Enabling companies to improve cybersecurity and reduce costs,
by bringing predictability to the randomness of data breach,
using data analytics and A.I.
Call or book a free peer comparison.
Aggregate 3rd Party Assessments
Regulators and management need 3rd party assessments that are accurate and not based upon opinions or assumptions. VivoSecurity enables our customers to satisfy regulators by assessing true 3rd party risk, which is the probability that one of their vendors will have a data breach, obsoleting the use of questionnaires, maturity scores and SOC2 reports.
The risk from 3rd parties is from breaches caused by the sheer number of vendors. VivoSecurity quantifies this risk twice per year, with an aggregate forecast. We help senior management set risk appetite goals with a testable forecast of data breach frequency. We help cybersecurity teams identify the few vendors that represent most of the risk; we then quantify the value of mitigation. Finally, we satisfy regulators with an accurate and documented process for vendor assessment using an empirical and transparent regression model for probability of data breach.
Data Breach Impact Report
The cost of a data breach is predictable. By understanding the causes and cost of data breaches, VivoSecurity allows our customers to make informed decisions around cybersecurity investments. We use an empirical regression model, which means that it is based upon factors that predict cost. The model is easy to understand, and provides insights into how to manage and reduce costs. The report provides the median and 80% confidence interval for a data breach caused by a malicious outsider, a malicious insider, a lost & stolen device, and/or an accident. The model forecasts the sum of all costs including investigation costs, notification costs and reputation damage and the probability for lawsuit, providing a complete and detailed breakdown of costs.
Senior management would like more than green/yellow/red. They would like to know the probability for data breach and the cost of reducing this probability. They would like to know how they compare with peers and they would like to be able to weigh cybersecurity risks against other business priorities. They would like to know how the cost of risk transfer compares with the cost of reducing cyber-risk.
VivoSecurity brings predictability to the randomness of cybersecurity incidents by enabling our customers to understand the probability of having a data breach. Our report will help senior management set risk appetite goals for their internal cybersecurity, in terms of data breach frequency and data breach size, and, more importantly, weigh the cost of cybersecurity against the cost of risk transfer. Our report will also show senior management how they compare with their industry and size in terms of cybersecurity spend and management culture.
VivoSecurity develops rigorous statistical and AI models that meet the Federal Reserve's and Office of the Comptroller of the Currency's guidance for model risk management (SR11-7), to forecast the cost and probability of data breach. The Vivo team has PhD-level scientists and statisticians who have developed novel, yet rigorous methods to leverage the numerous state and federal reporting requirements regarding data breach.
Nagaraja Kumar Deevi
CISSP, CISA & 32 additional certifications
David Hann, Thomas Lee, PhD
David Hann, Thomas Lee, PhD
Rick Lucas, Thomas Lee, PhD
Paul Steiner PhD, CQA, Thomas Lee, PhD
A new protocol for Internal Audit to assure that third-party data breach risk is within management's risk-tolerance
Axel Troike, Thomas Lee, PhD, David Hann
An editorial response to ISACA’s white paper on digital trust
Thomas Lee, PhD
A talk given to ISACA Philadelphia, May 5th, 2023
Speaker was Thomas Lee, PhD
Financial • Banking
The Federal Reserve and Office of the Comptroller of the Currency (OCC) have special requirements for banks regarding models and assessing model risk (see SR11-7).
VivoSecurity assists our customers to meet this standard with empirical regression models that are fully compliant. Our models bring non-technical insights to senior management and new technical insights to the subject matter expert. With each use, our Aggregate 3rd Party Assessments make a testable forecast to validate our results. We support model validation, provide model documents, and support model maintenance to aid assessment of model risk. Our models help banks, financial institutions and transaction processors to quantify and manage the risk from 3rd and 4th parties, demonstrate an advanced approach for risk management to regulators and bring certainty to the randomness of data breach.
Biotech • Pharma • Medical
Good policies and procedures are the foundation of quality assurance (QA). We support our customers' QA teams with a HIPAA-compliant, CLIA-compliant and NIST 800-30-compliant Aggregate 3rd Party Assessment process.
Our Aggregate 3rd Party Assessments apply to both IT/technology and business-critical clinical vendors. We help our customers save money, while also reducing cyber-risk, by identifying the few vendors that account for most of the risk. Our customers save money by focusing mitigation efforts, which can be justified by quantifying the value with a model and process that is credible to regulators.
Our customers' QA teams gain non-technical, yet actionable insights into the risk posed by each vendor and the risk from the sheer number of vendors. We support our QA customers with a template SOP and training for vendor assessments and new vendor onboarding. We support our customers when they face CAP and OCR auditors with our credible, accurate and testable empirical regression model that quantifies cybersecurity risk.
Industries with PII
Companies continue to outsource services and infrastructure, with 3rd party risk being the cybersecurity blind spot. We find that about 50% of larger data breaches are caused by 3rd parties. This 3rd party risk is due to the sheer number of vendors, which cannot be assessed with maturity or compliance models, or SOC 2 reports. We help all of our customers quantify and manage this cybersecurity risk with empirical statistical models that forecast data breach for all their vendors, not only the vendors missed by maturity or compliance models.