Cyber Risk Measurement Expert Group Meeting
Cyber Risk Measurement: Evolving loss-based risk models and identifying key data sets in the financial services sector and beyond
Tuesday, March 1st & Wednesday, March 2nd, 2022
By invitation only
Hosted by the Federal Reserve Board of Governors, Federal Reserve Bank of Richmond, and the Massachusetts Institute of Technology
Understanding the impact of cyber attacks on our financial system remains an essential goal for the private sector, policy-makers and academic researchers. MIT, the Federal Reserve Bank of Richmond, and the Federal Reserve Board are sponsoring a multi-part series dedicated to exploring the relationship between cyber incidents, measurable associated losses, and cyber risk modeling. For this initial, smaller session, subject matter experts from financial services firms (banks, insurance firms, etc.) and third-party data providers are invited to share existing best practices, common challenges, and areas of opportunity for cyber risk measurements with fellow practitioners, as well as computer scientists and economists with expertise in risk modeling. Our goal is to identify common approaches to data collection, relevant definitions, and risk measurements, along with computational techniques that enable necessary data insights while preserving sensitive, proprietary information. A second conference-style meeting will be held at a later date in mid-2022, bringing together a broader set of leaders from industry, academia, the Federal Reserve and other supervisory agencies to address key themes identified by Research Roundtable participants.
The Research Roundtable will take place virtually across two half-day sessions and cover the following topics:
- Overview and goals for cyber risk classification and metric creation in the context of cyber incidents
- Financial firm and external vendor-specific approaches to cyber risk data collection, measurement, and risk-based decision-making
- Notable consensus data, metrics and methodologies for loss and risk measurement
During the discussion, attendees will have the opportunity to share informative cyber risk resources and key learnings with their peers and associated partners.
If you have any questions, please do not hesitate to reach out to cyber-risk-2022@mit.edu.
Format: Chatham House Rule
“The Chatham House Rule helps create a trusted environment to understand and resolve complex problems. Its guiding spirit is: share the information you receive but do not reveal the identity of who said it. When a meeting, or part thereof, is held under the Chatham House Rule, participants are free to use the information received, but neither the identity nor the affiliation of the speaker(s), nor that of any other participant, may be revealed.”
Day 1 - Research Roundtable (Tuesday, March 1st, 2022)
10:00 AM (EST)
(:25)
Welcome and introductions
Background and goals
– Jeff Gerlach (FRB Richmond)
– Danny Weitzner (MIT, IPRI)
Cyber risk data, measurement, and decision-making approaches
External approaches
10:25 AM
(:45)
Third-party data providers
– Incident metrics
– Loss data and methodologies
– Risk measures
– Data validation methods
Initial discussants:
– Steve Bishop (ORX)
– Jack Jones (FAIR)
– Michael Daniel (Cyber Threat Alliance)
Cyber risk data, measurement, and decision-making approaches
Financial service internal approaches
11:10 AM
(:60)
Bank Session 1
– Tracking and categorizing incidents / event triage
– Measuring losses (thresholds / methodologies)
– Internal risk metrics, decision making, and governance
Moderator: Patricia Mosser (Columbia, SIPA)
Initial discussants:
– Evan Wheeler (Capital One)
– Mahi Dontamsetti (State Street)
– Steve Hill (Credit Suisse)
12:10 (:10)
Short Break
12:20
(:60)
Other financial service firms
– Tracking and categorizing incidents / event triage
– Measuring losses (thresholds / methodologies)
– Internal risk metrics, decision making, and governance
Initial discussants:
– Ajoy Kumar (DTCC)
– Rich Seiersen (Resilience)
– Owen Barton (Vanguard)
13:20 (:10)
Day 1 Summary - Taylor Reynolds (MIT, IPRI)
13:30
End of Day 1
Day 2 - Research Roundtable (Wednesday, March 2nd, 2022)
10:00 AM (EST)
Welcome & brief recap of Day 1:
10:10 AM
(1:15)
Bank Session 2
– Tracking and categorizing incidents / event triage
– Measuring losses (thresholds / methodologies)
– Internal risk metrics, decision making, and governance
Initial discussants:
– Nedim Baruh (JPMC)
– John DeLong (Morgan Stanley)
– Craig Froelich (BoA)
11:25 (:10)
Short break
Consensus data metrics and methodologies for loss and risk measurement
11:35
(1:15)
Discussion around widely-used metrics
– Opportunities for standardized metrics (public and private)
– Requirements for confidentiality, handling sensitive, proprietary information
– Private computation opportunities
– Data aggregation pools / benchmarking
12:50
(:25)
Discussion of next steps and conclusion:
– Danny Weitzner (MIT)