Security Transparency Report Section (Capital One 2019)

Use this to draft a section for an annual or ad-hoc transparency report covering security: requests received, incidents, and program highlights; supports accountability and stakeholder trust.


Hallucinated writing examples

Scenario. In March 2021, for the 2020 reporting period and following the July 2019 incident and OCC Consent Order (August 2020) (time), the Chief Information Security Officer (role) is asked to draft the security section of the Company's annual trust or transparency report (type) for the public and investors (audience). The section must summarize the incident, Consent Order, remediation progress, and commitments—in a form suitable for public disclosure and consistent with 10-K and other filings. The draft will be reviewed by Legal and Communications before publication.

SECURITY — TRANSPARENCY REPORT SECTION (DRAFT)

Reporting period: January 1, 2020 – December 31, 2020
Scope: U.S. operations; cybersecurity and data protection
Prepared for: Annual Trust / Transparency Report
Date: March 2021

Overview. Our security program protects customer and company data, manages technology and cyber risk, and meets regulatory and legal expectations. This section summarizes our approach, key metrics, notable events, and commitments for the reporting period. It should be read together with our SEC filings, including 10-K Item 1C (Cybersecurity) and Risk Factors, for a complete picture of material risks and incidents.

Material cybersecurity incident. In July 2019, we publicly disclosed that an unauthorized individual had obtained access to customer data stored in our AWS-hosted infrastructure. The incident affected approximately 106 million individuals in the United States and Canada. We fixed the vulnerability, notified federal law enforcement, and the individual was arrested on July 29, 2019 (United States v. Paige A. Thompson, U.S. District Court, W.D. Wash.). Remediation and program improvements have been ongoing since that time.

Regulatory and legal outcomes. In August 2020, the Office of the Comptroller of the Currency (OCC) issued a Consent Order and imposed an $80 million civil money penalty (OCC News Release NR 2020-98). The Consent Order required us to strengthen risk management, board and management reporting, cloud security, and third-party risk management. We are in compliance with Consent Order milestones and report progress to the OCC. Consumer class-action litigation related to the 2019 incident was resolved by a settlement approved by the U.S. District Court for the Eastern District of Virginia (In re Capital One Consumer Data Security Breach Litigation); settlement benefits and claims process are described at the settlement website.

Program highlights (2020). We have invested in cloud configuration governance (config-as-code, drift detection), identity and access management (least-privilege review), logging and retention, and independent control testing. Board and regulator reporting have been enhanced per the Consent Order. We are committed to maintaining a strong security program, meeting our Consent Order and legal obligations, and providing transparent and accurate disclosure to customers, regulators, and investors. We will continue to report material developments in our SEC filings and public statements. References: 10-K (Item 1C and Risk Factors); [Company security or privacy page]; [Settlement site]. For questions: [contact].


Official document (transparency in practice)

Capital One does not publish a standalone “security transparency report” in the same way some tech companies do; however, 10-K Item 1C, public statements, and settlement communications collectively provide a transparency narrative: incident, impact, response, and program commitments.

  • Capital One 10-K — Item 1C and risk factors describe governance, risk management, and material incidents in a structured way.
  • Capital One public statement (2019): Capital One Announces Data Security Incident — incident disclosure and customer commitment.
  • Industry practice: Some firms publish annual trust or transparency reports (e.g., requests, incidents, certifications); this section type fits that format.

Transparency report sections are often voluntary; 10-K and public statements show what is disclosed in a regulated context.


Writing analysis

How security transparency report sections are typically structured

  • Reporting period — Date range and scope.
  • Overview — Security mission and approach (brief).
  • Metrics — Incidents, requests (e.g., law enforcement), or other disclosed metrics.
  • Notable events — Significant incidents or changes (as appropriate to disclose).
  • Program highlights — Investments, certifications, or improvements.
  • Commitments — What the organization commits to going forward.
  • References — Link to full report, policy, or contact.

What to emulate

  • Keep metrics and events accurate and consistent with internal records, and have Legal and leadership review them before publication.
  • Balance transparency with legal and competitive constraints; do not promise more disclosure than you can sustain.
  • Clear “reporting period” and “references” so readers know scope and where to go for more.

What to improve

  • Avoid vague “we take security seriously”; use concrete metrics or commitments.
  • Align with 10-K and other disclosures so the section does not contradict formal filings.