BDQCRM Service Offering Phase I Scoring
Black Diamond Quantitative Cyber Risk Management Group
Black Diamond Quantitative Cyber Risk Management (BDQCRM) Service Offering – Phase I Scoring
The Founders of BDQCRM, Dr. Robert Mark, Michael Angelo and Mitchell Grooms, are experienced Risk
Management Professionals with global expertise in designing, constructing, implementing and
operationalizing comprehensive solutions for Cybersecurity Risk Management programs (including
Regulatory approval).
BDQCRM offers a comprehensive, resilient, preventative, Quantitative Cybersecurity Risk Management
program for financial intermediaries and corporations. The proof of concept is demonstrated by
operationalizing Phase I (Scoring) of the three-part framework. Phase I is a Security review and
analysis consisting of 1) a Technical and Process review of the infrastructure, 2) Scoring, and 3)
Assessments. Its purpose is to stress-test the Security infrastructure for protection and preparedness,
generate a migration plan to enhance the Security infrastructure, develop a Residual Risk Management
plan to manage the risk, identify the price of and obtain the desired insurance by operationalizing an
ERM framework that transparently demonstrates the management of Cybersecurity risk, deliver summary
assessments to the Board and Senior Management as appropriate, and link to Phase II and Phase III if
so prescribed.
BDQCRM Discussion Points
Executive Summary: Organizations face a host of Regulatory challenges (Federal Financial
Institutions Examination Council, Securities and Exchange Commission Office of Compliance
Inspections and Examinations, Federal Trade Commission, Financial Conduct Authority,
Prudential Regulation Authority, Bank of England CBEST, Monetary Authority of Singapore,
others), which also carry embedded standards, e.g., ISO 27001 and PCI DSS compliance. In
addition, the business environment and corporate infrastructure challenges of managing
earnings in the digital economy include the management of significant Cybersecurity Risk.
Cybersecurity is a significant risk with extraordinary, exponential aspects (Operational Risk that
morphs into Credit Risk and escalates harm), and a major risk in managing earnings and
assuring corporate survival in the digital economy. To manage earnings in today’s environment
it is essential to assess the Security infrastructure and processes of your company and build an
Enterprise Risk Management (ERM) Framework that incorporates Cybersecurity Risk
Management into the company’s overall earnings management, governance and ERM program.
The first step in operationalizing a successful Quantitative Cybersecurity Risk Management
Program is Scoring.
BDQCRM Service Offering
Phase I Scoring
a) Security Review and Analysis
Technical Analysis
Process Analysis
b) Cybersecurity Risk Management Scoring
Quantitative Cybersecurity Risk Management Scoring
o Scoring is based on a multilayered, granular assessment
Migration Strategy Recommendations
o Protect and prepare
o Coordinate with and inform the primary Regulator, as requested
c) Cybersecurity Residual Risk Mitigation Strategy
Assessment of Cyber Risks and Determination of How to Manage Cyber Risks
Introduction of Cyber Risk Transfer Pricing & Transparency
d) Cybersecurity Residual Risk Study for the purposes of pricing and acquiring Cyber Risk
Insurance
Pricing and evaluation for structuring Cyber Insurance
Trade-offs between self-insurance and buying Cyber Insurance
e) Executive presentation to Senior Management and the Board of the Phase I Cyber Risk
Assessment and Scoring results
o Protect and assess current level of Preparedness for Cybersecurity
o Shift from Reactive, Event-driven Cybersecurity Risk Management to
Preventative Cybersecurity Risk Management
Phase II Cybersecurity Risk Management Database Recommendation
o Develop Cybersecurity Proactive Risk Management Business Intelligence
Phase III Quantitative Cybersecurity Risk Management Program Recommendation
o Operationalize Quantitative Cybersecurity Risk Management Program
o Harmonize Security, Information Security, Cybersecurity with Office of the
CRO* (See Note)
o Implement Cybersecurity Risk Management Capital Management Program
o Establish the transparency of the Quantitative Cybersecurity Risk Management
Program internally for the Board, Executive Management, CRO & CSO,
externally, for the primary Regulator(s)
How Phase I (Scoring) of the Cybersecurity Program works:
1) Scoring
2) Assessments
Statement of Work
1) Scoring
Using the BDQCRM Scoring System we perform a Security analysis of the infrastructure on both a
Technical and a Process basis. The analysis covers:
Cybersecurity Controls
External Dependency Management
Cybersecurity Controls
Connectivity includes:
o ISPs
o Unsecured External Connections (FTP, Telnet, rlogin)
o Wireless Network Access Points
o Personal Devices Allowed to Connect to the Corporate Network
o PCI DSS compliance
o The total number of Third parties, including the number of organizations and the number of
individuals from vendors and subcontractors, with access to internal systems (e.g., virtual
private network, modem, intranet, direct connection)
o Wholesale customers with dedicated connections
o Internally hosted and developed, or modified vendor, applications supporting critical activities
o Internally hosted, vendor-developed applications supporting critical activities
o User-developed technologies and user computing that support critical activities
o Critical operations at End-of-Life (EOL): a majority of critical operations dependent on systems
that have reached EOL or will reach EOL within the next 2 years, or an unknown number of
systems that have reached EOL
o A majority of operations dependent on OSS that supports critical operations
o Network devices (e.g., servers, routers, and firewalls), physical and virtual
o Third-party service providers storing and/or processing information that supports critical
activities (they do not have access to internal systems, but the institution relies on their services)
o Cloud computing services and Cloud providers, including the Cloud provider locations used and
international use of public Cloud
Patch Management
External Dependency Management
Delivery Channels includes:
o Online presence that serves as a delivery channel for Wholesale Customers, including a focus on
account originations and managing large-value assets
o Mobile Asset Management application, assessing full functionality, including originating new
transactions (e.g., ACH, wire)
o ATM services managed internally; ATM services provided to other financial institutions; ATMs at
domestic branches and retail locations; cash reload services managed internally
o Debit or credit cards issued directly; cards issued on behalf of other financial institutions; prepaid
cards issued internally, through a third party, or on behalf of other financial institutions
o Direct acceptance of emerging payments technologies; moderate transaction volume and/or
foreign payments; Person-to-Person payments (P2P)
o Sponsorship of third-party payment processors; origination of ACH debits and credits; wholesale
payments (e.g., CHIPS); wire transfers
o Merchant remote deposit capture (RDC); Global remittances; Treasury services; Trust services
o Acting as a Correspondent Bank, a Merchant acquirer (sponsoring Merchants or card processor
activity into the payment system) or a card payment processor
o Hosting IT services or providing IT services for other organizations (either through joint systems
or administrative support)
Ongoing Monitoring includes: Efforts to develop new auditable processes for ongoing
monitoring of Cybersecurity risks posed by third parties, and an incident response process that
includes detailed actions and rules-based triggers for involving law enforcement.
2) Assessments
The Security Review and Assessment, including Technical and Process analysis, initiates the
comprehensive BDQCRM Program and establishes the level of preparedness and the most
efficient, capable path to protect your business.
Upon completion of the Security analysis and Scoring we provide specific assessments for
internal and external use:
Risk Mitigation Assessment for internal usage: enhancing the Security infrastructure and
determining Residual Risk Mitigation strategies based on the results of the Scoring. The results
can be acted on immediately, using Operational Risk mitigation strategies to remove the
Operational Risks identified. Because the Scoring identifies each Risk and how to reduce it, it
yields an immediate Security migration strategy for Hermes Investment Management, covering
applications for business development and new products.
Residual Risk Mitigation Assessment, used to develop pricing for insurance.
Board and Senior Management Presentation, including: recommendations for Phase II and
Phase III of the Quantitative Cybersecurity Risk Management Program; Cybersecurity Risk
Management training for non-Executive Board Members; recommendations on how to set the
target state of Cybersecurity preparedness that best aligns with the board of directors’ (board)
stated or approved risk appetite; review, approval and support of plans to address risk
management and control weaknesses; analysis and presentation of results for executive
oversight, including key stakeholders and the board or an appropriate board committee;
recommendations on how to oversee the performance of ongoing monitoring so as to remain
nimble and agile in addressing evolving areas of Cybersecurity Risk; and recommended
changes to maintain or increase the desired level of Cybersecurity preparedness.
o Note: What differentiates us from other solutions is that we provide a 3-phase
approach; others provide a strategy which does not harmonize Security,
Information Security, and Cybersecurity with the Office of the CRO.