A retail bank used the Cyber Loss Model to assess the risk and financial impact of a major data breach involving personal financial information of 325,000 individuals. The model estimated a median cost of $3.6M with a 10% chance of a costly lawsuit. The bank purchased $25M of insurance coverage based on the higher 80% confidence level. This demonstrated strong risk management to regulators and allowed the bank to adjust security budgets and preventative measures.
How to Use a Cyber Loss Model within a Retail Bank
1. A Worked Example Use of the Cyber Loss Model within a Retail Bank
Following is an example of how a retail bank can use the Cyber Loss Model to characterize the risk and assess cyber insurance needs for a major data breach, and to demonstrate a strong risk management culture to the board of directors and the Federal Reserve.
2. Worked Example, the Questions:
• What is the bank's risk from a major data breach?
• How much insurance coverage should be purchased?
• What should be covered?
VivoSecurity Inc, 1247 Russell Ave, Los Altos California; Contact: ThomasL@VivoSecurity.com, (650) 919-3050
3. Worked Example, the Bank
Bank Details:
• 425,000 accounts for 300,000 individual account holders.
• Archived data on 40,000 accounts for 25,000 past individual account holders.
• 24,000 accounts for 10,000 business account holders.
• Archived data on 1,200 accounts for 800 past business account holders.
• No credit card data.
• 2,500 employees.
4. Worked Example, the Model
Parameter: Input
Number Affected: Number of people affected by a data breach for whom the reporting requirement is triggered by the various states' attorneys general.
Data Type:
• PII – Personally Identifiable Information, which includes driver's license, SSN, etc.
• PFI – Personal Financial Information, which is PII + any financial information, bank account, etc.
• CHD – Cardholder Data, which is PII + payment information such as credit card numbers.
• PHI – Protected Health Information, which is PII + diagnostic, treatment or health payment information.
Incident Type:
• Malicious Outsider – perpetrated by people not known by the company, such as phishing or hacking.
• Malicious Insider – unauthorized access to data by individuals within the company which could trigger state reporting requirements, such as unauthorized access to bank accounts by employees.
• Accident – accidental exposure of data by the company or a partner, such as deployment of a software upgrade that allowed unauthorized access to personal data, or emailing personal information to the wrong party.
• Lost/Stolen – exposure of data caused by any lost or stolen device such as a laptop, tape drive or USB drive.
Modeling of historical industry data finds that 1) Data Type, 2) Incident Type and 3) Number of Affected people are the factors that best predict the cost of a data breach.
5. Worked Example, Bank Inputs
Following are the model inputs provided by the bank.
Parameter: Chosen Input
Number Affected: 325,000 -- The major cost of a data breach is the reporting requirement, which is not required for business accounts. Since reporting requirements scale with the number of individuals, not accounts or records, the bank decided to use the sum total of current and past individual account holders (300,000 + 25,000) for which the bank maintains electronic records.
Data Type: PFI -- The bank does not deal with credit card data, so the data type that could be breached is PFI. The bank also has PHI for employees, but the number of employees is not significant compared with the number of customers.
Incident Type: Malicious Outsider -- modeling finds that a data breach caused by a malicious outsider is more costly than any other cause, even though this incident type is also relatively rare. For the purpose of insurance coverage, the cost of a malicious outsider breach was the incident type considered.
6. Worked Example, Results & Considerations
The model shows that the median cost of a data breach is small: just $3.6M. With such a breach, the model also shows a 10% chance of a lawsuit.
Since modeling shows that a lawsuit can double the cost, the bank intends to keep the probability of lawsuits low by offering Experian Lifelock credit monitoring in the event of a breach.
(Figure: Data Entered into the Model)
7. Worked Example, Results & Considerations (continued)
The bank chose to purchase $25M insurance coverage based upon the 80% confidence interval, for the following reasons:
• The bank has a strong intrusion detection program, so the probability of exposing all data is remote, and the probability of a loss at the 90% confidence level is even more remote.
• The probability density has a very long tail (see graph), suggesting that the bank can influence the cost by its actions.
• Notification costs are a significant cost of a data breach, so the bank has engaged a law firm and negotiated the cost of notification in the event of a data breach.
• The bank has engaged with Experian to negotiate the cost of Lifelock in the event of a data breach.
• The bank has a rehearsed plan to orchestrate the response, minimize disruption, reassure customers in a timely manner and control costs.
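What "purchase at the 80% confidence level" means operationally, as an added example that is not from the VivoSecurity slides and is not their Cyber Loss Model: simulate the breach-cost distribution, read the 80th percentile off the sorted outcomes as the coverage limit, and measure how much of the tail the bank still self-funds above that limit. Only the $3.6M median, the 10% lawsuit probability and the "a lawsuit can double the cost" rule are taken from the slides; the lognormal shape, the sigma = 1.5 tail parameter, the seed, and the assumption that credit monitoring cuts lawsuit probability from 10% to 3% are constructed for illustration, so the output will not reproduce the bank's $25M figure.

```python
"""Monte Carlo sizing of a cyber-insurance limit from a long-tailed loss distribution.

Constructed illustration; this is NOT VivoSecurity's Cyber Loss Model. The
distribution shape (lognormal breach cost, lawsuit as a Bernoulli event that
multiplies the cost) and the sigma / seed / mitigation values are assumptions,
not parameters fitted to industry data.
"""
import math
import random
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class LossModel:
    median_cost: float                # median cost of a breach with no lawsuit, USD
    sigma: float                      # lognormal shape; larger = heavier tail (assumed)
    lawsuit_prob: float               # probability that a breach also draws a lawsuit
    lawsuit_multiplier: float = 2.0   # slides: a lawsuit can roughly double the cost


def simulate_losses(model: LossModel, n: int, seed: int = 1) -> List[float]:
    """Draw n breach-cost outcomes and return them sorted ascending."""
    rng = random.Random(seed)
    mu = math.log(model.median_cost)  # a lognormal's median is exp(mu)
    losses = []
    for _ in range(n):
        cost = rng.lognormvariate(mu, model.sigma)
        # The lawsuit coin is flipped on every draw, so two models that differ only
        # in lawsuit_prob see the identical cost stream (a paired comparison).
        if rng.random() < model.lawsuit_prob:
            cost *= model.lawsuit_multiplier
        losses.append(cost)
    losses.sort()
    return losses


def quantile(sorted_losses: List[float], q: float) -> float:
    """Nearest-rank quantile of an ascending list, q in (0, 1]."""
    rank = max(1, math.ceil(q * len(sorted_losses)))
    return sorted_losses[rank - 1]


def coverage_limit(model: LossModel, confidence: float,
                   n: int = 100_000, seed: int = 1) -> float:
    """Limit that covers the full loss in `confidence` fraction of simulated breaches."""
    return quantile(simulate_losses(model, n, seed), confidence)


def expected_shortfall(sorted_losses: List[float], limit: float) -> float:
    """Mean uninsured loss per breach above `limit`: what the bank self-funds in the tail."""
    excess = sum(x - limit for x in sorted_losses if x > limit)
    return excess / len(sorted_losses)


if __name__ == "__main__":
    baseline = LossModel(median_cost=3.6e6, sigma=1.5, lawsuit_prob=0.10)
    # Assumed effect of offering credit monitoring: fewer lawsuits, same breach cost.
    mitigated = LossModel(median_cost=3.6e6, sigma=1.5, lawsuit_prob=0.03)
    for name, model in (("baseline", baseline), ("with monitoring", mitigated)):
        losses = simulate_losses(model, 100_000)
        p50, p80, p90 = (quantile(losses, q) for q in (0.5, 0.8, 0.9))
        tail = expected_shortfall(losses, p80)
        print(f"{name:16s} P50 ${p50 / 1e6:5.1f}M  P80 ${p80 / 1e6:5.1f}M  "
              f"P90 ${p90 / 1e6:5.1f}M  self-funded tail above P80 ${tail / 1e6:5.2f}M per breach")
```

The check a practitioner would run before taking the P80 number to the board is a sensitivity sweep over sigma: with a heavy tail, the gap between P80 and P90 moves far more than the median does, which is exactly why the slides' "probability of the 90% level is even more remote" argument depends on the tail shape rather than on the median cost.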
8. Worked Example, Actions Taken
The model and decisions were presented to Fed examiners in the context of DFAST, to demonstrate a strong risk management culture. The bank's assets are too small for CCAR.
A report was given to the board of directors, who understood for the first time that the cost of a data breach was manageable and less than expected.
Security budget was adjusted as follows:
• More effort will be spent on responding in the event of a breach.
• More resources will be allocated to prevent incidents other than Malicious Outsider (see graph).