How to quantify cyber risk
You know you need cyber insurance. What you don’t know is how much coverage you actually need.
Choosing an indemnity limit without rigorous analysis, because “100k sounds reasonable” or “1M is what a similar company has,” means making a critical decision without truly understanding your financial exposure to risk. There may be no immediate consequences, but in the event of an incident, the differences between an arbitrary estimate and a well-calculated coverage can be substantial.
In this post we will explain how to truly quantify cyber risk, what tools exist to estimate potential losses, and how to translate it all into a concrete financial decision: what coverage limit you need so you are neither underinsured nor over-insured.
And the best part: you don’t have to do it alone. At Axyom, we help startups and SMEs set their indemnity limit using data, risk models, and sector benchmarking. Because making decisions with numbers is better than making decisions driven by fear.
Why put a number on risk
Most leadership teams already know that cyber risk is real. What many have not yet done is put a price on it. And that has consequences: without quantification, the problem is underestimated, investment is made blindly, and insurance is purchased that protects against too little… or too much.
Quantifying risk allows you to:
- Speak the language of business: euros, not technical jargon.
- Allocate budget with purpose: invest where the risk is most expensive.
- Negotiate insurance from a position of strength: with data in hand, not guesswork.
- Demonstrate due diligence: because regulators and boards already demand risk-based decisions.
Qualitative vs. quantitative: the leap that makes the difference
Qualitative assessments classify risks on scales such as high, medium, or low. They are quick, inexpensive, and subjective. Quantitative assessments, on the other hand, express them in euros. They are more costly but allow strategic decisions to be made on solid ground. Measuring in euros changes the game. You cannot set a serious indemnity limit if you do not know how much an attack could cost you.
How cyber risk is quantified
There are several approaches. Some are quick and indicative. Others are thorough and defensible before auditors. At Axyom we use a mixed approach that combines methodologies such as:
FAIR (Factor Analysis of Information Risk): a standard framework that breaks down each loss scenario by its frequency and economic impact. It allows you to model risks such as a ransomware attack with GDPR implications or an internal failure that halts operations. At Axyom we have adapted FAIR so it can be applied to SMEs and startups in an agile and automated way, without requiring highly technical profiles.
CyVaR (Cyber Value at Risk): a methodology borrowed from financial risk management that estimates the loss that will not be exceeded with a given probability (for example, 95%) over a specified period, typically one year. The remaining 5% of years are worse than that figure, so a VaR is a threshold, not a worst case. It is especially useful for defining coverage ceilings in companies with consolidated metrics.
Actuarial models and Monte Carlo simulations: these project thousands of possible years by drawing event frequencies and loss sizes from distributions calibrated on historical claims data. The result is a full loss distribution, not just an average: you see the expected annual loss and also the extremes (what could happen in a “really bad year”).
Technical analysis and real threats: we complement the above approaches with a study of each company’s attack surface, evaluating vulnerabilities, public exposure, technology dependencies, and active threats in their sector. This allows us to adjust the models to the reality of the business and the current cybercrime landscape.
How to turn that risk into a sensible indemnity limit
Once you have your annual Value at Risk (for example, 600,000 euros), you can set your insurance limit using different approaches:
- adding a safety margin of 10% to 50% on top of the VaR;
- using a multiple based on revenue or EBITDA;
- comparing with other companies in your sector;
- stress-testing extreme scenarios;
- combining coverage layers with self-retentions.
At Axyom we combine at least two methods so you have a confidence range rather than an arbitrary figure.
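The following Python script is an added example (not Axyom's tooling or any real company's data) that ties the methods above together: each FAIR scenario is calibrated with an event rate and a median/90th-percentile single-event loss, a Monte Carlo run simulates thousands of years, the 95% and 99% Value at Risk are read off the simulated distribution, and the "VaR plus safety margin" method is applied to propose a limit alongside a self-retention. All scenario figures, the 25% margin and the 50,000-euro tranche are assumptions chosen for illustration.

```python
"""Added example: a FAIR-style Monte Carlo estimate of annual cyber loss and a
derived indemnity limit. Scenario parameters are constructed for illustration,
not Axyom's model or any real company's data."""
import math
import random
from dataclasses import dataclass

Z_90 = 1.2816  # standard-normal z-score at the 90th percentile


@dataclass(frozen=True)
class LossScenario:
    """One FAIR loss scenario: how often it happens and how much one event costs."""
    name: str
    events_per_year: float  # Loss Event Frequency, rate of a Poisson process
    loss_median: float      # median cost of one event, in euros
    loss_p90: float         # 90th-percentile cost of one event, in euros

    def lognormal_params(self):
        """Convert the median/p90 calibration into lognormal mu and sigma."""
        mu = math.log(self.loss_median)
        sigma = (math.log(self.loss_p90) - mu) / Z_90
        return mu, sigma


def poisson(rng, rate):
    """Sample an event count for one year (Knuth's method; fine for small rates)."""
    threshold = math.exp(-rate)
    count, product = 0, 1.0
    while True:
        product *= rng.random()
        if product <= threshold:
            return count
        count += 1


def simulate_annual_losses(scenarios, years=20_000, seed=1):
    """Simulate independent years; return the total loss of each simulated year."""
    rng = random.Random(seed)  # fixed seed so the run is reproducible
    params = [(s, *s.lognormal_params()) for s in scenarios]
    totals = []
    for _ in range(years):
        total = 0.0
        for scenario, mu, sigma in params:
            for _ in range(poisson(rng, scenario.events_per_year)):
                total += rng.lognormvariate(mu, sigma)
        totals.append(total)
    return totals


def value_at_risk(losses, confidence):
    """Loss not exceeded in `confidence` of simulated years (empirical quantile)."""
    ordered = sorted(losses)
    index = max(0, math.ceil(confidence * len(ordered)) - 1)
    return ordered[index]


def recommend_limit(var, safety_margin=0.25, tranche=50_000):
    """VaR plus a safety margin for model error, rounded up to the insurer's tranche."""
    return math.ceil(var * (1 + safety_margin) / tranche) * tranche


def assess(scenarios, confidence=0.95, retention=50_000, seed=1):
    """Run the simulation and summarise it as the numbers a coverage decision needs."""
    losses = simulate_annual_losses(scenarios, seed=seed)
    var = value_at_risk(losses, confidence)
    return {
        "expected_annual_loss": sum(losses) / len(losses),
        "var": var,                            # e.g. the 95% VaR
        "var99": value_at_risk(losses, 0.99),  # the "really bad year"
        "retention": retention,                # absorbed by the company per claim
        "limit": recommend_limit(var),         # proposed indemnity limit
    }


# Constructed scenarios for an SME (assumed figures, not a sector benchmark).
EXAMPLE_SCENARIOS = [
    LossScenario("ransomware with business interruption", 0.15, 200_000, 600_000),
    LossScenario("personal data breach with GDPR exposure", 0.10, 150_000, 500_000),
    LossScenario("phishing-led payment fraud", 0.50, 20_000, 80_000),
]

if __name__ == "__main__":
    for key, value in assess(EXAMPLE_SCENARIOS).items():
        print(f"{key:>22}: {value:,.0f}")
```

Two things the output shows that a single "600k sounds right" figure hides: the expected annual loss is far below the 95% VaR because most simulated years have no major event, and the 99% VaR sits well above the 95% figure, which is the tail the safety margin, stress tests and retention decisions are meant to address. Replace the constructed scenarios with ones calibrated on your own attack surface and sector claims data before using the numbers for anything.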
Simplified real-world case
Imagine a technology startup with annual revenue of 10 million euros. It has a presence in several EU countries, manages customer data, and depends almost entirely on its digital systems to operate. It does not have an internal CISO but does have an external IT provider and cloud backups. It has never suffered a serious incident but has experienced phishing attempts and detected critical vulnerabilities.
Applying a simplified FAIR analysis and Monte Carlo simulations, its annual Value at Risk (at a 95% confidence level) is estimated at around 450,000 euros. In an extreme scenario, combining a ransomware attack with a personal data breach and GDPR penalties, losses could scale up to 850,000 euros.
Sector benchmarking indicates that similar companies work with limits between 500,000 and 1,500,000 euros.
Based on all of this, at Axyom we propose coverage of 750,000 euros with a self-retention (deductible) of 50,000. In other words, the company internally absorbs the first 50,000 of any claim, and the insurance comes into play from that threshold onward, covering serious and catastrophic situations.
This figure sits above the 95% Value at Risk with a margin and within the sector range, so it protects the financial balance without over-sizing the insurance. It is worth being explicit about what is still retained: in the 850,000-euro extreme scenario the company would bear the 50,000 retention plus the 100,000 above the limit. That residual exposure should be a conscious decision, not an oversight.
Conclusion: insurance should not be a gamble
Cyber insurance must be a strategic tool, not a blind bet. Quantifying your risk and translating it into an adequate limit can mean the difference between a scare and a catastrophe.
We do it with you
At Axyom we analyze your exposure, model your critical scenarios, and define together the coverage you need. No templates, no guessing. With data, metrics, and experience in cybersecurity policies for companies like yours.
Want to validate your current coverage or start from scratch? Talk to us. Because protecting your company starts with understanding your risk.