The Federal Reserve is beginning to focus on cybersecurity and the impact that a data breach could have on the stability of the banking system. Some banks are finding significant value using SR 11-7 compliant regression models. We explain how these models can be combined with the security team’s Incident Response Plan to argue for a substantially lower loss reserve in the context of CCAR Idiosyncratic Scenarios.
How to prevent data breach risk from impacting capital ratios
Authors: Srinivas Peri, Thomas Lee PhD
The Federal Reserve is beginning to focus on cybersecurity and the impact that a data breach could have
on the stability of the banking system (see MarketPlace.org). Although expert judgment is allowed for
assessing the financial impact of a data breach, some banks are finding significant value using SR 11-7
compliant regression models (see SlideShare). We have explained elsewhere how these models can support
Internal Audit and demonstrate a stronger risk management culture. Here we explain how these same
models can be combined with the security team’s Incident Response Plan to argue for a substantially lower
loss reserve in the context of CCAR Idiosyncratic Scenarios.
The cost of a data breach, as characterized by a model trained on cross-industry data breaches, is best described as a lognormal distribution with a long tail. The lognormal distribution characterizes the probability versus cost relationship, and it shows that the most probable cost is not high. But using the confidence intervals in the CCAR stress test that are commonly used for credit loss can result in a very high cost forecast and a significant impact on capital ratios.
For example, the median cost of a data breach caused by a malicious outsider affecting 50 million
households is just $61 million, while the 80% confidence interval is a staggering third-of-a-billion dollars.
But unlike credit loss, which is a strong function of the overall economy, the factors controlling the cost of a data breach are within the control of the bank.
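As an added worked example (not the authors' model or code), the following Python recovers the lognormal parameters implied by the two figures quoted above and shows how the forecast cost depends on the confidence level chosen for the reserve. It assumes the "third-of-a-billion" figure is the 80th percentile of cost (the text does not say whether its 80% interval is one- or two-sided); the median, that quantile, and the function names are the only inputs, and the mode formula is the standard one for a lognormal.

```python
import math
from statistics import NormalDist

# Figures quoted in the text for a malicious-outsider breach of 50M households.
MEDIAN_COST = 61e6
UPPER_COST = 1e9 / 3   # "a third-of-a-billion dollars"
UPPER_P = 0.80         # assumption: the "80% confidence interval" read as the 80th percentile

_STD_NORMAL = NormalDist()   # standard normal, used for z-scores


def fit_lognormal(median, upper_cost, upper_p):
    """Recover (mu, sigma) of ln(cost) from the median and one upper quantile.

    For a lognormal cost, ln(cost) ~ Normal(mu, sigma): the median is exp(mu)
    and the p-quantile is exp(mu + sigma * z_p), so two points pin down both.
    """
    mu = math.log(median)
    sigma = math.log(upper_cost / median) / _STD_NORMAL.inv_cdf(upper_p)
    return mu, sigma


def cost_at_confidence(mu, sigma, p):
    """Cost forecast at confidence level p (the p-quantile of the distribution)."""
    return math.exp(mu + sigma * _STD_NORMAL.inv_cdf(p))


def most_probable_cost(mu, sigma):
    """Mode of the lognormal, exp(mu - sigma^2): far below the median when the tail is long."""
    return math.exp(mu - sigma ** 2)


def reserve_table(mu, sigma, levels=(0.50, 0.80, 0.90, 0.95, 0.99)):
    """Forecast cost at each confidence level, i.e. the reserve each level would imply."""
    return {p: cost_at_confidence(mu, sigma, p) for p in levels}


if __name__ == "__main__":
    mu, sigma = fit_lognormal(MEDIAN_COST, UPPER_COST, UPPER_P)
    print(f"sigma of ln(cost): {sigma:.3f}")
    print(f"most probable cost: ${most_probable_cost(mu, sigma) / 1e6:,.1f}M")
    for p, cost in reserve_table(mu, sigma).items():
        print(f"{int(p * 100):>3}% level: ${cost / 1e6:,.0f}M")
```

Under the stated assumption the dispersion of ln(cost) comes out at roughly 2, which is why the most probable cost is only about a million dollars while the 95% and 99% levels run to several times the 80% figure; the spread between rows in the table is exactly the amount at stake in the choice of confidence interval that the rest of this note discusses.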
Modeling reveals two costs that dominate: 1) fines and lawsuits, when they occur, and 2) investigation costs. Investigation costs are the costs of the forensic investigation, which consists of using server and data access logs to determine the identity of the intruders, how they entered and what data was exposed. Investigation costs are reduced when 1) all logging is enabled for workstations, servers and data repositories, 2) logs are formatted uniformly and 3) logs are saved in a read-only fashion so that intruders cannot delete them. If the investigation is to be carried out by a third party, a pre-negotiated contract could also control costs.
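The second and third readiness conditions above can be made checkable rather than merely asserted. The following Python, an added example rather than anything from the authors or a product, normalizes three constructed log lines from differing native formats into one uniform record and then stores them as a hash chain, so that an edited, reordered or deleted entry is detected on verification. It goes slightly beyond the text: a hash chain makes deletion evident rather than impossible, and truncation of the newest entries is only caught when the latest hash is also kept out of band (in write-once storage, which is what the read-only requirement actually calls for). The line formats, hosts and field names are invented for the example.

```python
import copy
import hashlib
import json

# Constructed sample lines in three native formats (not real bank logs):
# a workstation login, a server request, and a data-repository query.
RAW_LINES = [
    ("workstation", "2024-03-01T09:12:03Z WS-0142 login user=jdoe result=success"),
    ("server", "2024-03-01T09:14:55Z api-7 GET path=/accounts/export actor=svc_report status=200"),
    ("repository", "2024-03-01 09:15:10 | db-prod | SELECT | table=customers | rows=50000000 | actor=svc_report"),
]

GENESIS = "0" * 64   # prev-hash recorded for the first entry


def normalize(source, line):
    """Map each (assumed) native format onto one uniform record: ts, source, host, action, fields."""
    if source == "repository":
        ts, host, action, *kv = [p.strip() for p in line.split("|")]
        ts = ts.replace(" ", "T") + "Z"          # bring the timestamp to the same ISO form
    else:
        ts, host, action, *kv = line.split()
    fields = dict(p.split("=", 1) for p in kv)
    return {"ts": ts, "source": source, "host": host, "action": action, "fields": fields}


def _digest(prev, record):
    """SHA-256 over the previous hash and a canonical JSON encoding of the record."""
    body = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev + body).encode()).hexdigest()


def chain(records):
    """Append-only hash chain: every entry commits to its predecessor's hash."""
    entries, prev = [], GENESIS
    for seq, rec in enumerate(records):
        h = _digest(prev, rec)
        entries.append({"seq": seq, "prev": prev, "record": rec, "hash": h})
        prev = h
    return entries


def verify(entries, expected_head=None):
    """Return (ok, first_bad_seq). Catches edited, reordered or deleted entries;
    with expected_head (the last hash stored out of band) it also catches truncation."""
    prev = GENESIS
    for seq, e in enumerate(entries):
        if e["seq"] != seq or e["prev"] != prev or _digest(prev, e["record"]) != e["hash"]:
            return False, seq
        prev = e["hash"]
    if expected_head is not None and prev != expected_head:
        return False, len(entries)
    return True, None


def demo():
    """Build the chain from the sample lines and try the tampering cases an investigator cares about."""
    entries = chain([normalize(src, line) for src, line in RAW_LINES])
    head = entries[-1]["hash"]                   # what would be anchored in write-once storage
    edited = copy.deepcopy(entries)
    edited[0]["record"]["fields"]["user"] = "someone_else"
    deleted = entries[:1] + entries[2:]          # middle entry removed
    truncated = entries[:2]                      # newest entry removed
    return {
        "intact": verify(entries, head),
        "edited": verify(edited, head),
        "deleted": verify(deleted, head),
        "truncated_no_anchor": verify(truncated),
        "truncated_anchored": verify(truncated, head),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:>20}: {result}")
```

The `truncated_no_anchor` case is the one to note for a readiness review: a chain that verifies cleanly says nothing about entries removed from its end, so the evidence that logs were preserved rests on the anchored head hash, not on the chain alone.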
Both the probability and the cost of lawsuits can also be managed, and an experienced law firm can help identify mitigation activities: for example, being careful with contracts and advertising promises, notifying victims and offering identity theft insurance in a timely manner, and being responsive through call centers.
These activities, which reduce the investigation cost and the probability of a lawsuit, are considered part of the Incident Response Plan, which is normally part of cybersecurity and the office of the CISO. A financial institution could therefore build a credible, well-documented case for using a smaller confidence interval simply by combining the security team's Incident Response Plan with model-based observations. The Incident Response Plan may, however, need to be bolstered with supporting documentation of readiness assessments, rectified deficiencies and demonstrable governance.
For example, to demonstrate that investigation costs are well managed, a third-party security company experienced in investigations could be engaged to write a report evaluating data logging and other readiness indicators. Remediation recommendations could be carried out, documented and signed off by management. A Standard Operating Procedure (SOP) could be approved by management outlining quarterly maintenance to ensure logging remains turned on, and these maintenance activities can be documented and signed off by management. This extra level of documentation may seem burdensome, but these activities are likely already carried out, and the security team might even welcome further justification for the Incident Response Plan.
For CCAR banks (Cybersecurity breaches are operational risk events - 14A A.6), all of these activities
could be included as model-enhanced expert judgement in the supporting documentation for 14A Schedule
E - Operational Risk Loss.
The possibility of a massive data breach is scary. The biggest risk is the unknown unknown, and a model that can accurately forecast costs, trained on a history of data breaches, reveals that this risk is more in the bank's control than most other risks. The cost of mitigating this risk can pay off in substantially lower operational risk loss reserves that affect a bank's capital ratios.
For more information, contact:
Srinivas Peri Srinivas.Peri@PrincetonStrategyGroup.com
Thomas Lee ThomasL@VivoSecurity.com