
Cyber loss model for all industries


Page 1: Cyber loss model for all industries

VivoSecurity Inc., Los Altos, CA. Email: [email protected]

Carl Friedrich Gauss, who discovered the Normal (Gaussian) distribution, which characterizes random events.

CYBER-LOSS MODEL

Calculate Maximum Financial Loss from Data Breach

Communicate cyber-exposure to the board and senior management; Calculate the value of incident response; Calculate insurance adequacy, guide insurance coverage.

Page 2: Cyber loss model for all industries

Simple Question

It is a simple question—but hard to answer: how much money will your company lose in a large data breach? The answer can inform the amount and kind of cyber insurance; it can demonstrate a strong understanding of risk to the board of directors and senior management; it can justify investments into security controls and incident response.

A Cyber-Loss Model answers this question using factors that are predictive of the cost. Predictive factors were discovered through a rigorous statistical analysis of historical industry data breaches.

Figure: Six Experts. Bar chart of Total Breach Cost (Thousands, $0 to $5,000) for experts JB, DT, AA, JS, MK and RS. Breach details: Affected: 220,000; Incident: Malicious Outsider; Data: PII; Lawsuits: 0. Legend: Expert guess (blue bars), Expert Average, Model Prediction (green line), Actual Cost (red line). Additional chart values: 6,600 and 10,000.

Much research shows that people are not good at estimating the impact of rare events—and large data breaches are rare events.

The graph to the right shows an example from a study conducted with Stanford University in which we asked industry experts to estimate the cost of known data breaches. Experts consistently guessed high, by an average of 2000%. This is compared with our model, which was within 40% on average.

Six experts guess at the cost of a single data breach, compared with the Cyber-Loss Model.

Page 3: Cyber loss model for all industries

Figure: Costs Covered by the Cyber-Loss Model. Response Costs (Breach Company): Investigation, Notification, Call center, Remediation. Damage costs (Public & Other Businesses): Business Loss, Damage to personal credit, Theft of money & goods, Credit card replacement costs. Damage costs (Breach Company): Business loss; theft of money & goods. Further labels in the diagram: Credit monitoring & privacy insurance (Mitigate); Fines & settlements (Transfer via suits); Total costs.

The Cyber-Loss Model calculates the cost of a data breach exposing custodial data. Custodial data is any PII data which triggers reporting requirements of various government agencies (also known as risk to confidentiality, in AppSec parlance). The model calculates Total Costs; the graphic on this page is a breakdown of the costs included in Total Costs.

Glossary

Term: Meaning

Investigation: Cost of investigating what happened in a data breach, including which data was exposed. Costs of updating agencies on investigation progress.

Remediation: Cost of preventing future data breaches.

Notification: Legal costs of notifying various government agencies and people affected by the data breach.

Call Center: Cost of hiring or expanding call centers to handle calls from people affected by the data breach.

Business Loss, theft of money & goods: Loss of business and customers, fraud costs, cost of goods purchased with stolen cards.

Credit Monitoring & Privacy Insurance: Cost of providing credit monitoring such as Experian, and insurance to cover personal loss by people affected by the data breach.

Fines & Settlements: Government fines, lawsuit awards and settlements, defense costs.

Page 4: Cyber loss model for all industries

VivoSecurity Inc, 1247 Russell Ave, Los Altos, California; Contact: [email protected], (650) 919-3050

What is a Cyber-Loss Model?

The Cyber-Loss Model is essentially a complex formula that can explain the variability in cost of historical data breaches. It was trained upon a large set of data breaches and tested for accuracy on a randomly selected set of validation cases. It was developed in the statistical language R using standard statistical techniques such as linear regression and Bayesian Model Averaging.

The Cyber-Loss Model is deployed in an easy-to-use Excel spreadsheet which requires a small number of variable inputs that have been found to be predictive of cost. No information is needed about a company's security posture.

What is Model Validation? The Federal Reserve has created guidance for model management (SR11-7 & SR15-18). This guidance assures that models are developed following sound statistical practices. Many banks have an internal validation process for establishing compliance with the Federal Reserve's guidelines. Our Cyber-Loss Model complies with the Federal Reserve's guidance and can pass a bank's validation process.

Page 5: Cyber loss model for all industries

The graphs below are a pro forma example of breach cost characterizations. Possible data breach cost is broken down by incident and data type. The model also provides a probability distribution for the range of costs, and the probability of lawsuits.

Figure: Model Outputs. (1) Mean Data Breach Costs (Millions) by Incident & Data Type. (2) Probability of Number of Lawsuits, for 0, >0, 1, 2, 3, 4 and 5 lawsuits. (3) Likelihood of Breach Cost (Millions), with $19.8M marked as the 80% Confidence Interval and the annotation "Value of Incident Response Controls". Most companies would experience a cost of under $5M.

Page 6: Cyber loss model for all industries

Figure: Probability of Breach Cost versus Breach Cost (Millions). Annotations: 80% Confidence; 90% Confidence; 10% of breaches fall here; Value of Incident Response.

For a given set of parameters, the cost follows a probability distribution, with the probability declining exponentially with cost. The 80% and 90% confidence intervals mark the cost points below which 80% and 90% of data breaches will fall. But the difference between 80% and 90% is large, and 10% of companies will experience costs which fall within this cost interval. This extra cost is driven primarily by incident response, and a large cost interval justifies investments into incident response activities.
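The 80% and 90% points and the 10% band between them, worked through as an added example (not the brochure's model or code): it assumes a cost distribution whose density declines exponentially with cost, i.e. an exponential distribution with a constructed mean, and also reads the same quantities off a plain list of cost samples, which is how a practitioner would treat an actual model's simulated output.

```python
import math


def exp_quantile(mean_cost, p):
    """Cost below which a fraction p of breaches fall, assuming costs are
    exponentially distributed with the given mean (an assumption of this
    example, not a statement about the vendor's model)."""
    if not 0.0 <= p < 1.0:
        raise ValueError("p must be in [0, 1)")
    return -mean_cost * math.log(1.0 - p)


def exp_band(mean_cost, lo=0.80, hi=0.90):
    """Return (P_lo, P_hi, gap, mean cost of breaches that land in the band)."""
    a, b = exp_quantile(mean_cost, lo), exp_quantile(mean_cost, hi)
    m = mean_cost
    # Closed form for E[X | a < X <= b]: the integral of x*f(x) over (a, b]
    # is (a+m)e^{-a/m} - (b+m)e^{-b/m}; the band's probability mass is hi - lo.
    numer = (a + m) * math.exp(-a / m) - (b + m) * math.exp(-b / m)
    return a, b, b - a, numer / (hi - lo)


def band_from_samples(costs, lo=0.80, hi=0.90):
    """Same quantities from cost samples (e.g. a model's simulated breaches),
    using nearest-rank percentiles so no parametric assumption is needed.
    Returns (P_lo, P_hi, share of samples in the band, mean cost in the band)."""
    xs = sorted(costs)
    n = len(xs)
    if n == 0:
        raise ValueError("need at least one sample")

    def pct(p):
        # nearest-rank percentile; the epsilon guards against float round-up
        return xs[max(math.ceil(p * n - 1e-9) - 1, 0)]

    a, b = pct(lo), pct(hi)
    in_band = [x for x in xs if a < x <= b]
    mean_in_band = sum(in_band) / len(in_band) if in_band else float("nan")
    return a, b, len(in_band) / n, mean_in_band


if __name__ == "__main__":
    MEAN = 3.0  # constructed: mean breach cost in $ millions
    p80, p90, gap, tail_mean = exp_band(MEAN)
    print(f"80% point ${p80:.1f}M, 90% point ${p90:.1f}M, gap ${gap:.1f}M")
    print(f"breaches in the 80-90% band cost ${tail_mean:.1f}M on average")
```

With an exponential tail the gap between the two points is always ln(2) times the mean, so the band the text describes is a fixed share of expected cost regardless of scale.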

Breach Costs affected by Incident Response

Investigation: Turn on logs to capture information that can speed the investigation. Engaging a security firm early can save millions.

Notification: Engage a law firm early, negotiate costs and be prepared.

Fines & settlements: Reduce the probability of a lawsuit by engaging a law firm to review contracts and advertising promises.

Page 7: Cyber loss model for all industries

What Does the Cyber-Loss Model Include?

Included: Detail

Deployment: Models are deployed as an easy-to-use Excel spreadsheet.

Training: We provide training on the use of the spreadsheet, how to think about confidence intervals, and how to guide insurance purchases.

Documentation: We provide complete model documentation in the bank's own format. [1]

Validation Support: We provide support for the bank's model validation team, including data turnover, troubleshooting R and SQL code, and discussions on modeling methodology. [1]

Quarterly Maintenance: We provide new data as it becomes available, model re-evaluation, all required validation documentation, validation team support, re-deployment, and evidence of testing. [1]

[1] Required by banks and insurance companies, not recommended for other industries.

Page 8: Cyber loss model for all industries

Use Case

The process below is that of a typical retail bank that uses the Cyber-Loss Model in satisfying regulatory requirements. Activities need not proceed sequentially. For example, after a model owner is determined, model validation (which takes the most time) can be performed concurrently with other activities.

Evaluation: The bank receives the model as an Excel spreadsheet and performs an initial evaluation using approximate model inputs. VivoSecurity provides training on how to use the model, how to think about confidence intervals and how to apply results to insurance purchases.

Model Owner: The owner (sponsor) of the risk model is decided. The owner might be, for example, the CFO or CRO group. The model owner might draft documents to officially sponsor the model as preparation for model validation.

Validation Support: VivoSecurity produces SR11-7 compliant validation documentation, following the bank's format. VivoSecurity then works with the bank's validation team to support validation activities.

Data Owner: Departments are identified that will produce validated numbers that will be entered into the model. This might include creating and approving SQL to query systems and to generate the numbers.

Insurance Adequacy: The model owner receives validated numbers from data owners and performs a model-based evaluation of insurance adequacy. Considerations are documented and approved.

Adjust Insurance: Insurance coverage can be adjusted and premiums lowered using model-based arguments and historical industry data. Note that neither carriers nor brokers have models as rigorous as ours, giving the bank an advantage in negotiations.

Document: Considerations for insurance adequacy, along with validated models and evidence of insurance, are incorporated into regulator reporting documentation, e.g., FR Y-14A.

Page 9: Cyber loss model for all industries

About VivoSecurity

VivoSecurity provides data analytics and statistical modeling to companies in the financial and high tech industries. We have been a Silicon Valley startup since 2012, with PhD-level scientists and statisticians. We use advanced data analytic techniques to model the probability and cost of cybersecurity events. We have strong cybersecurity domain knowledge, strong knowledge of software applications, strong knowledge of operating systems and hardware, and a strong understanding of enterprise operations.

Additional Offerings

Model: Description

Peer Risk Model: Characterizes cyber risk in dollars in comparison with peers.

Probability for Fraud, personal customers: Calculates the probability of a cyber attack that leads to fraud.

Probability for Fraud, corporate customers: Calculates the probability of a cyber attack that leads to fraud.

3rd party (vendor) Risk: Calculates risk in dollars posed by 3rd party partners.