Methodology & sources
This calculator estimates cyber-attack cost the way insurers price cyber cover: as an expected annual loss, calibrated to real cyber-insurance claims data. We are transparent about every assumption so you can judge — and challenge — the numbers. It is an estimate for guidance, not a quote.
Expected Annual Loss = Σ Probability(incident) × Cost(incident)
Summed across five independent scenarios. This is the actuarial "pure premium" an insurer starts from before adding expenses and margin.
How the estimate is built
1. Severity — what an incident costs
Revenue is the primary driver of incident cost. Cyber-insurance claims data (NetDiligence) shows that total cost scales with revenue and is only weakly related to the number of records held, so we scale each scenario's cost from your revenue and adjust it for sector, size and the sensitivity of the data you hold; records are a minor add-on for notification costs. Ransomware combines a probability-weighted ransom payment with recovery cost; a data breach combines forensics, legal and notification costs; business interruption is modelled from your daily revenue and typical downtime.
2. Frequency — how likely it is
Each scenario has a base annual probability of a material incident, grounded in large random-sample surveys (e.g. the UK Cyber Security Breaches Survey) rather than vendor headlines. Most attacks never cause material loss, so these rates are far below raw 'attack' rates. We scale them by your size and sector, and raise them if you've had a recent incident — the single strongest predictor underwriters use.
3. Controls — how much you reduce it
Each security control you enable multiplies down the frequency and/or severity of the scenarios it affects, based on the measured effect of that control in the source reports. The benchmark compares you against an identical business with no controls.
4. Indicative premium
Insurers price a premium above the expected loss to cover their own costs, profit and risk margin — typically a target loss ratio of 55–80%. We show that band. Real quotes are usually lower because policies cap the payout at a chosen limit and carry a deductible.
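As an added worked example (not the calculator's own code, and every constant in it is a constructed placeholder rather than one of the calibrated figures), the four steps above can be expressed as a small Python model: per-scenario severity scaled from revenue, a base probability adjusted for size, sector and a recent incident, controls applied as multipliers on frequency and severity, and an indicative premium band obtained by dividing the expected loss by each end of the 55–80% loss-ratio range. The two scenario names beyond the three the page mentions, the control set and all multipliers are assumptions made for illustration.

```python
# Added illustration of the expected-annual-loss structure described above.
# Every number here is a constructed placeholder, NOT a calibrated parameter
# of the calculator; only the structure follows the methodology text.
from dataclasses import dataclass

WORKING_DAYS = 250             # assumed: revenue / 250 approximates daily revenue
RECENT_INCIDENT_UPLIFT = 1.8   # assumed frequency uplift after a recent incident
MAX_PROBABILITY = 0.95         # probabilities are capped below certainty

# Assumed base annual probability of a *material* incident, per scenario.
# The page names ransomware, data breach and business interruption; the
# remaining two scenario names are assumptions.
BASE_PROBABILITY = {
    "ransomware": 0.04,
    "data_breach": 0.06,
    "business_interruption": 0.05,
    "funds_transfer_fraud": 0.03,
    "regulatory_fine": 0.01,
}

# Assumed control effects: control -> scenario -> (frequency mult, severity mult).
CONTROL_EFFECTS = {
    "mfa":        {"ransomware": (0.6, 1.0), "data_breach": (0.6, 1.0),
                   "funds_transfer_fraud": (0.5, 1.0)},
    "edr":        {"ransomware": (0.7, 0.85), "data_breach": (0.8, 0.9)},
    "backups":    {"ransomware": (1.0, 0.5), "business_interruption": (1.0, 0.6)},
    "training":   {"ransomware": (0.85, 1.0), "data_breach": (0.85, 1.0),
                   "funds_transfer_fraud": (0.7, 1.0)},
    "ir_plan":    {"ransomware": (1.0, 0.8), "data_breach": (1.0, 0.8),
                   "business_interruption": (1.0, 0.8)},
    "encryption": {"data_breach": (1.0, 0.7), "regulatory_fine": (1.0, 0.7)},
}


@dataclass(frozen=True)
class Business:
    revenue: float                 # annual revenue (currency units)
    records: int                   # personal records held
    sector_freq: float = 1.0       # sector adjustment to frequency (1.0 = average)
    sector_sev: float = 1.0        # sector adjustment to severity
    size_freq: float = 1.0         # size adjustment to frequency
    data_sensitivity: float = 1.0  # >1.0 for sensitive data (health, financial)
    recent_incident: bool = False
    controls: frozenset = frozenset()


def control_multiplier(scenario, controls):
    """Combined (frequency, severity) multiplier of the enabled controls."""
    freq = sev = 1.0
    for control in controls:
        f, s = CONTROL_EFFECTS[control].get(scenario, (1.0, 1.0))  # KeyError on a typo
        freq *= f
        sev *= s
    return freq, sev


def severity(scenario, b):
    """Cost of one incident, scaled from revenue; records are a minor add-on."""
    r = b.revenue
    if scenario == "ransomware":
        cost = 0.5 * 0.01 * r + 0.02 * r      # P(pay) x ransom + recovery cost
    elif scenario == "data_breach":
        cost = (0.005 + 0.005) * r * b.data_sensitivity + 2.0 * b.records  # forensics, legal, notification
    elif scenario == "business_interruption":
        cost = (r / WORKING_DAYS) * 5          # assumed 5 days of typical downtime
    elif scenario == "funds_transfer_fraud":
        cost = 0.002 * r
    elif scenario == "regulatory_fine":
        cost = 0.004 * r * b.data_sensitivity
    else:
        raise ValueError(f"unknown scenario {scenario}")
    return cost * b.sector_sev * control_multiplier(scenario, b.controls)[1]


def frequency(scenario, b):
    """Annual probability of a material incident after size, sector, history and controls."""
    p = BASE_PROBABILITY[scenario] * b.sector_freq * b.size_freq
    if b.recent_incident:
        p *= RECENT_INCIDENT_UPLIFT
    p *= control_multiplier(scenario, b.controls)[0]
    return min(p, MAX_PROBABILITY)


def expected_annual_loss(b):
    """EAL = sum over scenarios of probability x cost; returns (per-scenario, total)."""
    detail = {s: frequency(s, b) * severity(s, b) for s in BASE_PROBABILITY}
    return detail, sum(detail.values())


def premium_band(eal, loss_ratio_low=0.55, loss_ratio_high=0.80):
    """Indicative premium range such that expected loss is 55-80% of premium."""
    return eal / loss_ratio_high, eal / loss_ratio_low


if __name__ == "__main__":
    base = Business(revenue=10_000_000, records=50_000)
    hardened = Business(revenue=10_000_000, records=50_000,
                        controls=frozenset({"mfa", "backups"}))
    for label, biz in (("no controls", base), ("MFA + tested backups", hardened)):
        detail, eal = expected_annual_loss(biz)
        lo, hi = premium_band(eal)
        print(f"{label}: EAL {eal:,.0f}; indicative premium {lo:,.0f} to {hi:,.0f}")
        for name, value in detail.items():
            print(f"  {name:<22} {value:,.0f}")
```

Running the script contrasts the same business with and without two controls; the benchmark figure the page describes is exactly the difference between the two totals. Because every control enters multiplicatively, enabling a second control that targets the same scenario compounds rather than adds, which is why the premium band narrows faster than a reader summing percentages would expect.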
Why controls matter
Strong identity (MFA), endpoint detection, tested backups, staff training, an incident-response plan and encryption are repeatedly shown to be the highest-impact, lowest-cost ways to reduce cyber loss. The model reflects their measured effect — toggle them to see your exposure fall.
Sources
All figures are modelled from these public reports and regulations. We use medians and averages, not worst-case headlines.
- Cost of a Data Breach Report 2024 — IBM Security / Ponemon Institute (2024)
- Data Breach Investigations Report (DBIR) 2024 — Verizon (2024)
- The State of Ransomware 2024 — Sophos (2024)
- Quarterly Ransomware Report (Q4 2024) — Coveware (2024)
- Cyber Claims Study 2024 — NetDiligence (2024)
- Cyber Security Breaches Survey — UK Government (DSIT) (2025)
- One simple action to prevent 99.9% of account attacks (MFA) — Microsoft Security (2023)
- ENISA Threat Landscape 2024 — European Union Agency for Cybersecurity (ENISA) (2024)
- Internet Crime Report 2023 — FBI Internet Crime Complaint Center (IC3) (2023)
- Hiscox Cyber Readiness Report 2023 — Hiscox (2023)
- GDPR Article 83 — administrative fines — EUR-Lex (Regulation (EU) 2016/679) (2016)
- UK GDPR / Data Protection Act 2018 penalties — UK Information Commissioner's Office (ICO) (2018)
Important
This tool produces estimates from public industry averages and your inputs. It is for guidance only and is not an insurance quote, an actuarial valuation, or financial or legal advice. Your actual exposure depends on factors specific to your organisation.