Arx Nimbus: The Financially Quantitative Leader

Comprehensive Digital Risk Management


Risk Management matters.

But why? First, because entire segments of our society simply wouldn't run without it. Our transportation systems only work because of sophisticated Risk Management - monitoring, traffic controls, and insurance - it all helps greatly to reduce risk. The US Federal Reserve manages and reduces the risks of all financial institutions. Hospitals review their data constantly to eliminate risk of procedural errors, infections and other issues. And airlines are examined, monitored, and required to report tons of data to manage risk. Every accident is scrutinized thoroughly to isolate the specific causal factors of any loss. But what about Risk Management for what many call "the biggest risk facing business today" - Cybersecurity Risk?

This is the risk that wipes out billions in enterprise value overnight. It attacks often without warning, leaving organizations unable to do anything but simply react, assess the damage (most of whom had not assessed the risk), and prepare for the inevitable lawsuits. It's the one risk that can be perpetrated by threats against whom you will have no recourse because conventional law enforcement cannot reach them. It's the risk that has produced direct monetary losses up to $1.4 bn for single companies - and global annual losses of $700 bn. And it's growing faster than the defenses against it. Might we want to manage this particular type of risk?

Establishing real Risk Management means starting with measuring risk. In the past, actuarial science was used across society to measure all manner of risks - fires, floods, accidents - even rare but catastrophic circumstances. So why has it been so hard to measure - and therefore manage - cyber risk?

The answer lies in the data. Until recently, the data needed to apply known mathematical models to cyber risk was simply not available. The field was too new, the data collection methods were not uniform, and there were a host of other limitations.

So, if you were going to determine your own cyber risks, what would you do? Where would you start?

For starters, collecting and aggregating a sufficient volume of data. This would of course have to include historical data, since actual observed losses are very informative as to all types of risk, not just cyber risk. So we need a lot of cyber risk data - especially loss data.

Then we would need data on the specific enterprise - financial indicators like revenue, asset value, and organization headcount. But we'd also need to know most, if not all, of the top indicators of cyber risk. How about the company's industry? Maybe their own specific controls and vulnerabilities? And also data that show how attractive a target they may be? Possibly validated against actual attacks? Lots of data needed here - probably from dozens of sources.

But now, we would have a pile of data - so don't we also need a way to organize that data? And then a way to analyze it and draw meaning from it? Ok - so we would need a powerful set of algorithms to really get meaning from this data. But not just any algorithms - not just something anyone could craft in a spreadsheet, for example. And not only that, would these algorithms and formulas need to be statistically valid? Mathematically correct? Would they need to be in alignment with accepted standards and frameworks? Would they need to abide by regulatory requirements? They might have to be reviewed by regulators, actuaries, economists, and auditors. It seems like a lot, and of course too many requirements to build all this in a short time, even with the brightest minds on a full-time team.

Clearly the data, the processes, the technology and the algorithms are all needed - if one intends to properly quantify risk, and then further to provide the functionality to manage those same risks toward the reduction path that all organizations are ultimately seeking. It's a lot.

Fast forward to 2021, and with the sum total of meaningful data now available, Arx Nimbus and its team of computer scientists, engineers, statisticians, actuaries, economists and accountants have spent years developing just these processes, methodologies and technologies. Working with the best customer minds in the DoD, Finance, Insurance and Computing, the Thrivaca© technology is now the recognized leader in quantitative and financial analysis of cyber risk. With a 72-hour SLA for initial implementation, Arx Nimbus' Thrivaca platform relies on scanned data and a portfolio of data sources, organized by insurance-grade algorithms, to provide the first financially-relevant digital risk management platform.

Product Summary:

  • Historical database derived from 22 sources recording 100,000+ public and private records of specific losses, by organization
  • Statistician-developed and actuary-reviewed processes, statistical distributions and probability models
  • Strict adherence to widely accepted security audit controls frameworks including NIST and ISO
  • Data-driven results dependent on passive-scan data and publicly available records, along with comprehensive vulnerabilities of the organization
  • Threat trend-tracking on your industry derived from over 70 million attacks per week
  • Advanced machine learning algorithm that simulates actual threat actor patterns against specific target-organization conditions
  • Industry-specific risk probability patterns derived from multi-year history
  • Comprehensive view across risk domains including core enterprise storage, servers, and networks; cloud; mobile; OT and ICS; recently acquired entities; and IoT
  • Detailed documentation of Threats, Risks, Vulnerabilities, Controls status and interaction between variables, solutions outcomes and processes provides audit-readiness without the need for recurring “re-assembly” of documentation
  • Published REST API
  • Implemented and licensed in Healthcare, Banking, Fintech, Bio-pharma, Consumer Products, Higher Education, Diagnostic Services and Defense
  • Named as top data-driven Risk Analytics solution by Gartner (
  • Delivered via SOC1 / SOC2 certified cloud platform hosted in Microsoft Azure©
  • Economic model developed with University of Chicago PhD economists (
  • Top public-accounting firm validation of controls
  • Arx Nimbus Solutions Navigator© provides financial value-driven interactive exploration of planned technologies, processes and technologies for optimal selection of cybersecurity solutions to advance enterprise security
  • Insurance-grade quantitative models that utilize actuarially-based risk valuations
  • Thrivaca M&A provides pre- and post-merger analyses, identifying specific mitigation strategies, solutions, and cost-of-risk effects
  • Arx Nimbus recognized as top-eight Risk Management / Risk Analytics solution by Momentum Partners’ Cyberscape© (
  • Thrivaca CI© provides Cyber Insurance industry - underwriters and brokers - with the most rapid turnaround of any actuarially-driven risk valuation solution, with the least invasive data collection attainable
  • Fully auditable and traceable results, based on "Zero-Trust" principles throughout
  • Acknowledged market leader in financially quantitative digital risk management
  • Cause-and-effect traceability throughout providing detailed support in the event of litigation
  • Algorithmic results based on comprehensive portfolio of data sources:
    • Internet-Protocol scans of organization’s external threat surface
    • NIST and/or ISO established controls
    • Risk Register data
    • AI-enabled known attacker pattern simulations
    • Historical loss patterns derived from 22 published sources including Verizon, FBI, and Homeland Security
    • 80,000 social media posts per day
    • Established and regulator-defined relationships between 48,000 interactions of Threats and Vulnerabilities known to trigger specific Risk Types
    • Attack velocity for subject organization and industry peers/competitors
    • Key organizational metrics including financial reports
    • 170,000+ darkweb posts per day
    • Organization’s 6-digit NAICS industry-code patterns
  • Interactive/exploratory relationships between Threats, Risks, Vulnerabilities and Capabilities
  • Economic valuation of alternative solutions, processes and controls, supporting strategy development and testing
  • Meets or exceeds latest data-driven, objective risk management requirements of NIST 800-53, NIST CSF, ISO 27001, GDPR, SEC and HHS
  • 24/7 multi-user interactive portal access with complete cloud scalability capacity and security of Microsoft Azure©
  • Detailed insurance planning, focused on weighted specific-risk transfer, scaling of limitations of liabilities, and premium pricing
  • Multi-business unit support with consolidated enterprise-wide Risk Profiles
  • Over 600 NIST-prescribed and regulator pre-approved process/controls/implementation remediation plans, tied to customers’ own risks by economic impact
  • Unlimited modeling of “what-if” analyses including cloud migration, digital transformation, production scaling, geographic expansion and M&A
  • 14-day free trial and 4X Results Performance Guarantee available to qualified customers

Show Me What I Can Gain

Establish your regulator-approved and audit-ready Digital Risk Management program today. Get compliance with current requirements, and bring your organization the vital insights needed to get safely past risk and gain competitive advantage.

Understand the Results


White Paper

Threats persist and expand. Business advances and more risks emerge quickly. How can you get ahead of risk? Change the game now. Get real, data-driven risk in place to advance and leverage your efforts now, and take the battle to where the risk originates.



Today’s enterprise requires fundamental advances in recovering the cost of risk. Get the data. Get the analysis. Identify unfunded liabilities and recover the costs now – while attacking risks at their origins.