VivoSecurity Inc., Los Altos, CA. Email: ThomasL@VivoSecurity.com
Carl Friedrich Gauss, who discovered the Normal (Gaussian) distribution, which characterizes random events.
OPERATIONAL RISK MODEL for CCAR Data Breach Idiosyncratic Scenarios
Demonstrate a strong risk management culture for tier-1 capital; prove insurance adequacy; champion or challenger model; maintain strong Model Risk Management with an SR 11-7 and SR 15-18 compliant model.
The Federal Reserve is Focusing on Cybersecurity
Large data breaches are rare, but they do happen, and the Federal Reserve is looking for evidence that a bank has enough capital to withstand the event. But because they are rare, no single company has sufficient data to predict the cost. An analysis of cross-company data is the only credible way to characterize the risk.
Some banks are demonstrating a strong risk management culture by using statistical models, and VivoSecurity is helping by creating strong SR 11-7 compliant models using cross-company data. These models have the additional benefit of 1) bringing cyber risk under the bank's model risk management framework, 2) providing a clearer understanding of what should be transferred with insurance and 3) allowing a bank to benefit from cost reductions brought about by a mature incident response.
- Strengthen Idiosyncratic Scenarios for CCAR/DFAST operational risk.
- Challenger models for existing champion models.
- Champion models where no models exist.
- Justify a stance not to use cyber insurance.
- Demonstrate better management of risks to tier 1 capital.
VivoSecurity Inc, 1247 Russell Ave, Los Altos, California; Contact: ThomasL@VivoSecurity.com, (650) 919-3050
What is a Cyber-Loss Model?
The Cyber-Loss Model is essentially a complex formula that explains the variability in the cost of historical data breaches. It was trained on a large set of data breaches and tested for accuracy on a randomly selected set of validation cases. It was developed in the statistical language R using standard statistical techniques such as linear regression and Bayesian Model Averaging.
The Cyber-Loss Model is deployed as an easy-to-use Excel spreadsheet which requires a small number of variable inputs that have been found to be predictive of cost. No information is needed about a bank's security posture.
What is Model Validation?
The Federal Reserve has created guidance for model management (SR 11-7 and SR 15-18). This guidance assures that models are developed following sound statistical practices. Many banks have an internal validation process for establishing the compliance of bank models. We can supply all documentation needed for model validation, including quarterly maintenance, and we can support internal validation efforts.
The graphs below are a pro forma example of breach cost characterizations. Possible data breach cost is broken down by incident and data type. The model also provides a probability distribution for the range of costs, and the probability of lawsuits.
[Figure: Model Outputs (pro forma). Panel 1: Mean Data Breach Costs in millions ($0 to $100) by Incident & Data Type. Panel 2: Probability (0% to 100%) by Number of Lawsuits (0, >0, 1, 2, 3, 4, 5). Panel 3: Likelihood versus Breach Cost in millions ($0 to $25), with an 80% Confidence Interval marked at $19.8M and the Value of Incident Response Controls indicated; annotation: "Most companies would experience a cost of under $5M."]
What Does the Cyber-Loss Model Include?
Included | Detail
Deployment | Models are deployed as an easy-to-use Excel spreadsheet.
Training | We provide training on the use of the spreadsheet, how to think about confidence intervals, and how to guide insurance purchases.
Documentation | We provide complete model documentation in the bank's own format.
Validation Support | We provide support for the bank's model validation team, including data turnover, troubleshooting R and SQL code, and discussions on modeling methodology.
Quarterly Maintenance | We provide new data as it becomes available, model re-evaluation, all required validation documentation, validation team support, re-deployment, and evidence of testing.
[Diagram: Costs Covered by the Operational Risk Model. Total costs = Response costs (Investigation, Notification, Call center, Remediation) + Damage costs. Damage costs to the Public & Other Businesses: Business loss, Damage to personal credit, Theft of money & goods, Credit card replacement costs. Damage costs to the Breach Company: Business loss; theft of money & goods; Credit monitoring & privacy insurance; Fines & settlements. Arrows: Mitigate; Transfer via suits.]
Term | Meaning
Investigation | Cost of investigating what happened in a data breach, including which data was exposed. Costs of updating agencies on investigation progress.
Remediation | Cost of preventing a future data breach.
Notification | Legal costs of notifying federal agencies and state attorneys general.
Call Center | Cost of hiring or expanding call centers to handle calls from people affected by the data breach.
Business Loss, theft of money & goods | Loss of business and customers, fraud costs, cost of goods purchased with stolen cards.
Credit Monitoring & Privacy Insurance | Cost of providing credit monitoring such as Experian, and insurance to cover personal loss by people affected by the data breach.
Fines & Settlements | Government fines, lawsuit awards and settlements, defense costs.
Glossary
The Operational Risk Model calculates the cost of a data breach exposing custodial data. Custodial data is any PII whose exposure triggers reporting requirements of various government agencies (also known as risk to confidentiality, in AppSec parlance). The model calculates Total Costs; below is a graphical breakdown of the costs included in Total Costs.
Evaluation
The bank receives the model as an Excel spreadsheet and performs an initial evaluation using approximate model inputs. VivoSecurity provides training on how to use the model, how to think about confidence intervals, and how to apply results to insurance purchases.
Model Owner
The owner (sponsor) of the risk model is decided. The owner might be, for example, the CFO or CRO group. The model owner might draft documents to officially sponsor the model as preparation for model validation.
Validation Support
VivoSecurity produces SR 11-7 compliant validation documentation, following the bank's format. VivoSecurity then works with the bank's validation team to support validation activities.
Data Owner
Departments are identified that will produce validated numbers that will be entered into the model. This might include creating and approving SQL to query systems and to generate the numbers.
Insurance Adequacy
The model owner receives validated numbers from data owners and performs a model-based evaluation of insurance adequacy. Considerations are documented and approved.
Adjust Insurance
Insurance coverage can be adjusted and premiums lowered using model-based arguments and historical industry data. Note that neither carriers nor brokers have models as rigorous as ours, giving the bank an advantage in negotiations.
Document
Considerations for insurance adequacy, along with validated models and evidence of insurance, are incorporated into regulator reporting documentation, e.g., FR Y-14A.
Use Case
The diagram below shows the process for a typical retail bank that uses the Operational Risk Model to satisfy regulatory requirements. Activities need not proceed sequentially. For example, after a model owner is determined, model validation (which takes the most time) can be performed concurrently with other activities.
About VivoSecurity
VivoSecurity provides data analytics and statistical modeling to companies in the financial and high-tech industries. We have been a Silicon Valley startup since 2012, with PhD-level scientists and statisticians. We use advanced data analytic techniques to model the probability and cost of cybersecurity events. We have strong cybersecurity domain knowledge, strong knowledge of software applications, strong knowledge of operating systems and hardware, and a strong understanding of enterprise operations.
Additional Offerings
Model | Description
Peer Risk Model | Characterizes cyber risk in dollars and in comparison with peers.
Probability for Fraud, personal customers | Calculates the probability of a cyber attack that leads to fraud.
Probability for Fraud, corporate customers | Calculates the probability of a cyber attack that leads to fraud.
3rd party (vendor) Risk | Calculates risk in dollars posed by 3rd party partners.

Cyber Op Risk Model, banks v7p4