# Operational Risk Model

#### for CCAR Data Breach Idiosyncratic Scenarios.

Demonstrate strong risk management culture for tier-‐1 capital; prove insurance adequacy; champion or challenger model; maintain strong Model Risk Management with a SR 11-‐7 and SR 15-‐18 compliant model.

Carl Friedrich Gauss who discovered the Normal (Gaussian) distribution, which characterizes random events.

## The Federal Reserve is Focusing on Cybersecurity

While large data breaches are rare, they do happen and the Federal Reserve is looking for evidence that a bank has enough capital to withstand the event. But because they are rare, any single company does not have sufficient data to predict the cost. An analysis of cross-‐company data is the only credible way to characterize the risk.

Some banks are demonstrating a strong risk management culture by using statistical models and VivoSecurity is helping by creating strong SR 11-‐7 compliant models using cross-‐company data. These models have the additional benefit of 1) bringing cyber risk under the bank's model risk management framework, 2) providing a clearer understand of what should be transferred with insurance and 3) allowing a bank to benefit from cost reductions brought about from a mature incident response.

Strengthen Idiosyncratic Scenarios for CCAR/DFAST operational risk.

Challenge Models for Champion Models

Champion Models if no models

Justify a stance not to use cyber insurance

Demonstrate better management of risks to tier 1 capital

## What is a Cyber-‐Loss Model?

The Cyber-‐Loss Model is essentially a complex formula that can explain the variability in cost of historical data breaches. It was trained upon a large set of data breaches and tested for accuracy on a randomly selected set of validation cases. It was developed in the statistical language R using standard statistical techniques such as linear regression and *Bayesian Model Averaging*.

The Cyber-‐Loss Model is deployed in an easy to use **Excel Spreadsheet** which requires a small number of variable inputs that have been found to be predictive of cost. No information is needed about a banks security posture.

## What is Model Validation?

Federal Reserve has created guidance for model management (SR11-‐7 & SR15-‐18). This guidance assures that models are developed following sound statistical practices. Many banks have an internal validation process for establishing compliance for bank models. We can supply all documentation needed for model validation, including quarterly maintenance, and we can support internal validation efforts.

## Model Outputs

The graphs below are a pro forma example of breach cost characterizations. Possible data breach cost is break down by incident and data type. The model also provides a probability distribution for the range of costs, and the probability of lawsuits.

## What Does the Cyber-Loss Model Include?

Included | Detail |
---|---|

Deployment | Models are deployed as an easy to use Excel Spreadsheet. |

Training | We provide training on the use of the spreadsheet, how to think about confidence intervals, and how to guide insurance purchases. |

Documentation | We provide complete model documentation in the bank’s own format. |

Validation Support | We provide support for the bank’s model validation team, including data turnover, troubleshooting R and SQL code, and discussions on modeling methodology. |

Quarterly Maintenance | We provide new data as it becomes available, model re-evaluation, all required validation documentation, validation team support, re-deployment, and evidence of testing. |

## Costs Covered by the Operational Risk Model

The Operational Risk Model calculates the cost of a data breach exposing custodial data. Custodial data is any PII data which triggers reporting requirements of various government agencies (also known as risk to confidentiality, in AppSec parlance). The model calculates Total Costs; below is a graphical breakdown of costs included in Total Costs.

## Use Cases

The diagram below shows the process for a typical retail bank that uses the Operational Risk Model in satisfying regulatory requirements. Activities need not proceed sequentially. For example, after a model owner is determined, model validation (which takes the most time) can be performed concurrently with other activities.

## Additional Offerings

Characterizes cyber risk in dollars and comparison with peers.

Calculates probability for a cyber attach that leads to fraud.

Calculates risk in dollars posed by 3rd party partners.

# About VivoSecurity

VivoSecurity provides data analytics and statistical modeling to companies in the financial and high tech industries. We are a Silicon Valley Startup since 2012, with PhD level scientists and statisticians. We use advanced data analytic techniques to model the probability and cost of cybersecurity events. We have strong cybersecurity domain knowledge, strong knowledge of software applications, strong knowledge of operating systems and hardware and a strong understanding of enterprise operations.