Cyber Risk Measurement Expert Group Meeting

Cyber Risk Measurement: Evolving loss-based risk models and identifying key data sets in the financial services sector and beyond

Tuesday, March 1st & Wednesday, March 2nd, 2022
By invitation only

Hosted by the Federal Reserve Board of Governors, Federal Reserve Bank of Richmond, and the Massachusetts Institute of Technology

Understanding the impact of cyber attacks on our financial system remains an essential goal for the private sector, policy-makers and academic researchers. MIT, the Federal Reserve Bank of Richmond, and the Federal Reserve Board are sponsoring a multi-part series dedicated to exploring the relationship between cyber incidents, measurable associated losses, and cyber risk modeling. For this initial, smaller session, subject matter experts from financial services firms (banks, insurance firms, etc.) and third-party data providers are invited to share existing best practices, common challenges, and areas of opportunity for cyber risk measurements with fellow practitioners, as well as computer scientists and economists with expertise in risk modeling. Our goal is to identify common approaches to data collection, relevant definitions, and risk measurements, along with computational techniques that enable necessary data insights while preserving sensitive, proprietary information. A second conference-style meeting will be held at a later date in mid-2022, bringing together a broader set of leaders from industry, academia, the Federal Reserve and other supervisory agencies to address key themes identified by Research Roundtable participants.

The Research Roundtable will take place virtually across two half-day sessions and cover the following topics:

During the discussion, attendees will have the opportunity to share informative cyber risk resources and key learnings with their peers and associated partners.

If you have any questions, please do not hesitate to reach out to cyber-risk-2022@mit.edu.

Format: Chatham House Rule
“The Chatham House Rule helps create a trusted environment to understand and resolve complex problems. Its guiding spirit is: share the information you receive but do not reveal the identity of who said it. When a meeting, or part thereof, is held under the Chatham House Rule, participants are free to use the information received, but neither the identity nor the affiliation of the speaker(s), nor that of any other participant, may be revealed.”

Day 1 - Research Roundtable (Tuesday, March 1st, 2022)

10:00 AM (EST)

(:25)

Welcome and introductions

Background and goals

Jeff Gerlach (FRB Richmond)
Danny Weitzner (MIT, IPRI)

Cyber risk data, measurement, and decision-making approaches

External approaches

10:25 AM

(:45)

Third-party data providers

– Incident metrics
– Loss data and methodologies
– Risk measures
– Data validation methods

Initial discussants:

Steve Bishop (ORX)
Jack Jones (FAIR)
Michael Daniel (Cyber Threat Alliance)

Cyber risk data, measurement, and decision-making approaches

Financial service internal approaches

11:10 AM

(:60)

Bank Session 1

– Tracking and categorizing incidents / event triage
– Measuring losses (thresholds / methodologies)
– Internal risk metrics, decision making, and governance

Moderator: Patricia Mosser (Columbia, SIPA)

Initial discussants:

Evan Wheeler (Capital One)
Mahi Dontamsetti (State Street)
Steve Hill (Credit Suisse)

12:10 (:10)

Short Break

12:20

(:60)

Other financial service firms

– Tracking and categorizing incidents / event triage
– Measuring losses (thresholds / methodologies)
– Internal risk metrics, decision making, and governance

Initial discussants:

Ajoy Kumar (DTCC)
Rich Seiersen (Resilience)
Owen Barton (Vanguard)

13:20 (:10)

Day 1 Summary - Taylor Reynolds (MIT, IPRI)

13:30

End of Day 1

Day 2 - Research Roundtable (Wednesday, March 2nd, 2022)

10:00 AM (EST)

Welcome & brief recap of Day 1:

Stacey Schreft (FRB)

10:10 AM

(1:15)

Bank Session 2

– Tracking and categorizing incidents / event triage
– Measuring losses (thresholds / methodologies)
– Internal risk metrics, decision making, and governance

Initial discussants:

Nedim Baruh (JPMC)
John DeLong (Morgan Stanley)
Craig Froelich (BoA)

11:25 (:10)

Short break

Consensus data metrics and methodologies for loss and risk measurement

11:35

(1:15)

Discussion around widely-used metrics

– Opportunities for standardized metrics (public and private)
– Requirements for confidentiality, handling sensitive, proprietary information
– Private computation opportunities
– Data aggregation pools / benchmarking

12:50

(:25)

Discussion of next steps and conclusion:

Danny Weitzner (MIT)

13:15

End of Day 2 and end of event