While large data breaches are rare, they do happen and the Federal Reserve is looking for evidence that a bank has enough capital to withstand the event. But because they are rare, any single company does not have sufficient data to predict the cost. An analysis of cross-‐company data is the only credible way to characterize the risk.
Some banks are demonstrating a strong risk management culture by using statistical models and VivoSecurity is helping by creating strong SR 11-‐7 compliant models using cross-‐company data. These models have the additional benefit of 1) bringing cyber risk under the bank's model risk management framework, 2) providing a clearer understand of what should be transferred with insurance and 3) allowing a bank to benefit from cost reductions brought about from a mature incident response.