Cyber Loss Model for the cost of a data breach.
- 1. VivoSecurity Inc., Los Altos, CA. Email: ThomasL@VivoSecurity.com Carl Friedrich Gauss who discovered the Normal (Gaussian) distribution, which characterizes random events. A CYBER LOSS MODEL For Demonstrating Cyber Insurance Adequacy Demonstrate a strong risk management culture Through CCAR/DFAST idiosyncratic scenarios for operational risk. Compliant with SR 11-7 and SR 15-18.
- 2. The Federal Reserve Requires Credible Evidence of Insurance Adequacy for a Large Data Breach Large data breaches are rare events and any single company does not have sufficient historical data to predict the cost. A statistical analysis of historical industry data across many companies is therefore the only credible way to address the risk posed by a large data breach. VivoSecurity helps financial institutions demonstrate a strong risk management culture by addressing operational risk posed by data breach, using statistical models built on historical industry data. These models have the additional benefit of bringing cyber risk under the bank's financial risk management framework. ✓ Strengthen Idiosyncratic Scenarios for CCAR/DFAST operational risk. ✓ Challenge Models for the banks Champion Models ✓ Champion Models if the bank has no models ✓ Justify a stance not to use cyber insurance ✓ Demonstrate better control over risks to tier 1 capital
- 3. VivoSecurity Inc, 1247 RussellAve, Los Altos California; Contact:ThomasL@VivoSecurity.com, (650)919-3050 What is a Cyber-Loss Model? The Cyber-Loss Model is essentially a complex formula that can explain the variability in cost of historical data breaches. It was trained upon a large set of data breaches and tested for accuracy on a randomly selected set of validation cases. It was developed in the statistical language R using standard statistical techniques such as linear regression and Bayesian Model Averaging. The Cyber-Loss Model is deployed in an easy to use Excel Spreadsheet which requires a small number of variable inputs that have been found to be predictive of cost. No information is needed about a banks security posture. What is Model Validation? Federal Reserve has created guidance for model management (SR11-7 & SR15-18). This guidance assures that models are developed following sound statistical practices. Many banks have an internal validation process for establishing compliance for bank models. We can supply all documentation needed for model validation, including quarterly maintenance, and we can support internal validation efforts.
- 4. Possible data breach cost is break down by incident and data type. The model also provides a probability distribution for the range of costs, and the probability of lawsuits. $0 $20 $40 $60 $80 $100 MeanDataBreachCosts Millions Incident & Data Type 0% 20% 40% 60% 80% 100% 0 >0 1 2 3 4 5 Probability Number of Lawsuits Model Outputs $0 $5 $10 $15 $20 $25 Likelihood Breach Cost Millions $19.8M 80% Confidence Interval
- 5. What Does the Cyber-Loss Model Include? VivoSecurity Inc, 1247 RussellAve, Los Altos California; Contact:ThomasL@VivoSecurity.com, (650)919-3050 Included Detail Deployment Models are deployed as an easy to use Excel Spreadsheet. Training We provide training on the use of the spreadsheet, how to think about confidence intervals, and how to guide insurance purchases. Documentation We provide complete model documentation in the bank’s own format. Validation Support We provide support for the bank’s model validation team, including data turnover, troubleshooting R and SQL code, and discussions on modeling methodology. Quarterly Maintenance We provide new data as it becomes available, model re-evaluation, all required validation documentation, validation team support, re-deployment, and evidence of testing.
- 6. Investigation Notification Call center Remediation o Business Loss o Damage to personal credit o Theft of money & goods o Credit card replacement costs Business loss; theft of money & goods Credit monitoring & privacy insurance. Fines & settlements Public & Other BusinessesBreach Company Totalcosts Mitigate Transfer via suits VivoSecurity Inc, 1247 RussellAve, Los Altos California; Contact:ThomasL@VivoSecurity.com, (650)919-3050 Data Breach Costs Covered by the Cyber-Loss Model ResponseCostsDamagecosts Function of Incident Type Functionofpeopleaffected Term Meaning Investigation Cost of investigating what happened in a data breach including data that was exposed. Costs ofupdating agencies ofinvestigationprogress. Remediation Cost to preventingfuture data breach. Notification Legal costs ofnotifying federal agencies and states attorney general. Call Center Cost of hiring or expanding call centers to handle calls from people affected by data breach. Business Loss, theft of money & goods Loss of business and customers, fraud costs, cost of goods purchased with stolen cards Credit Monitoring & Privacy Insurance Cost of providing credit monitoring such as Experian, insurance to cover personal loss by people affected by the data breach. Fines & Settlements Government fines, lawsuit awards and settlements, defense costs. Glossary
- 7. Evaluation Bank receives the model as an Excel spreadsheet and performs initial evaluation using approximate model inputs. VivoSecurity provides training for how to use the model, how to think about confidence intervalsand apply results to insurance purchases. Model Owner The owner (sponsor) of the risk model is decided. The owner might be, for example, the CFO or CRO group. The model owner might draft documents to officially sponsor the model as preparation for model validation. Validation Support Data Owner VivoSecurity produces SR11-7 compliant validation documentation, following the bank’s format. VivoSecurity then works with the bank’s validationteam to support validate activities. Departments are identified that will produce validated numbers that will be entered into the model. This might include creating and approving SQL to query systems and to generate the numbers. Insurance Adequacy The model owner receives validated numbers from data owners and performs a model based evaluation of insurance adequacy. Considerations are documented and approved. Adjust Insurance Insurance coverage can be adjusted and premiums lowered using model based arguments and historical industry data. Note that neither carriers nor brokers have models as rigorous as ours, giving the bank an advantage in negotiations. Document Considerations for insurance adequacy along with validated models and evidence of insurance are incorporated into regulator reporting documentation, e.g., FR Y-14A. Use Case The diagram below shows the process for a typical retail bank that uses the Cyber-Loss Model in satisfying regulatory requirements. Activities need not proceed sequentially. For example, after a model owner is determined, model validation (which takes the most time) can be performed concurrently with other activities.
- 8. About VivoSecurity ✓ Silicon Valley Startup since 2012 ✓ PhD level scientists & statisticians ✓ Advanced data analysis techniques ✓ Strong cyber security domain knowledge ✓ Strong software, hardware and enterprise knowledge VivoSecurity Inc, 1247 RussellAve, Los Altos California; Contact:ThomasL@VivoSecurity.com, (650)919-3050