Security Breach Exposure.
A board-readable estimate of your financial blast radius from a major breach. Six inputs: records at risk, regulated fraction, notification cost per record, expected legal/PR cost, downtime cost per day × likely days, annual probability. Output: expected annual loss + worst-case single-event loss.
Your inputs
Use the IBM Cost of a Data Breach Report as a sanity check on your per-record assumption. Sector severity scales the regulated-record multiplier.
The math, openly
Notification component = records × regulatedFrac × perRecord × sectorSeverity
Legal/PR component = legal × sectorSeverity
Downtime component = downtimeCostPerDay × likelyDays
Worst-case single event = notification + legal/PR + downtime — the loss IF a breach happens.
Expected annual loss = worstCase × annualProbability — what you'd budget on an actuarial basis.
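The five formulas above written out in Python, as an added example that is not the calculator's own code. The input values are constructed for illustration, and the `sector_severity` multiplier and the range checks are assumptions about how a practitioner would wire the inputs.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class BreachInputs:
    """The six board-level inputs plus the sector severity multiplier."""
    records: int                 # records at risk
    regulated_frac: float        # fraction of records under a notification regime, 0..1
    per_record: float            # notification cost per regulated record
    legal: float                 # expected legal/PR cost for one event
    downtime_cost_per_day: float
    likely_days: float           # expected days of outage for one event
    annual_probability: float    # chance of a major breach in a year, 0..1
    sector_severity: float = 1.0  # assumption: 1.0 = baseline, >1 for regulated sectors


def validate(i: BreachInputs) -> None:
    """Reject inputs that would silently produce nonsense (negative or >100% fractions)."""
    for name in ("regulated_frac", "annual_probability"):
        v = getattr(i, name)
        if not 0.0 <= v <= 1.0:
            raise ValueError(f"{name} must be between 0 and 1, got {v}")
    for name in ("records", "per_record", "legal", "downtime_cost_per_day",
                 "likely_days", "sector_severity"):
        if getattr(i, name) < 0:
            raise ValueError(f"{name} must be non-negative")


def worst_case_components(i: BreachInputs) -> dict:
    """Loss IF a breach happens, broken out exactly as the page's three components."""
    validate(i)
    notification = i.records * i.regulated_frac * i.per_record * i.sector_severity
    legal_pr = i.legal * i.sector_severity
    downtime = i.downtime_cost_per_day * i.likely_days  # not scaled by sector
    return {
        "notification": notification,
        "legal_pr": legal_pr,
        "downtime": downtime,
        "worst_case": notification + legal_pr + downtime,
    }


def expected_annual_loss(i: BreachInputs) -> float:
    """Worst case weighted by the annual probability: the actuarial budget line."""
    return worst_case_components(i)["worst_case"] * i.annual_probability


# Constructed sample: 400k records, a quarter regulated, $150 per record, $500k legal/PR,
# $25k/day for 4 days, 10% annual probability, sector severity 1.2.
SAMPLE = BreachInputs(400_000, 0.25, 150.0, 500_000.0, 25_000.0, 4.0, 0.10, 1.2)

if __name__ == "__main__":
    print(worst_case_components(SAMPLE))        # worst_case: 18,700,000.0
    print(expected_annual_loss(SAMPLE))         # 1,870,000.0
```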
Cyber-insurance carriers will use a more granular model. This is meant for the conversation BEFORE the underwriter call — translating "we should probably patch that" into "annual exposure is mid-six-figures, here's the math." Not a substitute for a quantitative risk assessment. Per the standing public-language guardrail, this is a posture/readiness calculator, not an attestation.