November 03, 2020

OCC and HIPAA Cybersecurity Regulator Fines Now in Hundreds of Millions


Regulators are increasing enforcement actions and penalties against the big banks for failures in cyber risk management, and the rest had better take notice. Between August and October of 2020, the Office of the Comptroller of the Currency (OCC), an independent bureau of the U.S. Department of the Treasury, imposed $625 million in fines on major financial institutions.1 In the same period of 2019, by comparison, no actions were taken against the banks (OCC, 2019), underscoring the magnitude of the 2020 actions.

In a 2019 statement, however, FDIC Chairwoman Jelena McWilliams predicted that fines would increase. She also admitted that protecting banks and consumer data is “prohibitively expensive.”2 One may argue that we should have seen this coming, but realistically speaking, no one could have anticipated the ferocity with which regulators have gone after the banks these past few months. Nor could they anticipate the financial scale we have seen, especially with the acknowledgement that there isn’t enough money to properly defend against the breaches they are experiencing.

Fines Against Financial Institutions for Cybersecurity Failures

The OCC levied massive fines—on just four banks—citing cybersecurity failures as the reason. Let’s break down that $625 million in fines in Table 1.

 

| Date | Institution | Fine | Reason |
| --- | --- | --- | --- |
| August 6, 2020 | Capital One | $80 million | 2019 hack of 100 million credit card applications3 |
| October 7, 2020 | Citibank | $400 million | Deficiencies in data governance, risk management, and internal controls4 |
| October 8, 2020 | Morgan Stanley | $60 million | Failing to properly decommission hardware containing sensitive data5 |
| October 14, 2020 | USAA | $85 million | Unsafe and unsound practices related to the bank’s compliance risk management program and IT risk governance program6 |

Table 1 - Fines against financial institutions for cybersecurity failures in 2020

Previously, there were a considerable number of threats of enforcement against the banks, but actual regulatory damages were pretty limited. This new data shows that regulators are willing to take bold action to curtail bank behaviors they feel are insufficient. Interestingly, these enforcements have all come toward the latter part of the year, indicating that regulators are finally getting their footing back following COVID-19-related impacts to their routines.

Fines Against Healthcare Organizations for Cybersecurity Failures

Now let’s look at how this compares to the only other commercial industry that is federally regulated for cybersecurity failures: healthcare. The healthcare industry is governed by the Health Insurance Portability and Accountability Act (HIPAA) through the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS). During that same period, August through October of 2020, the OCR settled fines totaling $11,046,500.7 Of the 11 actions, the three largest fines equaled $10,650,000, or roughly 96.4% of the total. Table 2 details the distribution of these three fines.

 

| Date | Institution | Fine | Reason |
| --- | --- | --- | --- |
| September 21, 2020 | Athens Orthopedic Clinic PA | $1.5 million | HIPAA noncompliance8 |
| September 23, 2020 | CHSPSC LLC | $2.3 million | Breach of Protected Health Information (PHI) affecting more than 6 million people9 |
| September 25, 2020 | Premera Blue Cross | $6.85 million | Breach of Protected Health Information (PHI) affecting more than 10.4 million people10 |

Table 2 - Fines against healthcare organizations for cybersecurity failures in 2020

In the same time period in 2019, there were only three fines against healthcare organizations, totaling $2.2 million. The 2020 fines represent roughly a 392% increase. The trend is the same as in banking, but only 1.4% of the fines were imposed on the banks.

The Future of Cybersecurity Regulation Enforcement and Fines

Based on the trends, here are a few parting thoughts on what to look for going forward:

  • Increased inspections. Regulatory inspections will increase in scope and velocity. Expect the rate of Requests for Information (RFIs) to go up and the required response times to go down.
  • Fine-tuned frameworks. Focus on frameworks will increase, both from banks looking for defensible strategies and from regulators looking for clear-cut standards to assess against.
  • Delayed improvements. Cloud transitions will be the long-term beneficiaries of this. Most organizations will not be able to achieve real risk management improvements without substantial refactors. However, businesses will not be able/willing to invest in these major refactors without other business benefits such as speed, stability, and efficiency.
  • Election-related shift. A Democratic presidential win may increase the rate of enforcements.
