Enabling companies to improve cybersecurity and reduce costs,
by bringing predictability to the randomness of data breach,
using data analytics and A.I.
Call or book a free peer comparison.
https://meetings.hubspot.com/thomasl4
Products
Aggregate 3rd Party Assessments
Regulators and management need 3rd party assessments that are accurate and not based upon opinions or assumptions. VivoSecurity enables our customers to satisfy regulators by assessing true 3rd party risk, which is the probability that one of their vendors will have a data breach, obsoleting the use of questionnaires, maturity scores and SOC2 reports.
The risk from 3rd parties is from breaches caused by the sheer number of vendors. VivoSecurity quantifies this risk twice per year, with an aggregate forecast. We help senior management set risk appetite goals with a testable forecast of data breach frequency. We help cybersecurity teams identify the few vendors that represent most of the risk; we then quantify the value of mitigation. Finally, we satisfy regulators with an accurate and documented process for vendor assessment using an empirical and transparent regression model for probability of data breach.
Data Breach Impact Report
The cost of a data breach is predictable. By understanding the causes and cost of data breaches, VivoSecurity allows our customers to make informed decisions around cybersecurity investments. We use an empirical regression model, which means that it is based upon factors that predict cost. The model is easy to understand, and provides insights into how to manage and reduce costs. The report provides the median and 80% confidence interval for a data breach caused by a malicious outsider, a malicious insider, a lost & stolen device, and/or an accident. The model forecasts the sum of all costs, including investigation costs, notification costs and reputation damage, and the probability of a lawsuit, providing a complete and detailed breakdown of costs.
Peer Comparison
Senior management would like more than green/yellow/red. They would like to know the probability for data breach and the cost of reducing this probability. They would like to know how they compare with peers and they would like to be able to weigh cybersecurity risks against other business priorities. They would like to know how the cost of risk transfer compares with the cost of reducing cyber-risk.
VivoSecurity brings predictability to the randomness of cybersecurity incidents by enabling our customers to understand the probability of having a data breach. Our report will help senior management set risk appetite goals for their internal cybersecurity, in terms of data breach frequency and data breach size, and, more importantly, weigh the cost of cybersecurity against the cost of risk transfer. Our report will also show senior management how they compare with their industry and size in terms of cybersecurity spend and management culture.
Partners
Partners are independent individuals or organizations that help Vivo deliver our offerings. Partners have access to our backend data and may develop their own reports, provide their own interpretations and add additional data. Partners can provide consulting services to help you integrate the management of third-party data breach risk into existing processes.
Christine Dewhurst, CISA, CPA, Bachelor of Mathematics from the University of Waterloo, is the leading authority for management of cumulative third-party risk, defining such terms as “Tail-vendor”, discovering thresholds for tail-vendors, defining appropriate risk-appetites and working out methodologies for mitigating cumulative third-party data breach risk that integrate into current processes for Third-Party Risk Management (TPRM).
Christine advises companies on governance strategies, risk management and auditing, and is a key collaborator with VivoSecurity. She has more than 27 years of experience in senior roles at KPMG, Deloitte, Manulife and Bank of Montreal (BMO), addressing cybersecurity assurance, vulnerability fortification, identity & access management, business resiliency capabilities and TPRM. Christine is a frequent presenter at ISACA Toronto and Canadian Cyber Threat Exchange (CCTX).
Michael Stoyanovich, CDPSE, MPA, is a leading expert at managing third-party data breach risk including 1) strategies and policies for managing risk-budgets, 2) methods for evaluating risk-budgets and 3) integration of the management of third-party data breach risk within current TPRM frameworks and practices. He is also an expert in assessing third parties based upon information security (“InfoSec”) team size and training, IT-training, and evaluation of a third party's outsourced cybersecurity.
Michael has over 30 years of experience in technology and has served as Chief Information Officer (CIO) and Chief Operating Officer (COO) at Associated Third Party Administrators (ATPA) and CIO of BeneSys. He earned a Certified Data Privacy Solutions Engineer (CDPSE) credential, issued by ISACA. Stoyanovich received a bachelor of arts degree from the University of Michigan and a master of public administration degree from Michigan State University. Michael is a vice president and senior consultant in Segal’s Administration & Technology Consulting practice.
About
VivoSecurity develops rigorous statistical and AI models that meet the Federal Reserve's and Office of the Comptroller of the Currency's guidance for model risk management (SR11-7), to forecast the cost and probability of data breach. The Vivo team has PhD-level scientists and statisticians who have developed novel, yet rigorous methods to leverage the numerous state and federal reporting requirements regarding data breach.
Nagaraja Kumar Deevi
Advisor
CISSP, CISA & 32 additional certifications
Resources
Case Studies
Publications
How to Improve Third-Party Risk Management using Statistical Models
David Hann, Thomas Lee, PhD
An Enhanced Approach to Vendor Due-Diligence
David Hann, Thomas Lee, PhD
The Quantified Value of CISSP and CISA Certified Employees
Rick Lucas, Thomas Lee, PhD
Why Include Cybersecurity as part of GXP Vendor Qualification
Paul Steiner PhD, CQA, Thomas Lee, PhD
Assessing the Effectiveness of Third-Party Risk Management using Quantitative Models
A new protocol for Internal Audit to assure that third-party data breach risk is within management's risk-tolerance
Axel Troike, Thomas Lee, PhD, David Hann
How ISACA can unleash a Digital Trust revolution
An editorial response to ISACA’s white paper on digital trust
Thomas Lee, PhD
Talks
A talk given to ISACA Philadelphia, May 5th, 2023
Speaker was Thomas Lee, PhD
Industries
Financial • Banking
The Federal Reserve and Office of the Comptroller of the Currency (OCC) have special requirements for banks regarding models and assessing model risk (see SR11-7).
VivoSecurity assists our customers to meet this standard with empirical regression models that are fully compliant. Our models bring non-technical insights to senior management and new technical insights to the subject matter expert. With each use, our Aggregate 3rd Party Assessments make a testable forecast to validate our results. We support model validation, provide model-documents, and support model maintenance to aid assessment of model risk. Our models help banks, financial institutions and transaction processors to quantify and manage the risk from 3rd and 4th parties, demonstrate an advanced approach for risk management to regulators and bring certainty to the randomness of data breach.
Biotech • Pharma • Medical
Good policies and procedures are the foundation of quality assurance (QA). We support our customers’ QA teams with a HIPAA compliant, CLIA compliant and NIST 800-30 compliant Aggregate 3rd Party Assessment process.
Our Aggregate 3rd Party Assessments apply to both IT/technology and business critical clinical vendors. We help our customers save money, while also reducing cyber-risk, by identifying the few vendors that account for most of the risk. Our customers save money by focusing mitigation efforts, which can be justified by quantifying the value with a model and process that is credible to regulators.
Our customers’ QA teams gain non-technical, yet actionable insights into the risk posed by each vendor, and by the risk from the sheer number of vendors. We support our QA customers with a template SOP and training for vendor assessments and new vendor onboarding. We support our customers when they face CAP and OCR auditors with our credible, accurate and testable empirical regression model that quantifies cybersecurity risk.
Industries with PII
Companies continue to outsource services and infrastructure, with 3rd party risk being the cybersecurity blind spot. We find that about 50% of larger data breaches are caused by 3rd parties. This 3rd party risk is due to the sheer number of vendors, which cannot be assessed with maturity or compliance models, or SOC 2 reports. We help all of our customers quantify and manage this cybersecurity risk with empirical statistical models that forecast data breach for all their vendors, not only the vendors missed by maturity or compliance models.
Contact
VivoSecurity Inc.
Los Altos, California
Telephone 650-919-3050