- December 8, 2023: Updated to reflect UI changes.
- September 21, 2022: Quantification drafts can be saved.
- May 24, 2022: Published.
Only Admin and Group Admin can run a quantification. See Financial Quantification user permissions.
There is a short survey to complete before the quantification runs. This survey allows you to:
- Complete a business profile. This determines your peer group.
- Provide operation inputs. This provides insight into the scale of potential losses at your company and any mitigating controls you have in place.
- Provide cyber insurance details and details of previous cyber events. This helps identify coverage gaps and increases the accuracy of exposure estimates.
Inputs are automatically saved after each step. You can also select Save draft to save your progress. Drafts are shared among Admins.
Select Run Quantification when the survey is complete. The quantification will take up to 2 business days to return results.
A small number of inputs are required to run the quantification.
|Countries of Operation
|The countries where the organization is located.
|U.S. States of Operation
|Required if US
|The U.S. states where the organization is located (if applicable).
|Industries of Operation
|The industries in which the organization operates.
|The currency of the organization’s annual revenue, which will be used for the model output.
|Annual revenue (turnover) of the organization.
|Number of Employees
|The number of people employed by the organization, bucketed into ranges.
|Amount of PII (Personally Identifiable Information) records
|The number of PII data records possessed by the organization.
|Amount of PCI (Payment Card Industry) records
|The number of PCI data records possessed by the organization.
|Amount of PHI (Protected Health Information) records
|The number of PHI data records possessed by the organization.
|Amount of other record types
|The number of other data records possessed by the organization.
|Select all security certifications that your organization has obtained
|Security certifications held by the organization.
|Select all security controls your organization has in place
|Security controls / products that are implemented within the organization. The type and prevalence of security controls are important in assessing both the likelihood of particular cyber events and the magnitude of impact of those events. The security controls and procedures listed here are taken from the CIS 20 (version 7) framework. Learn more about CIS 20.
|Select all regulatory requirements that apply to your organization
|The regulatory frameworks that the organization is subject to due to the location or type of business activity. These inputs are critical to assessing the organization's financial exposure to different geographic and industry-related regulatory fines and compliance-related risks.
|The deductible amount for the cyber insurance purchased by the organization.
|The coverage limit for cyber insurance purchased by the organization.
|The amount of loss at which excess or supplemental insurance begins to pay out.
|Annual premium for the organization’s cyber insurance coverage.
|Previous Cyber Incidents
Providing a history of cyber incidents that have had a material impact on the organization increases the accuracy of exposure estimates by helping to calibrate the magnitude of loss from prior events and informing likelihood of specific incident scenarios.
When you add an event, you'll be prompted to:
Rerunning a Quantification
Because your overall threat environment, security controls, and technology footprint do not change rapidly, you should not expect quantifications that are run close together to have materially different results. In general, running monthly or quarterly will provide the most meaningful changes.
To rerun a quantification:
- Use the Rerun button on the input card.
- Select the Rerun Quantification button at the bottom of the Quantification Inputs card in the Financial Quantification tab.
You can modify your inputs or rerun the quantification as configured.