Live & Free

2026 US Cyber Liability Risk Calculator (FAIR & NIST CSF 2.0 Underwriting)

The only professional Cyber Risk Quantification (CRQ) engine built for US CFOs and risk managers. Model Single Loss Expectancy (SLE) for ransomware, BEC, and PII/PHI breaches using FAIR framework logic. Quantify your cyber insurance underwriting gap, calculate Annual Loss Expectancy (ALE), and simulate the ROI of NIST CSF 2.0 security controls—no email required.

💻 Multi-Threat Cyber Exposure ⚡ Ransomware & Data Breach Costs 📊 Security Control ROI Simulator 📈 Insurance Coverage Gap Analysis ⚖ Compliance & Downtime Impact ✅ No Email Required 📄 Free PDF Export
Select View
💻
Step 1 — Business Profile
💡 Use your latest fiscal year revenue and approximate counts of records and employees. Benchmarks are based on IBM Cost of a Data Breach and industry studies, not your insurer.
$
Last 12 months gross revenue
PII / PHI / PCI records

📊
Cyber Risk Dashboard
Modeled Worst-Case Single Incident
$0
Run the calculator
Annual Loss Expectancy (ALE)
$0
Probability-weighted annual “budget” for cyber risk
Insurance Coverage Gap
$0
Difference between exposure and policy limit
Enter your details and click Calculate. This tool is for planning only, not a quote.
📈
Threat Exposure Breakdown
📋
Detailed Financial Breakdown
MetricValueNotes
No calculation yet.
🎯
Scenario Snapshot
Single Incident
$0
Annual Exposure
$0
Verdict
⚙️

Cyber Insurance Underwriting & FAIR Risk Quantification Logic

This tool utilizes a multi-layered analytical pipeline to transform raw business profile data into a board-ready **Cyber Risk Quantification (CRQ)** estimate, aligned with US insurance carrier underwriting standards for 2026.

1
🏢
Risk Profile
Revenue, industry sector, PII/PHI records, and threat focus
2
🛡️
Security Controls
Modeling mitigation impact via NIST CSF 2.0 & CIS v8
3
📊
Underwriting Gap
Comparing policy limits against Probable Maximum Loss (PML)
4
📜
Regulatory Math
Penalty modeling for HIPAA, CCPA/CPRA, SEC, and GDPR
5
Business Impact
Quantifying downtime revenue loss and productivity disruption

🔬

Cyber Risk Assessment Methodology (NIST 800-53 & CIS Controls)

Our formulas draw from the **FAIR (Factor Analysis of Information Risk)** framework, utilizing actuarial data from the IBM/Ponemon cost of a data breach research and **CISA** threat frequency benchmarks.

🔒
Ransomware & Business Disruption

Models the **Single Loss Expectancy (SLE)** by combining revenue-based ransom demands with business interruption costs for recovery periods (21-28 days avg per Coveware data).

⚠️ Exposure = Ransom Demand + (Daily Revenue × Recovery Days)
📧
Business Email Compromise (BEC)

Wire fraud losses are calculated using **FBI IC3 median loss figures** ($125,000 for SMBs), scaled by organizational revenue and industry-specific threat weighting.

💰 BEC Loss = Baseline Loss × Revenue Multiplier
👤
Insider & Third-Party Risk

Models malicious and negligent insider events using Ponemon benchmarks ($15.38M avg organization cost), scaled proportionally by your reported employee count.

👥 Insider Cost = (Employees / Benchmark) × Industry Factor
📈
Annual Loss Expectancy (ALE)

Using the FAIR framework, we calculate the annual risk budget by multiplying SLE for each threat by its **Annualized Rate of Occurrence (ARO)** derived from Verizon DBIR data.

📊 ALE = ∑ (SLE × ARO) — Mitigated by Security Controls
🛡️
Security Controls Efficiency (NIST CSF)

Reductions from controls (MFA, EDR, Backups) are applied **multiplicatively** rather than additively to maintain actuarial integrity and avoid overestimating control efficacy.

🛡️ Residual Risk = ALE × ∏(1 - Security Control Effectiveness)

📚

US Cybersecurity Benchmarks & Actuarial Data Sources (2025-2026)

Every financial metric and threat frequency estimate is anchored in high-authority, publicly available actuarial data from major US security and regulatory bodies.

Actuarial Data PointOfficial SourceRevision
Cost per Record (US) IBM / Ponemon — Cost of a Data Breach Report 2025. US average record cost: $9.36M total breach impact. 2025
ARO / Threat Frequency Verizon — Data Breach Investigations Report (DBIR) 2025. Analysis of 10,626 confirmed incidents. 2025
Ransomware Severity Coveware — Quarterly Ransomware Report. Median US recovery disruption: 21–28 days. Q4 2024
BEC Financial Loss FBI IC3 — Internet Crime Report 2024. Total US losses exceeding $2.9 Billion. 2024
Regulatory Penalty Schedules HHS OCR (HIPAA); California AG (CCPA/CPRA); SEC (17 CFR 229.106); FTC Safeguards Rule guidelines. Current 2026
Quantitative Standard **Open FAIR™ Standard** (O-RA) for Information Risk Analysis. Quantitative risk modeling baseline. Open Standard

💡

Key Model Assumptions & Cyber Underwriting Limitations

This tool provides **Cyber Risk Quantification** estimates based on industry benchmarks. It is designed for strategic planning, not real-time threat detection.

📊 Benchmark-driven CRQ modeling 💰 2026 Inflation-adjusted cost basis 🏢 Single-entity enterprise risk focus 🔒 Independent incident probability 📈 NIST-mapped control reductions 📜 Statutory max penalty modeling
⚠️
Critical Risk Disclosure
  • This tool does NOT provide a binding cyber insurance quote (requires broker underwriting).
  • Models do not account for zero-day vulnerabilities or specific supply-chain cascading risks.
  • Security control efficacy assumes “Proper Implementation” per NIST CSF 2.0 standards.
⚖️

US Federal Regulatory Penalty Reference (HIPAA, SEC & FTC Safeguards)

This tool models statutory exposure for major US and international frameworks. Below are the current penalty ranges and key thresholds used in our compliance cost estimates.

Regulation Agency Penalty per Violation Annual Statutory Cap
HIPAA HHS OCR $145 – $73,011 $2,190,294
PCI-DSS 4.0 Card Brands $5K – $100K/mo Escalating
CCPA / CPRA CA CPPA & AG $2,628 – $7,884 No Cap
GLBA FTC Up to $46,517/day $100K per Inst.
SEC Rules SEC $1M – $5M $5M+ Caps
GDPR EU DPAs €10M – €20M 4% Turnover

🏥

HIPAA Breach Penalty Tiers (2026 Inflation-Adjusted Rates)

HHS OCR civil monetary penalties updated effective January 2026 under the HITECH Act. These are the exact tier ranges our calculator applies to PHI exposure scenarios.

Tier 1
Did Not Know
$145 – $36,298
Tier 2
Reasonable Cause
$1,461 – $73,011
Tier 3
Willful Neglect
$14,602 – $73,011
Tier 4
Uncorrected Neglect
$73,011+ (Cap $2.19M)

🕔

Federal & State Breach Notification Deadlines (SEC, GDPR & CCPA)

Statutory deadlines directly affect your incident response costs. Faster discovery and notification cycles are required by new 2024-2026 US regulations.

SEC Form 8-K (Public Companies)
⏱ 4 Business Days

Material incidents must be reported within 4 days of determination under SEC Item 1.05 rules.

GDPR Authority Notice
⏱ 72 Hours

Article 33 requires notification to DPAs without undue delay, and no later than 72 hours.

FTC Safeguards Rule (GLBA)
⏱ 30 Days

Financial institutions must notify the FTC within 30 days of discovering a breach affecting 500+ records.

State Breach Notification Laws
⏱ 30 – 90 Days

Varies by state (e.g., Colorado/Florida: 30 days). All 50 states now have active notification statutes.

🚨

5 US Cyber Incident Case Studies: Ransomware Impact & Cost Recovery

These are not hypothetical scenarios. Each case below is a documented US cyber incident involving **SEC reporting**, **regulatory enforcement**, and massive **class-action settlements**. Use these to benchmark your probable maximum loss (PML) estimates.

1
Change Healthcare — PHI Ransomware & Supply Chain Risk
🏥 Healthcare Sector 📅 2024 Incident 🔒 ALPHV/BlackCat Ransomware
Risk Level

In early 2024, a ransomware attack on Change Healthcare disrupted claims processing for nearly the entire US provider network. This incident demonstrated the **Cascading Risk** inherent in healthcare SaaS dependencies, leading to billions in liquidity advances.

Total Recovery Cost
$2.87B+
PHI Records Exposed
190M
System Downtime
45+ Days
Ransom Payment
$22M
🔒
Root Cause: MFA Failure

Compromised credentials on a Citrix remote portal that lacked multi-factor authentication (MFA). A single password leak facilitated full network lateral movement.

💰
Financial Liability Breakdown

Direct costs reached $2.87B, including IT forensics, provider financial assistance, and the largest **HIPAA violation investigation** in HHS history.

⚖️
Regulatory & Legislative Fallout

Triggered multiple Congressional hearings and proposals to mandate cybersecurity standards for any healthcare entity receiving federal CMS funding.

💡
CRQ Lesson: MFA Risk Reduction

Our calculator models a ~30% risk reduction when MFA is toggled. For Change Healthcare, this $2.87B loss was technically preventable with a basic identity control on a single remote portal.

2
MGM Resorts — Social Engineering & Vishing Attack
🎲 Hospitality/Gaming 📅 Q3 2023 🔒 Scattered Spider (Social Eng)
Risk Level

Attackers utilized a “Vishing” (Voice Phishing) call to an IT help desk to reset MFA credentials. This resulted in an operational shutdown of the Las Vegas Strip, highlighting **Business Interruption (BI)** severity.

Operational Loss
$100M+
Cyber Insurance Claim
Under Review
Ransom Payment
$0
📞
Root Cause: Vishing

Attacker impersonated an employee via phone. By leveraging LinkedIn data, they convinced a help desk agent to reset MFA tokens, bypassing technical controls.

⚖️
SEC Form 8-K Disclosure

MGM filed detailed disclosures under the new **SEC Cyber Rules**, reporting a $100 million negative impact on EBITDAR for the third quarter of 2023.

3
T-Mobile — FCC Enforcement & Repeat Breach Penalties
📱 Telecom Sector 📅 2021–2024 🔒 Multiple API/System Exploits
Risk Level

A series of breaches culminated in a landmark **FCC Consent Decree**, forcing the company to invest hundreds of millions into Zero Trust architecture and data minimization.

Class-Action Settlement
$350M
FCC Civil Penalty
$15.75M
Mandatory Cyber Spend
$165M+
4
MOVEit Transfer — Zero-Day SQL Injection & Mass Exfiltration
💻 SaaS Supply Chain 📅 2023 Zero-Day 🔒 Clop Ransomware (SQLi)
Risk Level

The exploitation of a zero-day vulnerability in MOVEit file transfer software affected over 2,700 organizations, proving that **Third-Party Risk** is a primary driver of Annual Loss Expectancy (ALE).

Total Organizations Impacted
2,770+
Records Exfiltrated
95M+
5
Equifax — Statutory Penalties & Consumer Restitution
🏦 Financial Services 📅 Legacy Benchmark 🔒 Unpatched Web Exploit
Risk Level

A failure to patch a known Apache Struts vulnerability led to the exposure of 147 million Americans’ Social Security Numbers, resulting in the gold-standard example of **Regulatory Compliance Overlap** costs.

FTC/Multi-State Settlement
$575M
Total Breach Cost
$1.4B+

📊

Cyber Insurance Claim Analysis: Cross-Case Comparison

Analyzing the common denominators in US cyber insurance claims reveals that unpatched systems and identity failures drive **~80% of total loss magnitude**.

US Cyber Incident Primary Attack Vector Total Financial Loss Critical Control Gap
Change Healthcare Ransomware (ALPHV) $2.87B+ MFA Implementation
MGM Resorts Vishing / Social Eng. $100M+ Security Awareness Training
T-Mobile API Vulnerability $531.5M Data Minimization / Zero Trust
Equifax Apache Struts Exploit $1.4B+ Patch Management Lifecycle

💡

5 Expert Strategies to Lower Cyber Insurance Premiums & Residual Risk

Actionable strategies from CISOs and insurance underwriters. These controls align with **CISA** and **NIST** benchmarks to reduce your **Annual Loss Expectancy (ALE)** and improve policy eligibility for 2026.

Identity-First Security: MFA + EDR Deployment
Underwriting Priority #1 (Carrier Mandate)
⚡ CISA Secure Our World 🛡️ Mandatory Control

In 2026, US insurers view **Multi-Factor Authentication (MFA)** and **Endpoint Detection & Response (EDR)** as the “seatbelts” of cybersecurity. Policies are increasingly denied or subject to massive surcharges if these two controls are not implemented across 100% of the environment.

✅ Do This (Underwriting Best Practice)
  • Enforce phishing-resistant MFA (FIDO2/WebAuthn) on all remote access and cloud admin portals.
  • Deploy EDR/XDR with 24/7 Managed Detection (MDR) to satisfy “Active Monitoring” clauses.
❌ Avoid This
  • SMS-only MFA (vulnerable to SIM-swapping/MGM-style social engineering).
  • Legacy signature-based Antivirus (fails “modern threat” underwriting criteria).
📊
CRQ Modeling Impact

Toggling these two controls reduces your modeled **Annual Loss Expectancy (ALE)** by ~47% in this calculator, reflecting the actuarial efficacy of identity-first security.

2
Policy Sizing: Using ALE to Determine Coverage Limits
CFO & Risk Manager Strategic Alignment
📊 FAIR Methodology 🏛️ Board-Level Reporting

Avoid the “Gut Feeling” approach to insurance. Use the **Annual Loss Expectancy (ALE)** produced by this calculator to justify your aggregate policy limit to the board of directors.

1
Quantify Probable Maximum Loss (PML)

Your aggregate limit should cover at least 1.5x your worst-case single incident estimate.

2
Validate the Underwriting Gap

Enter your current policy limits in Step 3 to identify the dollar-amount gap in your transfer strategy.

3
Ransomware Resiliency: The 3-2-1-1 Backup Standard
Business Continuity & Disaster Recovery (BCDR)

Tested, **Immutable Backups** are the single most effective control for lowering Ransomware Loss Magnitude. Insurers now specifically ask for “air-gapped” or “immutable” verification during the renewal process.

✅ The 3-2-1-1 Rule
  • 3 Copies of Data | 2 Different Media | 1 Offsite | 1 Immutable Copy.
📊
Financial Impact

Tested backups reduce downtime costs by an average of 75% in our model, significantly narrowing your **Business Interruption (BI)** exposure.

4
Translate Vulnerabilities into Financial Exposure ($$$)
CISO to Board Communication Strategy

Boards respond to **Cyber Risk Quantification (CRQ)**, not technical jargon. Present your security roadmap as a financial ROI calculation using the delta between “Unmitigated” and “Mitigated” ALE.

CFOs don’t care about CVSS scores; they care about how a $200k security investment reduces a $2M annual loss expectancy. Use dollars to speak the language of the business.
— US Cyber Underwriting Guidance (2026)
5
NIST CSF 2.0 Roadmap: Phased Risk Mitigation
Continuous Risk Improvement Lifecycle

Avoid “Panic-Buying” tools before renewal. Implement a phased roadmap aligned with the **NIST Cybersecurity Framework 2.0** baseline to prove consistent “Duty of Care” to regulators and insurers.

Q1
Identify & Protect

Asset Inventory + MFA + EDR + Immutable Backups.

Q2
Detect & Respond

SIEM/SOC Integration + Incident Response (IR) Tabletop Exercises.


📈

Security Control ROI: Estimated Financial Impact of Implementation

Organizations that align with the expert strategies above typically realize these quantified improvements in their risk and insurance profiles.

💰
70% ALE Drop
Reduction in Annual Loss Expectancy when all 10 NIST-mapped controls are implemented.
🛡️
10–25% Savings
Average reduction in cyber insurance premiums for businesses with “Underwriter-Ready” documentation.
75% Faster RTO
Reduction in system downtime duration with tested immutable backups vs. legacy recovery methods.

Cyber Liability & Data Compliance FAQ: Underwriting, Claims & CRQ Logic

32 expert-verified answers covering everything from what cyber insurance costs to how breach notification laws work, what this calculator measures, and how to qualify for better coverage in 2026.

Cyber Insurance Fundamentals: First-Party vs. Third-Party Coverage

8 Questions
  • Cyber liability insurance is a financial risk transfer product that reimburses your business for costs arising from cyber incidents — data breaches, ransomware attacks, business email compromise, and regulatory investigations. It typically covers first-party costs (forensics, data restoration, business interruption, ransom payments, notification) and third-party liability (lawsuits, regulatory fines, settlements).

    Every business that stores customer data, processes payments, uses email, or operates online faces cyber risk. In 2026, 43% of cyberattacks target small businesses, and the average cost of a data breach for companies with fewer than 500 employees is over $3.3 million. Cyber insurance doesn’t replace good security, but it ensures a single incident doesn’t bankrupt the business.

    Calculator Tie-In: Enter your business details in Step 1 and toggle your security controls in Step 2. The “Worst-Case Single Incident” figure shows the financial exposure cyber insurance would need to cover.
  • Median annual premiums by company size in 2026:

    • 1–10 employees: $500–$2,000/year
    • 11–50 employees: $1,500–$6,000/year
    • 51–250 employees: $6,000–$25,000/year
    • 250+ employees: $25,000–$500,000+/year

    For businesses under $10M in revenue, the median annual premium is approximately $1,740 in 2026, down from $2,100 in 2024 — the first meaningful rate decrease since the market hardened in 2020. However, premiums vary significantly based on your industry, revenue, record count, security posture, and claims history. Healthcare organizations and financial services companies typically pay 2–3x the median.

  • Typically Covered:

    • Data breach notification and credit monitoring costs
    • Forensic investigation and incident response
    • Ransomware payments and negotiation costs
    • Business interruption / loss of income during downtime
    • Legal defense, settlements, and regulatory fines
    • Public relations and crisis management
    • Data restoration and system recovery
    • Social engineering / wire transfer fraud (with sublimit)

    Common Exclusions:

    • Pre-existing known vulnerabilities you failed to patch
    • Breaches caused by end-of-life / unsupported software (new in 2026)
    • Acts of war / state-sponsored attacks (war exclusion clauses)
    • Infrastructure failures (power outages, ISP downtime)
    • Losses from failure to maintain minimum security controls
    • Bodily injury or property damage (covered by general liability)
    • Reputational damage beyond covered PR costs
    Important 2026 Change: Many carriers now add “Unsupported Software Exclusions.” If you’re breached because you run Windows Server 2012 or other unpatched end-of-life systems, the claim may be denied.
  • First-party coverage reimburses your direct costs: forensics, data restoration, ransom payments, business interruption, notification, and crisis PR. It protects your own balance sheet.

    Third-party coverage pays for other people’s claims against you: lawsuits from customers whose data was breached, regulatory fines from agencies like HHS or the FTC, contractual liability to business partners, and payment card industry (PCI) fines and assessments.

    Most standalone cyber policies bundle both. However, cyber endorsements added to general liability policies typically have very low aggregate limits ($25,000–$50,000) and may only cover third-party liability, leaving your first-party costs uncovered. Always purchase a standalone cyber policy from a carrier rated A- or better by A.M. Best.

  • Almost certainly not adequately. Most general liability policies explicitly exclude electronic data and cyber events. Some Business Owner’s Policies (BOPs) offer a small cyber endorsement, but coverage is typically capped at $25,000–$50,000 — a fraction of the $200,000+ average breach cost for small businesses.

    A standalone cyber liability policy provides $1M+ in coverage, a dedicated breach response team, 24/7 claims hotlines, and pre-approved vendor panels for forensics, legal, and PR. The price difference between a BOP endorsement and a proper standalone policy is often just a few hundred dollars per year.

  • Your policy limit should be based on quantified risk exposure, not industry averages or broker defaults. Follow this framework:

    • Step 1: Run this calculator with your real business data to find your “Worst-Case Single Incident” cost
    • Step 2: Set your aggregate policy limit to at least 1–2× that worst-case figure
    • Step 3: Check sublimits — ransomware, social engineering, and business interruption often have lower sublimits than the headline aggregate
    • Step 4: Enter your policy details in Step 3 of this calculator to see if a coverage gap exists

    Common mistake: buying a $1M policy when your modeled worst case is $4M. That’s not insurance — that’s a down payment on a catastrophe.

  • Yes, in most cases. Standard cyber policies cover breaches caused by employee negligence, including clicking phishing links, misconfiguring cloud storage, accidentally emailing sensitive data, or falling for social engineering scams. Employee-caused incidents are among the most common claim triggers.

    However, coverage may be denied if the insurer determines you lacked reasonable controls (e.g., no security awareness training, no email filtering, no MFA) that could have prevented the incident. Intentional acts by employees (insider threats acting maliciously) may be handled differently — check your policy’s “dishonest acts” or “crime” exclusion.

  • Carriers frequently recommended by brokers, Reddit communities, and industry reports for SMB cyber coverage include:

    • Coalition — Tech-forward underwriting, free security monitoring, popular with startups
    • At-Bay — Strong SMB focus, risk-based pricing, active security scanning
    • CFC Underwriting — Global carrier with robust SMB cyber product
    • Hiscox — Well-known small business insurer with competitive cyber policies
    • Hartford Steam Boiler (HSB / Munich Re) — Strong for technology and IoT risks
    • Corvus — Data-driven, AI-powered risk assessment

    Always verify the carrier has an A.M. Best rating of A- or better (financial strength). Compare at least 3 quotes before binding coverage. Use an independent broker who works with multiple carriers, not a captive agent.

💰

Risk Mitigation & Premium Optimization: Qualifying for Underwriting

6 Questions
  • The 2026 application process has evolved into what insurers call a “technical audit.” Most carriers now require proof of these minimum controls before issuing coverage:

    • Multi-Factor Authentication (MFA) on email, VPN, remote access, admin portals, and cloud applications — SMS-only MFA may no longer qualify
    • Endpoint Detection & Response (EDR/XDR) centrally managed across all devices
    • Tested, immutable backups with documented recovery procedures
    • Email security with anti-phishing, DMARC/DKIM/SPF, and inbound link scanning
    • Patch management with SLAs (critical patches within 14–30 days)
    • End-of-life software removal — no unsupported operating systems or applications
    • Security awareness training for all employees (at least annually)
    • Privileged Access Management (PAM) — separate admin accounts, least-privilege enforcement
    Calculator Tie-In: Every control above maps to a toggle in Step 2 of this calculator. Enabling each one reduces your modeled ALE and mirrors what the insurer evaluates on your application.
  • Increasingly difficult. As of 2026, approximately 80% of cyber insurance carriers list MFA as a hard requirement — meaning your application will be declined if you cannot demonstrate MFA is enforced on email, VPN, and all remote access. Some carriers offer a 60–90 day grace period to implement MFA after binding, but this is becoming rare.

    If you don’t have MFA yet, implement it before starting the insurance application process. Authenticator app-based MFA (Microsoft Authenticator, Google Authenticator) can be deployed across most environments in 1–2 weeks.

  • Insurers price policies based on risk. Demonstrable security maturity directly lowers your premium by 10–25%. Specific actions:

    • Implement all 10 security controls in this calculator’s Step 2 and document them
    • Conduct annual penetration testing and share the report with your broker
    • Adopt a recognized security framework (NIST CSF 2.0 or CIS Controls)
    • Maintain a written Incident Response Plan with defined roles and tested annually via tabletop exercises
    • Increase your deductible (higher deductible = lower premium, but more out-of-pocket in a claim)
    • Demonstrate a clean claims history
    • Compare at least 3 carriers at every renewal — pricing varies significantly
    • Start the renewal process 60–90 days early so you’re not pressured into accepting a higher quote
  • Modern applications are 8–12 pages of technical questions. Common areas include:

    • Is MFA enforced on all remote access, email, and admin accounts?
    • Do you use EDR/XDR on all endpoints?
    • Do you have immutable offline backups tested within the last 90 days?
    • What is your patch management cadence for critical vulnerabilities?
    • Do you run any end-of-life operating systems or software?
    • Do you encrypt data at rest and in transit?
    • Do you use a Security Information and Event Management (SIEM) or 24/7 monitoring?
    • What is your annual security awareness training frequency?
    • Do you have a documented, tested incident response plan?
    • Do you have network segmentation between operational and IT networks?
    • How many records containing PII, PHI, or financial data do you store?
    • What is your annual revenue?
    • Have you experienced a cyber incident in the past 3 years?
    Pro Tip: Use this calculator to prepare for these questions. Every toggle in Step 2 corresponds to a question the insurer will ask. If you can’t answer “yes” to a toggle, you probably can’t answer “yes” on the application either.
  • Yes, and this is one of the most common reasons claims are denied. If you stated on your application that MFA is enforced everywhere but the breach investigation reveals MFA was not enabled on the compromised account, the insurer can void the claim — and potentially the entire policy — for material misrepresentation.

    In 2024–2025, claim denial rates for misrepresentation reached approximately 15–20%. Always answer application questions truthfully. If a control is partially implemented, say so. A policy with an accurate assessment of your security posture is infinitely more valuable than a cheaper policy based on false answers that won’t pay out when you need it.

  • Yes. Carriers view a documented, tested incident response plan as a strong signal of security maturity. According to IBM’s Cost of a Data Breach Report, organizations with a tested IR plan save an average of $2.66 million per breach compared to those without one. Insurers know this data and price accordingly.

    The key word is “tested.” A plan that sits in a SharePoint folder untouched since 2022 doesn’t count. Conduct at least one tabletop exercise per year where key stakeholders (CEO, legal, IT, comms) walk through a realistic breach scenario. Document the results and share the summary with your broker.

⚖️

US Regulatory Compliance: Data Breach Notification Laws & Statutory Fines

7 Questions
  • No — not a single comprehensive federal law. The US uses a patchwork approach. There are 50 separate state breach notification laws, plus sector-specific federal rules: HIPAA (healthcare), GLBA (financial services), FERPA (education), and the SEC’s 2023 cyber disclosure rule (public companies).

    This means a single breach can trigger notification obligations under multiple state laws simultaneously — each with different timelines, definitions, and requirements. If you have customers in California, New York, Florida, and Texas, you must comply with four different sets of rules for the same incident.

    Key Timelines (2026): 20 states specify numeric deadlines: California, Colorado, Florida, New York, and Washington require notification within 30 days. Alabama, Arizona, Ohio, Oregon require 45 days. Texas, Connecticut, and Delaware allow 60 days. The remaining states use “without unreasonable delay.”
  • The Health Insurance Portability and Accountability Act (HIPAA) governs how Protected Health Information (PHI) is stored, transmitted, and disclosed. It applies to healthcare providers, health plans, clearinghouses, and their business associates (any vendor that touches PHI on their behalf).

    HIPAA requires:

    • Annual security risk analysis and ongoing risk management
    • Encryption of PHI in transit and at rest
    • Business associate agreements (BAAs) with all vendors
    • Employee HIPAA training at least annually
    • Breach notification to HHS within 60 days for breaches of 500+ individuals, or annually for smaller breaches
    • Notification to affected individuals and media (for 500+ individual breaches in a state)

    HIPAA penalties range from $100 to $2.1 million per violation category, with a calendar-year cap of $2.1 million per identical violation. The Change Healthcare breach in 2024 prompted Congress to consider removing that cap entirely.

  • The Payment Card Industry Data Security Standard (PCI DSS) applies to any business that accepts, processes, stores, or transmits credit card data. PCI DSS 4.0 (effective since March 2024) requires MFA for all access to the cardholder data environment, encryption everywhere, regular vulnerability scanning, and strong access controls.

    If you experience a breach and are found non-compliant with PCI DSS at the time of the incident, consequences include:

    • Fines of $5,000–$100,000 per month until compliance is achieved
    • Increased transaction processing fees or loss of card processing privileges
    • Mandatory forensic investigation at your expense ($20,000–$200,000+)
    • Liability for fraudulent charges made with stolen card data
    • Card brands (Visa, Mastercard) can fine your acquiring bank, which passes the fines to you

    Cyber insurance can cover PCI fines and assessments, but only if your policy explicitly includes PCI coverage — check the policy wording.

  • Since December 2023, the SEC requires all publicly traded companies to disclose material cybersecurity incidents on Form 8-K within 4 business days of determining materiality (Item 1.05). Companies must also disclose board-level cyber governance and risk management practices in annual 10-K filings.

    If your company is private, the SEC rule doesn’t apply directly. However, if you are a vendor or service provider to public companies, your clients may now contractually require you to have incident notification procedures, cyber insurance, and security controls that align with their SEC obligations.

  • Yes, in most states and sectors. The specific requirements depend on what data was compromised and where your customers are located:

    • State Attorney General: 47 of 50 states require notification to the AG or a designated state agency, typically when 500+ residents are affected
    • HHS (HIPAA): Mandatory for any breach of protected health information
    • SEC (Public Companies): 8-K filing within 4 business days of materiality determination
    • FBI IC3: Recommended (not required) for all cyber crimes — especially ransomware, BEC, and wire fraud. FBI’s recovery asset team has a 71% success rate in freezing fraudulent wires
    • Credit Reporting Agencies: Required when 1,000+ individuals are notified in most states
    • FTC: Required for entities covered by the Health Breach Notification Rule (non-HIPAA health apps and devices)
  • The California Consumer Privacy Act (CCPA), amended by the California Privacy Rights Act (CPRA) effective January 2023, gives California residents strong data rights and creates a private right of action for data breaches. This means individual consumers can sue your business directly — without waiting for the Attorney General to act.

    Statutory damages range from $100–$750 per consumer, per incident. For a breach affecting 50,000 California residents, that’s a potential exposure of $5M–$37.5M in statutory damages alone — before legal fees, notification costs, and regulatory fines.

    CCPA/CPRA applies to for-profit businesses that collect California residents’ data and meet any one of these thresholds: annual gross revenue over $25M, buy/sell/share personal information of 100,000+ consumers, or derive 50%+ of revenue from selling personal information.

  • Yes, if you handle EU residents’ personal data. GDPR has extraterritorial reach — it applies to any organization worldwide that offers goods or services to, or monitors the behavior of, individuals in the EU/EEA. Having a US-based website that accepts orders from EU customers can trigger GDPR obligations.

    GDPR fines can reach up to 4% of global annual revenue or €20 million, whichever is higher. Additionally, GDPR requires breach notification to the relevant Data Protection Authority within 72 hours — one of the tightest timelines globally. Your cyber insurance policy should cover GDPR regulatory proceedings if you have any EU exposure.

📊

CRQ Methodology: How the FAIR-Based Risk Calculator Works

6 Questions
  • This calculator uses a FAIR-based (Factor Analysis of Information Risk) quantitative model. FAIR is the only international standard (OpenFAIR) for quantifying information risk in financial terms. The model calculates:

    • Single Loss Expectancy (SLE): The estimated cost of a single cyber incident, based on your industry per-record cost, record count, revenue-based multipliers, and downtime assumptions
    • Annual Rate of Occurrence (ARO): The estimated probability of one or more incidents per year, based on industry threat frequency, company size, and data sensitivity
    • Annual Loss Expectancy (ALE): SLE × ARO — the annualized expected cost of cyber risk
    • Control Effectiveness: Each security control reduces the ALE by an empirically-calibrated percentage, applied multiplicatively (not additively)

    The model uses per-record breach cost data from IBM/Ponemon, industry benchmarks from Verizon DBIR, and control effectiveness data from NIST, CIS, and actuarial sources.

  • ALE = Single Loss Expectancy × Annual Rate of Occurrence. It represents the average annual financial impact of cyber risk for your business. Think of it like an actuarial calculation — not every year will you suffer a breach, but over a long enough period, the average annual cost converges to the ALE.

    ALE matters because it gives you a dollar figure to benchmark everything else against:

    • If your ALE is $480,000 and a security control costs $50,000/year but reduces ALE by 30% ($144,000), the ROI is obvious
    • If your cyber insurance premium is $5,000/year and your ALE is $480,000, the insurance is an obvious purchase
    • If your policy limit is $500,000 but your worst-case single incident is $2M, you’re significantly underinsured
  • The per-record cost benchmarks in this calculator are derived from:

    • IBM / Ponemon Institute Cost of a Data Breach Report — The industry-standard annual study analyzing 604+ real breach investigations globally. Per-record costs vary by industry (healthcare: $10.93, financial services: $6.08, technology: $5.45)
    • Verizon Data Breach Investigations Report (DBIR) — Provides incident frequency, attack vector distribution, and threat landscape data from 30,000+ real incidents
    • NetDiligence Cyber Claims Study — Analyzes actual cyber insurance claims, providing real-world payout data by company size, industry, and incident type

    All data sources are cited in the Data Sources & Compliance section of this calculator with direct links to the original reports.

  • This calculator provides a directional estimate using industry benchmarks and the FAIR methodology. It’s designed for initial risk awareness, insurance sizing conversations, and board-level communication — not to replace a professional risk assessment.

    A professional assessment (typically $15,000–$75,000 for SMBs) would include:

    • Detailed asset inventory and data mapping specific to your environment
    • Threat modeling tailored to your industry and threat landscape
    • Control testing (penetration testing, vulnerability scanning, configuration audits)
    • Monte Carlo simulation producing probability distributions rather than point estimates

    For most small and mid-market businesses, this calculator’s output is sufficient to make informed insurance purchasing decisions, prioritize security spending, and communicate risk to leadership. Use it as a starting point, then refine with a professional assessment as your security program matures.

  • If MFA reduces risk by 30% and EDR reduces risk by 25%, the combined reduction is not 55%. Instead, MFA reduces the baseline by 30% (leaving 70%), and EDR reduces that remaining 70% by 25% (removing another 17.5%), for a combined reduction of 47.5%.

    This multiplicative model reflects reality: security controls work in layers. Each layer reduces the residual risk left over after the previous layers, not the original baseline. This prevents the mathematical impossibility of adding up to 100%+ reduction and accurately models how defense-in-depth actually functions.

  • No. All calculations run entirely in your browser using client-side JavaScript. No data is sent to any server, stored in any database, or shared with any third party. When you close the browser tab, your inputs are gone. The PDF export is also generated locally in your browser — the report never touches a server.

🔒

Incident Response (IR) Strategy: Ransomware Recovery & Forensic Analysis

5 Questions
  • The FBI and CISA strongly recommend against paying ransoms. Here’s why:

    • Payment does not guarantee data recovery — only 65% of data is recovered on average after payment
    • Paying funds criminal organizations and incentivizes future attacks
    • Paying may violate OFAC sanctions if the threat actor is in a sanctioned country (Russia, North Korea, Iran), exposing you to federal penalties
    • Companies that pay are 80% more likely to be attacked again

    However, the decision is complex. If you have no backups, the business faces bankruptcy, and lives are at risk (healthcare), payment may be the least-bad option. This is exactly why tested immutable backups are the most important control — they make the decision to not pay easy.

    If you are under active attack: Contact the FBI’s IC3 immediately. Also call your cyber insurance carrier’s 24/7 breach hotline — they have pre-negotiated rates with forensic firms and ransomware negotiators.
  • Most policies do, with conditions. Ransomware coverage typically includes the ransom payment itself, negotiation costs, forensic investigation, data restoration, and business interruption during the recovery period. However, critical conditions apply:

    • You must contact the insurer before paying — unauthorized payments may not be reimbursed
    • The insurer will usually engage a professional negotiator who often reduces the demand by 40–60%
    • Payment to OFAC-sanctioned entities may void coverage
    • Some policies have ransomware sublimits that are lower than the overall aggregate
    • If you misrepresented your backup or MFA status on the application, the claim can be denied
  • The first 24 hours are critical. Follow this sequence:

    • Hour 0–1: Contain the incident. Isolate affected systems (disconnect from network, but do NOT power off — forensic evidence lives in RAM). Do not wipe or reimage anything yet
    • Hour 1–2: Call your cyber insurance carrier’s 24/7 breach hotline. They will assign a breach coach (attorney), forensic firm, and crisis PR firm from their pre-approved panel
    • Hour 2–4: Engage the assigned forensic team. Report to the FBI’s IC3 if ransomware or wire fraud is involved
    • Hour 4–12: Begin evidence preservation and scope assessment. Determine what data was accessed. Start legal notification timeline analysis (which state laws apply?)
    • Hour 12–24: Communicate internally (C-suite, legal, HR). Draft initial holding statements. Do NOT make public statements until forensics has initial findings
    Critical Mistake to Avoid: Do not engage your own IT team to “fix” things before forensics arrives. Well-intentioned cleanup destroys evidence, makes the investigation harder, and can give the insurer grounds to reduce the payout.
  • Recovery timelines vary significantly based on the attack type, your preparedness, and whether backups are available:

    • Ransomware (with tested backups): 3–7 days to restore critical operations
    • Ransomware (without backups or untested): 21–28 days average, with some taking 60+ days
    • Data breach / exfiltration: Operational recovery in days, but legal/notification process takes 3–6 months
    • Business Email Compromise: Immediate financial loss, but operational impact is usually minimal
    • Full identity of breach scope: Average of 204 days to detect + 73 days to contain (IBM 2024)

    Business interruption coverage in your cyber policy covers lost income during this recovery period — but check the waiting period (deductible expressed in hours, typically 8–12 hours before coverage kicks in) and the indemnity period (maximum duration of coverage, typically 120–365 days).

  • According to the latest IBM / Ponemon research, the global average cost of a data breach in 2024 was $4.88 million. However, costs vary dramatically by company size and industry:

    • Small businesses (<500 employees): Average breach cost is approximately $3.3 million
    • Healthcare: Highest per-record cost at $10.93/record — the most expensive industry for 14 consecutive years
    • Financial services: $6.08/record
    • Technology: $5.45/record
    • Retail: $3.91/record

    These figures include direct costs (forensics, notification, legal) and indirect costs (business interruption, customer churn, reputational damage). For a small business with 50,000 customer records in healthcare, this calculator would model a worst-case incident of approximately $546,500 — which aligns closely with real-world small healthcare breach costs.

    Calculator Tie-In: Enter your industry in Step 1. The calculator automatically applies the correct per-record cost benchmark for your sector, so your output reflects industry-specific exposure, not a generic average.