Committee”) assists the full Board of Directors in discharging these responsibilities. The Risk Committee is responsible for overseeing our Framework, including cybersecurity and technology risk. The Risk Committee regularly receives reports from management on our cybersecurity and technology risk profile, on key enterprise cybersecurity initiatives, and on any identified significant threats or incidents, or new risk developments, which, in the aggregate, are intended to present an overall view on the status of our cybersecurity program and the Company’s compliance with applicable legal and regulatory requirements. The Risk Committee coordinates with the full Board of Directors regarding the strategic implications of cybersecurity and technology risks. At least annually, the Board of Directors, either directly or through the Risk Committee, reviews our technology strategy with the Chief Information Officer (“CIO”); reviews our cybersecurity program with the Chief Information Security Officer (“CISO”) and the Chief Technology Risk Officer (“CTRO”); and approves our cybersecurity policy and program. In addition, the Risk Committee and the Board of Directors participate in periodic cybersecurity education sessions.

We assess and manage risk at the enterprise level according to our Framework using a three lines of defense model. For cybersecurity and technology risks, our first line of defense includes the following:

- Chief Information Security Officer: The CISO establishes and manages the enterprise-wide cybersecurity program.
- Chief Information Officer: The CIO oversees the establishment of appropriate governance, processes, and accountabilities within each business area to comply with our internal policies.

Our second line of defense includes the following:

- Chief Technology Risk Officer: The CTRO provides independent oversight of our cybersecurity programs and challenges first line risk management and risk-taking activities pertaining to cybersecurity and technology risk.
- The Executive Risk Committee: This committee provides a forum for our top management to have integrated discussions of risk management across the enterprise, including cybersecurity and technology risk, with the purpose of ensuring prioritization and awareness, encouraging alignment, and coordinating risk management activities among key executives. Primary responsibility for specialized risk categories, such as cybersecurity and technology, can also be delegated to other senior management sub-committees, as appropriate.

Our third line of defense is comprised of:

- Internal Audit: Our internal audit team provides independent and objective assurance to senior management and to the Board of Directors that our cybersecurity and technology risk management processes are designed and working as intended.

In order to be appointed to one of the roles described above, we require the individuals to possess significant relevant experience and expertise in information security, technology, risk management or audit, as demonstrated by a combination of prior employment, possession of relevant industry certifications or related degrees, and other competencies and qualifications. In particular, our CISO has more than 30 years of cybersecurity and information technology experience, including nearly five years as CISO at a major global technology company before joining the Company, and holds a CISO Certificate from Carnegie Mellon’s Heinz College. Our CTRO has been in cybersecurity for approximately 25 years and spent over three years as the global CISO of a G-SIB. Prior to that, he served as a senior executive in cybersecurity in the U.S. government. Our CIO has been with the Company for approximately 20 years, during which he has overseen multiple technology transformation initiatives, including the Company’s transition to the public cloud. He holds degrees in physics and business administration from Harvard University.


Company Information

Name: CAPITAL ONE FINANCIAL CORP
CIK: 0000927628
SIC Description: National Commercial Banks
Ticker: COF - NYSE; COF-PI - NYSE; COF-PJ - NYSE; COF-PK - NYSE; COF-PL - NYSE; COF-PN - NYSE
Website:
Category: Large accelerated filer
Fiscal Year End: December 30