Jack and Jack talk Risk Modeling at Cyber Risk NA

I had a great time this week at Risk.Net’s Cyber Risk NA conference. I moderated a panel on Modeling Cyber Risk with Jack Jones (EVP RiskLens), Ashish Dev (Principal Economist at the Federal Reserve), Manan Rawal (Head of US Model Risk Mgmt, HSBC USA), and Sidhartha Dash (Research Director, Chartis Research).

We only had 45 minutes and ran out of time before we could get to all the topics I had on my list, so I wanted to include some notes here on the things we covered:

  • I opened with a scenario in which I asked the panelists whether, if they were presenting to the board, it would be more honest to disclose the following top risks: 1) IoT, GDPR, and Spectre/Meltdown or 2) Our Top Risk is that we aren’t modeling cyber risk well enough. Most everyone chose option 2 :-)
  • We talked about whether there was a right way to model
    • Poisson, Negative Binomial, Log Normal
    • Frequentist vs Bayesian
  • Which model for scenarios makes more sense: BASEL II categories or CIA Triad?
  • Level of abstraction required for modeling
    • Event funnel: Event of interest vs incident vs loss event
    • Top Down vs. Bottom Up
  • What are key variables necessary to model cyber risk (everyone agreed that some measure of frequency of loss and impact/magnitude are necessary)

Things we wanted to get to but ran out of time:

  • What is necessary to get modeling approved and validated by Model Risk Management
  • Should you purchase an external model or build your own?
  • Can we use our Cyber Models for stress testing/ CTE calculations?
  • Do we combine cyber scenarios with other operational risk scenarios?
  • One audience question that we ran out of time for was “How was the FAIR approach different than LDA & AMA and how does it address their weaknesses (Frequency and severity correlation)”
    • This was a good question but to be fair, FAIR wasn’t designed to be a stress testing model. However, many of the inputs used for FAIR are also used for LDA and AMA.
  • There were lots of other audience questions about the use of FAIR which is always encouraging!

New Book: Fintech Growth and Deregulation

A new book I had the pleasure of editing, along with Diane Maurice and David Fairman, has been recently released. I received my copies today and I’m very happy with the results. This was an interesting project to work on and a problem space that is very modern and moving fast. I was very pleased with the authors I got to work with (Tony Martin-Vegue and Patrick McConnell). They did a great job covering their perspective of the topic (Quantification and Governance).

You can pick up a copy here.

@tdmv

Article on Cyber Risk Taxonomy on Risk.Net

I wrote a piece for risk.net that discusses techniques for integrating a cyber risk taxonomy with an operational risk taxonomy.

It’s behind a paywall, so apologies for that up front, but they do have a free trial.

It’s a great article for those who are struggling with aligning the need for cyber risk granularity with an overall operational risk program.

 

OpRisk Book Chapter on Cyber Published

I’m pleased to announce that a new book has been published that includes a chapter that I wrote on Cybersecurity and Technology Risk. I was approached by the good folks at Risk Books about contributing some original Cyber content to their new publication on Operational Risk. I chose to address the general risks in the domain and paid special attention to how to define risks (risk syntax) to avoid the problems of defining control deficiencies as risk.

The other chapters in the book are really great too! There are discussions of blockchain, Big Data, Privacy, OpRisk modeling and quantification, and emerging risk.

 

You can pick up your copy of Operational Risk Perspectives: Cyber, Big Data, and Emerging Risks at the Risk Books website (including eBook).

Speaking at OpRisk North America 2015

It’s a busy week for me. In addition to the webinar this Friday, next Monday (23 March) I’ll be holding a workshop at 11:00 AM in the Data Quality track of the OpRisk North America conference. I’ll be talking about financial metrics, risk appetite, volatility trends, and scenario analysis. You can’t have quality data without quantification, so that will be a big part of my presentation.