Governance Response Memo (Capital One 2019)
Use this to respond to an audit or regulatory request focused on governance: roles, committees, reporting, escalation, and accountability.
Hallucinated writing examples
Scenario. In November 2020, following the July 2019 incident and the Consent Order (August 6, 2020) (time), the OCC examiner (audience) requests a formal description of the Bank's security governance structure—roles, committees, reporting, and accountability. The Chief Information Security Officer (role) must submit a governance response memo (type) that explains who owns what, how oversight works, and what evidence supports the description. The memo will be used in the examination and must align with the Consent Order's governance requirements.
GOVERNANCE RESPONSE MEMO
Context. This memo responds to the examiner's request for a description of the Bank's security governance structure, roles, and oversight following the July 2019 cybersecurity incident and the Consent Order and Civil Money Penalty issued by the Office of the Comptroller of the Currency on August 6, 2020 (OCC NR 2020-98). The incident involved unauthorized access to customer data in our AWS-hosted infrastructure; the individual responsible was arrested on July 29, 2019 (United States v. Paige A. Thompson, U.S. District Court, W.D. Wash.). The Consent Order required the Bank to strengthen board and management oversight of cybersecurity, risk management, and reporting to the OCC. The following describes our governance structure as strengthened to meet those requirements.
Governance model. The Board of Directors delegates oversight of technology and cybersecurity risk to the Board Audit Committee. The Committee receives quarterly reports on security program status, key risks, Consent Order progress, and key metrics. Reporting line: the Chief Information Security Officer reports to [designated executive]. Security leadership participates in [committee name] for operational risk. Charters and minutes are maintained; the Audit Committee charter (as of [date]) and org chart showing the security reporting line are attached.
Security ownership. The Chief Information Security Officer is accountable for security strategy, policy, standards, and control implementation. Authority includes approval of security exceptions within policy limits and escalation to the Board for material risk acceptances. This structure was reinforced following the 2019 incident and is reflected in the Consent Order commitments.
Risk and control oversight. Risk and control issues are escalated via [defined path]. Material incidents and Consent Order milestones are reported to the Audit Committee. Risk acceptances require documented rationale and revisit dates. Policies and standards are approved by [authority]; the CISO organization maintains standards and updates them per [cadence]. Exceptions are requested through [process] and documented. Attached: policy approval record; last Committee meeting date and security briefing summary. The Bank is committed to maintaining clear accountability and evidence of oversight per the Consent Order.
Official document (governance in enforcement and disclosure)
The OCC consent order required Capital One to strengthen governance—board reporting, risk management, and accountability—not only technical controls. 10-K Item 1C and proxy disclosures describe how the board oversees cybersecurity, which is the public face of “governance response.”
- OCC Consent Order (2020): OCC Consent Order and Civil Money Penalty against Capital One — required governance improvements: board oversight, management accountability, and reporting to the OCC.
- Capital One 10-K: Capital One 10-K — Item 1C describes board and management roles, risk management, and reporting; use as a model for “who owns what.”
- SEC Disclosure Guidance: SEC Cybersecurity Disclosure Guidance — expectations for governance disclosure.
Governance response memos are often confidential; the consent order and 10-K show how regulators expect roles and oversight to be documented.
Writing analysis
How governance response memos are typically structured
- Context — Request or finding being addressed.
- Governance model — Board and committee structure; reporting lines.
- Security ownership — CISO/security leadership role and authority.
- Risk and control oversight — How risk and controls are reviewed and escalated.
- Policies and standards — How they are set, maintained, and enforced.
- Evidence — Minutes, charters, org charts, and policy approval records.
- Conclusion — Summary of governance and any commitments.
What to emulate
- Back every governance claim with an artifact (charter, org design, minutes, policy approval).
- Use clear reporting lines and escalation paths so “who decides what” is unambiguous.
- Align with regulatory language (e.g., “board oversight,” “management accountability”) so the memo speaks the examiner’s language.
What to improve
- Avoid vague “tone at the top” statements; cite specific committees, cadence, and deliverables.
- Include a short evidence index (charter, last meeting date, policy version) so the auditor can verify quickly.