
How insurers price cyber risk, and why you should budget the same way

Expected annual loss is the number underneath every cyber insurance quote. Here is how it is built, what controls do to it, and how to use it to decide what security is worth paying for.

Published on 5 min read

Underwriters do not price your worst day. They price your average year.

That distinction is the whole game, and it is also the most useful idea a business owner can borrow from the insurance industry. When you ask "what would a cyber attack cost us," your brain reaches for the catastrophe: the company-ending ransomware event, the breach on the front page. Insurers do not think that way, because they cannot afford to. They think in expected annual loss, and once you do too, a lot of security decisions that felt like guesswork become arithmetic.

The formula underneath every quote

Strip away the jargon and the model is almost embarrassingly simple:

Expected Annual Loss = Σ Probability(incident) × Cost(incident)

summed across the scenarios that actually cause loss. For an SME that is roughly five: ransomware, data breach, business interruption, business email compromise, and regulatory exposure. For each one you ask two questions. How much does it cost if it happens? How likely is it in a year?

A 2-million-euro breach that is 10% likely this year contributes 200,000 euros of expected loss. A 50,000-euro wire fraud that is 30% likely contributes 15,000. You do this for every scenario and add them up. That total is the pure premium, the actuarially fair price of the risk before anyone adds margin. The insurer then grosses it up for their own expenses, for the uncertainty in their estimate, and for profit, and that is your quote.

This is not a metaphor for what insurers do. It is what they do. The probabilities come from claims experience (which is why insurer datasets like NetDiligence are worth more than vendor surveys), the severities from the same place, and the loadings from how confident they are in the numbers.

Why controls now change the price

For years cyber insurance was priced lazily, almost by headcount. That ended when the ransomware loss ratios blew up around 2020 and 2021 and insurers got religion about controls. Now the application asks whether you have MFA, EDR, tested offline backups, an incident-response plan. Not because they are box-ticking, but because each of those changes a term in the formula above.

MFA does not reduce what a breach costs. It reduces how often you get breached in the first place, the probability term, by blocking the credential attacks that start most incidents. Tested offline backups barely touch frequency but slash the severity of ransomware, because you restore instead of paying and instead of being down for two weeks. Encryption makes a breach less reportable and less damaging. An incident-response plan, in IBM's data, is one of the single largest cost reducers, because competent response is the difference between a contained event and a sprawling one.

Stack a few of these and the expected loss can drop by something like a third to a half, for a fraction of the cost of a single incident. That is the real argument for security spending, and it is an argument you can put numbers on instead of vibes.

How to actually use this

Here is where it gets practical, and where most businesses leave money on the table.

Once you have an expected annual loss, every proposed control has a measurable payoff: how much does it lower the expected loss, and what does it cost per year. That ratio is your prioritization. The control that drops expected loss by 40,000 a year and costs 5,000 wins over the shiny tool that drops it by 8,000 and costs 30,000, no matter which one the vendor is louder about.

It also tells you, honestly, when to stop. There is a point where the next control costs more than the risk it removes, and a rational budget stops there and transfers the residual risk to an insurer. That is what cyber insurance is for: the tail you cannot economically engineer away. Expected loss tells you where that line is instead of letting fear set the budget, which is how companies end up over-buying tools and under-buying the boring controls that actually move the number.
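The decomposition from the formula section and the prioritization rule from this section, worked through in code. This is an added example, not the calculator the article refers to, and every scenario probability, cost and control effect in it is a constructed sample value (the data-breach and wire-fraud figures are the ones quoted above; the rest are made up for illustration). It assumes that a control acts as a multiplicative factor on a scenario's probability or cost, that factors compound when several controls are in place, and it goes one step beyond the text by ranking controls on their marginal reduction given what is already chosen and stopping when the next control costs more than the expected loss it removes.

```python
"""Expected annual loss (EAL): scenario table, control effects, and
control ranking by reduction per euro of annual cost.
Added illustration; all inputs are constructed sample values."""
from dataclasses import dataclass, field


@dataclass
class Scenario:
    name: str
    probability: float  # chance the scenario occurs in a given year
    cost: float         # expected severity, in euros, if it does


@dataclass
class Control:
    name: str
    annual_cost: float
    # Per-scenario multiplicative factors (assumed model): 0.5 means "halves it".
    probability_factors: dict = field(default_factory=dict)
    cost_factors: dict = field(default_factory=dict)


def expected_annual_loss(scenarios):
    """Sigma Probability(incident) x Cost(incident) over the loss scenarios."""
    return sum(s.probability * s.cost for s in scenarios)


def apply_controls(scenarios, controls):
    """Return new scenarios with every control's factors applied (they compound)."""
    adjusted = []
    for s in scenarios:
        p, c = s.probability, s.cost
        for ctl in controls:
            p *= ctl.probability_factors.get(s.name, 1.0)
            c *= ctl.cost_factors.get(s.name, 1.0)
        adjusted.append(Scenario(s.name, p, c))
    return adjusted


def rank_controls(scenarios, candidates, chosen=()):
    """Rank candidates by marginal EAL reduction per euro of annual cost,
    measured on top of the controls already chosen."""
    base = expected_annual_loss(apply_controls(scenarios, chosen))
    ranked = []
    for ctl in candidates:
        with_ctl = expected_annual_loss(apply_controls(scenarios, (*chosen, ctl)))
        reduction = base - with_ctl
        ranked.append((ctl.name, reduction, ctl.annual_cost, reduction / ctl.annual_cost))
    return sorted(ranked, key=lambda r: r[3], reverse=True)


def greedy_budget(scenarios, candidates):
    """Pick controls best-ratio-first; stop when the next one costs more than
    the expected loss it removes. Returns (chosen names, residual EAL)."""
    chosen, remaining = [], list(candidates)
    while remaining:
        name, reduction, cost, _ = rank_controls(scenarios, remaining, chosen)[0]
        if reduction <= cost:  # the residual is what insurance is for
            break
        ctl = next(c for c in remaining if c.name == name)
        chosen.append(ctl)
        remaining.remove(ctl)
    return [c.name for c in chosen], expected_annual_loss(apply_controls(scenarios, chosen))


# Constructed sample scenarios for a hypothetical SME (not insurer data).
SCENARIOS = [
    Scenario("ransomware", 0.15, 400_000),
    Scenario("data breach", 0.10, 2_000_000),            # the article's 200,000 example
    Scenario("business interruption", 0.20, 100_000),
    Scenario("business email compromise", 0.30, 50_000),  # the article's 15,000 example
    Scenario("regulatory exposure", 0.05, 300_000),
]

# Constructed control effects: MFA hits frequency, backups and IR planning hit severity.
CONTROLS = [
    Control("MFA", 5_000, probability_factors={
        "ransomware": 0.6, "data breach": 0.7, "business email compromise": 0.4}),
    Control("Tested offline backups", 12_000, cost_factors={
        "ransomware": 0.3, "business interruption": 0.5}),
    Control("Incident-response plan", 8_000, cost_factors={
        "data breach": 0.75, "ransomware": 0.8, "regulatory exposure": 0.8}),
    Control("Shiny tool", 30_000, probability_factors={"data breach": 0.96}),
]

if __name__ == "__main__":
    print(f"Baseline EAL: {expected_annual_loss(SCENARIOS):,.0f}")
    for name, red, cost, ratio in rank_controls(SCENARIOS, CONTROLS):
        print(f"  {name:24s} -{red:>9,.0f}/yr for {cost:>7,.0f}/yr  ratio {ratio:.2f}")
    chosen, residual = greedy_budget(SCENARIOS, CONTROLS)
    print(f"Buy: {chosen}; residual EAL to insure: {residual:,.0f}")
```

With these numbers the baseline is 310,000 a year; MFA alone removes 93,000 for 5,000, the incident-response plan is next, backups third, and the 30,000-a-year tool that trims 8,000 never clears the stop rule, leaving a residual of roughly 141,640 to transfer to an insurer. Change the factors and the ranking changes with them, which is the point: the argument lives in the assumptions, so keep them written down and challengeable.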

One honest caveat. Expected annual loss is an average, and averages hide tails. A small firm can be wiped out by a single event that the expected-value math says is unlikely, and "unlikely" is cold comfort if it is you. So use expected loss to size the budget and prioritize controls, and use the worst-case to decide how much insurance to carry on top. They answer different questions. The mistake is using either one alone.

See your own number

The calculator runs exactly this decomposition for your sector, size, revenue, region and current controls, and shows you the breakdown across all five scenarios plus what each control is doing to the total. Every probability and cost is sourced and laid out in the methodology so you can challenge the assumptions, which you should.

Stop asking what a cyber attack would cost on your worst day. Ask what it costs on an average year, then spend until the next control is no longer worth it. That is the discipline the insurance industry already runs on, and there is no reason your budget should not.
