CAPITAL ONE FINANCIAL CORP - (COF)

10-K Filing Date: February 22, 2024
Item 1C. Cybersecurity
Risk Management and Strategy
As a financial services company entrusted with the safeguarding of sensitive information, including sensitive personal information, we believe that a strong enterprise cybersecurity program is a vital component of effectively managing risks related to the confidentiality, integrity and availability of our data. While no organization can eliminate cybersecurity and information technology risk entirely, we devote significant resources to a cybersecurity program designed to mitigate such risks.
We manage cybersecurity and technology risk at the enterprise level according to our Framework, as described in more detail under “Part II—Item 7. MD&A—Risk Management” in this Report, which uses a three lines of defense model. Our cybersecurity risks are managed programmatically under the “operational risk” category of our Framework. Through this Framework, we establish practices for assessing our risk posture and executing key controls for cybersecurity and technology risk, data management, and oversight of third parties with which we do business.
These operational risks are managed within a governance structure that consists of defined roles and responsibilities, formal governance bodies, and processes, policies and standards.
Our policies and procedures define an overall, enterprise-wide approach for managing information security and technology risk. They establish the following process to identify, assess and manage such risks across our three lines of defense:
1. Identification: We evaluate the activities of our lines of business on a regular basis to identify potential technology risk, including cybersecurity threats and vulnerabilities. This process takes into account the changing business environment, the technology and cyber threat landscape, and the objectives of the line of business being assessed.
2. Assessment, Measurement and Response: Management assesses identified risks to estimate such risk’s potential severity and the likelihood of occurrence. Once a risk is identified and measured, management determines the appropriate response, including determining whether to accept the risk in accordance with our established risk appetite, or alternatively to implement new controls, enhance existing controls, and/or develop additional mitigation strategies to reduce the impact of the risk.
3. Monitoring and Testing: Management is required to evaluate the effectiveness of risk management practices and controls through monitoring of key risk indicator metrics, testing and other activities. Identified issues are remediated, addressed via mitigation plans, or escalated, in line with our risk appetite.
4. Aggregation, Reporting and Escalation: Management collects and aggregates risks across the Company in order to support strategic decision-making and to measure overall risk performance against risk appetite metrics. Management also establishes processes designed to escalate, report, and address risks and deficiencies within different business lines, according to the requirements of our policies. For additional information regarding the escalation of these risks to the Board of Directors, see “Governance” below.
Our policies and procedures collectively help execute a risk management approach that accounts for cybersecurity threats specifically targeting us, as well as those that may arise from our engagement with business partners, customers, service providers and other third parties. For example, we have processes designed to oversee and identify material risks from cybersecurity threats associated with our use of third-party service providers. The procedures, capabilities and processes established under our policies are subject to regular review by the Chief Information Security Officer (“CISO”) and Chief Technology Risk Officer (“CTRO”). See “Governance” below for more information.
As part of our cybersecurity program, we employ a range of security mechanisms and controls throughout our technology environment, which include the use of tools and techniques to search for cybersecurity threats and vulnerabilities, as well as processes designed to address such threats and vulnerabilities. We also engage a number of external service providers with additional knowledge and capabilities in cybersecurity threat intelligence, detection, and response. In addition, a range of cyber educational initiatives are employed to promote best practices for protecting our information and data, and reporting cyber threats and other risks to corporate systems, data, and facilities.
We also maintain an Enterprise Cyber Response Plan (“ECRP”) for handling potential or actual cybersecurity events that could impact us and our personnel, data, systems and customers. The ECRP defines the roles and responsibilities of various teams, individuals, and stakeholders in performing this enterprise response, guides decision making for escalation and other actions, and helps to plan follow-on actions designed to reduce the likelihood of similar events’ recurrence in the future.
We do not believe that risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, such as the 2019 Cybersecurity Incident, have materially affected our overall business strategy, results of operations, or financial condition. For further discussion of cybersecurity, and related risks for our business, see “Item 1A. Risk Factors” under the headings “We face risks related to our operational, technological and organizational infrastructure,” and “A cyber-attack or other security incident on us or third parties (including their supply chains) with which we conduct business, including an incident that results in the theft, loss, manipulation or misuse of information (including personal information), or the disabling of systems and access to information critical to business operations, may result in increased costs, reductions in revenue, reputational damage, legal exposure and business disruptions.”
Governance
The Board of Directors is responsible for providing oversight of our Framework. The Risk Committee of the Board of Directors (“Risk Committee”) assists the full Board of Directors in discharging these responsibilities.
The Risk Committee is responsible for overseeing our Framework, including cybersecurity and technology risk. The Risk Committee regularly receives reports from management on our cybersecurity and technology risk profile, on key enterprise cybersecurity initiatives, and on any identified significant threats or incidents, or new risk developments.
The Risk Committee coordinates with the full Board of Directors regarding the strategic implications of cybersecurity and technology risks.
At least annually, the Board of Directors, either directly or through the Risk Committee, reviews our technology strategy with the CIO; reviews our information security program with the CISO and the CTRO; and approves our information security policy and program. In addition, the Risk Committee and the Board of Directors participate in periodic cybersecurity education sessions.
We assess and manage risk at the enterprise level according to our Framework using a three lines of defense model.
For information security and technology risks, our first line of defense includes the following:
Chief Information Security Officer: The CISO establishes and manages the enterprise-wide information security program.
Chief Information Officer: The CIO oversees the establishment of appropriate governance, processes, and accountabilities within each business area to comply with our internal policies.
Our second line of defense includes the following:
Chief Technology Risk Officer: The CTRO provides independent oversight of our information security and technology risk programs and challenge of first line risk management and risk-taking activities pertaining to information security and technology risk.
The Executive Risk Committee: This committee provides a forum for our top management to have integrated discussions of risk management across the enterprise, including cybersecurity and technology risk, with the purpose of ensuring prioritization and awareness, encouraging alignment, and coordinating risk management activities among key executives. Primary responsibility for specialized risk categories, such as cybersecurity and technology, can also be delegated to other senior management sub-committees, as appropriate.
Our third line of defense consists of:
Internal Audit: Our internal audit team provides independent and objective assurance to senior management and to the Board of Directors that our information security and technology risk management processes are designed and working as intended.
We require individuals appointed to any of the roles described above to possess significant relevant experience and expertise in information security, technology, risk management or audit, as demonstrated by a combination of prior employment, possession of relevant industry certifications or related degrees, and other competencies and qualifications.