Large data breaches are rare, but they do happen and the Federal Reserve is looking for evidence that a bank has enough capital to withstand the event. Some banks are demonstrating a strong risk management culture by using statistical models and VivoSecurity is helping by creating strong SR 11-7 and SR 15-18 compliant models using cross-company data.

1. VivoSecurity Inc.,
Los
Altos,
CA.
Email:
ThomasL@VivoSecurity.com
Carl
Friedrich
Gauss
who
discovered
the
Normal
(Gaussian)
distribution,
which
characterizes
random
events.
OPERATIONAL
RISK
MODEL
for
CCAR
Data
Breach
Idiosyncratic
Scenarios
Demonstrate
strong
risk
management
culture
for
tier-­‐1
capital;
prove
insurance
adequacy;
champion
or
challenger
model;
maintain
strong
Model
Risk
Management
with
a
SR
11-­‐7
and
SR
15-­‐18
compliant
model

2. The
Federal
Reserve
is
Focusing
on
Cybersecurity
Large data breaches are rare, but they do happen and the Federal Reserve is looking
for evidence that a bank has enough capital to withstand the event. But because they
are rare, any single company does not have sufficient data to predict the cost. An
analysis of cross-­‐company data is the only credible way to characterize the risk.
Some banks are demonstrating a strong risk management culture by using statistical
models and VivoSecurity is helping by creating strong SR 11-­‐7 compliant models using
cross-­‐company data. These models have the additional benefit of 1) bringing cyber
risk under the bank's model risk management framework, 2) providing a clearer
understand of what should be transferred with insurance and 3) allowing a bank to
benefit from cost reductions brought about from a mature incident response.
ü Strengthen Idiosyncratic Scenarios for CCAR/DFAST operational risk.
ü Challenge Models for Champion Models
ü Champion Models if no models
ü Justify a stance not to use cyber insurance
ü Demonstrate better management of risks to tier 1 capital

3. VivoSecurity
Inc,
1247
Russell
Ave,
Los
Altos
California;
Contact:
ThomasL@VivoSecurity.com,
(650)
919-­‐3050
What
is
a
Cyber-­‐Loss
Model?
The Cyber-­‐Loss Model is essentially a complex formula that can explain the
variability in cost of historical data breaches. It was trained upon a large set of
data breaches and tested for accuracy on a randomly selected set of validation
cases. It was developed in the statistical language R using standard statistical
techniques such as linear regression and Bayesian Model Averaging.
The Cyber-­‐Loss Model is deployed in an easy to use Excel Spreadsheet which
requires a small number of variable inputs that have been found to be predictive
of cost. No information is needed about a banks security posture.
What is Model Validation? Federal Reserve has created guidance for model
management (SR11-­‐7 & SR15-­‐18). This guidance assures that models are
developed following sound statistical practices. Many banks have an internal
validation process for establishing compliance for bank models. We can supply all
documentation needed for model validation, including quarterly maintenance,
and we cansupport internal validation efforts.

4. The graphs below are a pro forma example of breach cost characterizations.
Possible data breach cost is break down by incident and data type. The model also
provides a probability distribution for the range of costs, and the probability of
lawsuits.
$0
$20
$40
$60
$80
$100
Mean
Data
Breach
Costs
Millions
Incident
&
Data
Type
0%
20%
40%
60%
80%
100%
0 >0 1 2 3 4 5
Probability
Number
of
Lawsuits
Model
Outputs
$0
$5
$10
$15
$20
$25
Likelihood
Breach
Cost
Millions
$19.8M
80%
Confidence
Interval
Value
of
Incident
Response
Controls
Most
companies
would
experience
a
cost
of
under
$5M.

5. What
Does
the
Cyber-­‐Loss
Model
Include?
VivoSecurity
Inc,
1247
Russell
Ave,
Los
Altos
California;
Contact:
ThomasL@VivoSecurity.com,
(650)
919-­‐3050
Included Detail
Deployment Models are deployed as an easy to use Excel
Spreadsheet.
Training We provide training on the use of the spreadsheet,
how to think about confidence intervals, and how to
guide insurance purchases.
Documentation We provide complete model documentation in the
bank’s own format.
Validation
Support We provide support for the bank’s model validation
team, including data turnover, troubleshooting R and
SQL code, and discussions on modeling methodology.
Quarterly
Maintenance We provide new data as it becomes available, model
re-­‐evaluation, all required validation documentation,
validation team support, re-­‐deployment, and evidence
of testing.

6. Investigation
Notification
Call
center
Remediation
o Business
Loss
o Damage
to
personal
credit
o Theft
of
money
&
goods
o Credit
card
replacement
costs
Business
loss;
theft
of
money
&
goods
Credit
monitoring
&
privacy
insurance.
Fines &
settlements
Public
&
Other
BusinessesBreach
Company
Total
costs
Mitigate
Transfer
via
suits
Costs
Covered
by
the
Operational
Risk
Model
Response
CostsDamage
costs
Term Meaning
Investigation Cost of investigating what happened in a data breach including data
that was exposed. Costs of updating agencies of investigation progress.
Remediation Cost to preventing future data breach.
Notification Legal costs of notifying federal agencies and states attorney general.
Call
Center Cost of hiring or expanding call centers to handle calls from people
affected by data breach.
Business
Loss,
theft
of
money
&
goods
Loss of business and customers, fraud costs, cost of goods pur chased
with stolen cards
Credit
Monitoring
&
Privacy
Insurance
Cost of providing credit monitoring such as Experian, insurance to
cover personal loss by people affected by the data breach.
Fines
&
Settlements Government fines, lawsuit awards and settlements, defense costs.
Glossary
The Operational Risk Model calculates the cost of a data breach exposing custodial data. Custodial
data is any PII data which triggers reporting requirements of various government agencies (also
known as risk to confidentiality, in AppSec parlance). The model calculates Total Costs; below is a
graphical breakdown of costs included in Total Costs.

7. Evaluation
Bank receives themodel as an Excel spreadsheet and performs initial evaluation using approximate
model inputs. VivoSecurity provides training for how to use the model, how to think about
confidenceintervals and apply results to insurancepurchases.
Model
Owner
The owner (sponsor) of the risk model is decided. The owner might be, for example, the CFO or
CRO group. Themodel owner might draft documents to officially sponsor themodel as preparation
for model validation.
Validation
Support
Data
Owner
VivoSecurity produces SR11-­‐7 compliant validation documentation, following the bank’s format.
VivoSecurity then works with thebank’s validation team to support validateactivities.
Departments are identified that will produce validated numbers that will be entered into the
model. This might include creating and approving SQL to query systems and to generate the
numbers.
Insurance
Adequacy
The model owner receives validated numbers from data owners and performs a model based
evaluation ofinsuranceadequacy. Considerations aredocumented and approved.
Adjust
Insurance
Insurance coverage can be adjusted and premiums lowered using model based arguments and
historical industry data. Note that neither carriers nor brokers have models as rigorous as ours,
giving thebank an advantage in negotiations.
Document Considerations for insurance adequacy along with validated models and evidence of insuranceare
incorporated into regulator reporting documentation, e.g., FR Y-­‐14A.
Use
Case
The diagram below shows the process for a typical retail bank that uses the Operational Risk Model in satisfying regulatory requirements.
Activities need not proceed sequentially. For example, after a model owner is determined, model validation (which takes the most time) can be
performed concurrently with other activities.

8. About
VivoSecurity
VivoSecurity
Inc,
1247
Russell
Ave,
Los
Altos
California;
Contact:
ThomasL@VivoSecurity.com,
(650)
919-­‐3050
VivoSecurity provides data analytics and statistical modeling to companies in the financial and
high tech industries. We are a Silicon Valley Startup since 2012, with PhD level scientists and
statisticians. We use advanced data analytic techniques to model the probability and cost of
cybersecurity events. We have strong cybersecurity domain knowledge, strong knowledge of
software applications, strong knowledge of operating systems and hardware and a strong
understanding of enterprise operations.
Model Description
Peer
Risk
Model Characterizes
cyber
risk
in
dollars
and
comparison
with
peers.
Probability
for
Fraud, personal
customers Calculates
probability
for
a
cyber
attach
that
leads
to
fraud.
Probability
for
Fraud,
corporate
customers Calculates
probability
for
a
cyber
attach
that
leads
to
fraud.
3rd party
(vendor)
Risk Calculates
risk
in
dollars
posed
by
3rd party
partners.
Additional
Offerings