JUNE 26, 2026 - 5 MIN READ
How Capital One reshaped its 3rd-party cyber and risk model
- Data Governance
- Data Security
- Databolt
April WilliamsProduct Marketing Manager, Capital One Software
At the recent Gartner Security & Risk Management Summit in National Harbor, MD on June 3rd, Andrew Scott, Capital One’s VP of Cyber Third-Party Risk Reduction, and Ana Matei, Capital One Software’s Sr. Director Cyber Field CTO, took the stage to address one of the most critical vulnerabilities in modern enterprise security: the supply chain.
Their session, "Beyond Compliance: Capital One’s Approach to Cyber Third-Party Risk Reduction," outlined how to shift from passive, check-the-box compliance to active, engineering-led third-party risk remediation. By integrating advanced technology directly with business processes, Capital One is securing its third- and fourth-party ecosystems, ensuring external vendors meet the same rigorous cybersecurity standards as internal teams.
Why traditional compliance fails
Andrew Scott opened the session by contextualizing the modern threat landscape using a blend of public sector experience and private sector data. Having spent 25 years in government within the CIA, CISA, State Department and White House, he noted a definitive common denominator: A large percentage of major cyber incidents over the past decade have been enabled or accelerated through third-party vendors.
"Threat actors are incredibly pragmatic," Scott said during the presentation. "They are looking for the path of least resistance. Why spend months trying to crack the front door when they can compromise a smaller vendor you use?"
This "side door" vulnerability is the new reality:
According to data published by Gartner, 76% of executive risk committee members consider third-party vulnerabilities a priority.
As outlined by Marsh Risk, 36% of all corporate data breaches (opens in new tab) originate from a third-party compromise.
Between 2020 and 2025, Capital One observed a 400% increase in cyber incidents affecting its third-party vendors.
Traditional third-party risk management relies on security questionnaires and self-reported certificates. But as Scott summarized, "Questionnaires don't stop malware."
Minimizing risk from evolving third-party cyber threats has required Capital One to shift our security philosophy away from absolute prevention toward systemic resilience. Operating under the assumption that our vendors will be compromised, our goal is to strip the value from the data itself. If a vendor is breached, the stolen data must be completely useless to the attacker.
Extending the baseline to the supply chain
As a starting point, Capital One has shifted to treating the security of its vendors as an extension of its own baseline. We have focused on enforcing two primary control pillars to neutralize common attack vectors:
1. Identity and access management
As shown in a recent Data Breach Investigations Report by Verizon Business, compromised credentials cause roughly 22% of data breaches (opens in new tab). Capital One requires third parties to implement phishing-resistant Multi-Factor Authentication (MFA) deployed via federated Single Sign-On (SSO) to eliminate weak vendor passwords as an entry point.
2. Data protection
Capital One is mandating field-level encryption or tokenization for any high-risk vendor holding sensitive data, drastically shrinking the blast radius of a potential compromise. While both encryption and tokenization render data useless if stolen, as we moved to the cloud, Capital One standardized heavily on tokenization for protecting our most sensitive data. Unlike encryption, which alters the underlying data structure, tokenization maintains the data's format and referential integrity. This means Capital One’s data scientists and applications can still run complex queries on the tokenized data without needing to detokenize it first.
The results
Enforcing these control pillars and leaning into an engineering-led risk remediation approach has already reduced existing risk to Capital One. We have reduced MFA/SSO technical exceptions by 15% across our entire population. More importantly, on the data front, multiple high-risk vendors are already committing to adopt field-level encryption or tokenization, specifically to meet our new, higher standards.
The architecture of tokenization
While encryption is a standard defense, it is only as secure as the keys that control it. If an attacker compromises the decryption keys—frequently lost via credential theft or cloud misconfigurations—they gain immediate access to the raw text.
Vaultless tokenization neutralizes the threat of simple key compromise. While tokens are mathematically derived placeholders for sensitive data (like an SSN or account number); reversing them requires more than just a stolen key. The transformation is inextricably linked to the secure tokenization infrastructure. If tokens fall into the wrong hands, they are merely unusable strings of text.
Additionally, tokenization preserves the format and referential integrity of data. A tokenized database allows applications to run complex queries, analytical models and sorting algorithms without ever needing to detokenize the records, keeping data secure across trust boundaries.
The scale challenge and Databolt
When Capital One migrated entirely to the public cloud, it needed a tokenization solution that could process billions of real-time daily operations without latency or ingestion bottlenecks.
Commercial options fell short on speed, scale and cloud-native integration, so we built our own tokenization engine. After various enhancements to our own internal product, we built Databolt, a high-performance, vaultless tokenization engine for commercial use.
How Databolt secures the ecosystem
Ana Matei broke down the specific architectural capabilities that allow Databolt to bypass traditional tradeoffs between security and business utility:
Vaultless architecture: Unlike old-school platforms that rely on a massive central database to map tokens, Databolt uses a highly-optimized, vaultless design. It executes millions of operations per second, enabling fast data ingestion and real-time analytics with limited infrastructure latency.
In-environment security: Tokenization operations, keys and policies remain entirely within the enterprise's controlled environment. Sensitive data does not need to transit to an external tokenization vendor's environment to be secured.
Format-preserving customization: The engine generates tokens that mimic the format, length and traits of the input fields, maintaining downstream application compatibility.
Developer integration: To simplify deployment across diverse engineering teams and external partners, Databolt provides native SDKs for Java, Python, PySpark and GoLang, with native integrations into modern platforms like Snowflake, Databricks and AWS.
The usability impact on AI and analytics
Matei shared an independent assessment that Capital One Software conducted with PwC to measure the impact of data tokenization on model accuracy and analytical utility within real-world AI/Machine Learning (ML) workloads.
The data masking approach: Models trained in a masked environment retained approximately 50.6% of their predictive performance compared to models trained using clear text.
The Databolt tokenization approach: Models trained on tokenized data successfully retained 99.7% of their predictive performance compared to models trained using clear text.
These findings demonstrate that organizations no longer have to sacrifice utility for data protection. Instead, advanced security controls can directly enable innovation by transforming sensitive data into usable, non-sensitive tokens.
Real-world impact at scale
Capital One’s shift from compliance checklists to active data engineering is proven at scale. To date, its centralized tokenization platform protects 29 distinct sensitive data types integrated natively across more than 900 core business applications, processing billions of records seamlessly.
By deploying an architecture where data is tokenized immediately on write, we insulate our assets from vendor vulnerabilities. If an external supplier suffers a cyber attack, proactive remediation ensures the compromised data holds no value for the adversary.
A checklist for leadership
Organizations aiming to secure their third- and fourth-party ecosystems should adopt four key principles:
Assume the vendor breach: Stop focusing exclusively on perimeter walls. Assume third-party systems will face compromise, and focus engineering efforts on neutralizing the value of the data stored within those environments.
Enforce the enterprise baseline externally: Do not allow vendor contracts to rely on lower security standards. Enforce core identity controls (like phishing-resistant MFA) and explicit data protection standards as non-negotiable criteria for doing business.
Evaluate controls against business and security needs: Avoid security controls that break business processes or impair analysis. Implement high-performance, vaultless tokenization to keep data usable for analytics and AI initiatives while ensuring it remains un-exploitable if stolen.
Partner through technology: Move your third-party risk management division from a legal and compliance function into an engineering discipline. Work directly with critical ecosystem vendors, providing clear technical guidelines and developer-friendly tooling to help them meet your standards.
By utilizing modern security platforms like Databolt and holding external partners to a rigorous, technology-driven baseline, organizations can turn supply chain risk from an ongoing vulnerability into a managed, resilient component of business growth.
Ready to take your supply chain security to the next level? Learn more about how Databolt can help your enterprise protect sensitive data at scale, preserve analytical accuracy for your AI models and secure your third-party ecosystem. Explore Databolt today.
April Williams
Product Marketing Manager - Capital One Software
April Williams is a Product Marketing Manager at Capital One Software, where she serves as a strategic marketing intent owner for the enterprise data protection platform, Databolt. With over a decade of enterprise marketing experience, April has a deep background in product positioning and content development. She specializes in technical content engineering, lead-generation strategy and thought leadership programming.
Footnotes
DISCLOSURE STATEMENT: © 2026 Capital One. Opinions are those of the individual author. Unless noted otherwise in this post, Capital One is not affiliated with, nor endorsed by, any of the companies mentioned. All trademarks and other intellectual property used or displayed are property of their respective owners.
