Quantifying Cyber Risk in Dollars CFOs Can Defend
- Harshil Shah
- 2 days ago
- 4 min read

A CFO-ready method to turn technical cyber exposure into financial language you can present to the CEO, Audit Committee, and investors—complete with a 90-day rollout plan, formulas, and decision templates.
Audience: CFOs, CAEs, Risk, Audit Chairs • Time to implement: 60–90 days • Dependencies: security, FP&A, legal
“If it doesn’t tie to the P&L or the balance sheet, it won’t survive capital allocation. Cyber is no exception.” — Harshil Shah
Why quantify cyber in dollars
Financial materiality & disclosure: SEC rules require public companies to disclose material cyber incidents on Form 8-K Item 1.05 within four business days of determining materiality and describe the impact on financial condition and results of operations (i.e., dollars).
Budget defensibility: Dollarized risk enables apples-to-apples trade-offs against other initiatives and supports capital allocation, insurance decisions, and control investments.
External benchmarking: IBM’s 2025 Cost of a Data Breach analysis cites a global average breach cost of about USD 4.44M—a useful anchor for sanity checks, not a substitute for your model.
Threat reality check: Verizon’s 2025 DBIR continues to show credential-driven and web-app attacks as dominant patterns, which heavily influence frequency assumptions.
Framework that passes audit: FAIR + NIST, explained in 60 seconds
FAIR (Factor Analysis of Information Risk) is the leading quantitative model for cyber/operational risk. It decomposes loss into frequency and magnitude, then uses probability distributions to estimate expected and tail losses. Use FAIR to produce metrics like Expected Loss, 95th Percentile Loss, and Cyber VaR.
NIST SP 800-30 is the risk assessment guide most boards and auditors recognize. Use it to evidence your process: scope → identify threats/assets → likelihood/impact → communicate risk to decision-makers.
Plain-English formula:
Cyber Risk ($) = Loss Event Frequency × Loss Magnitude ($) (analyzed across scenarios; report both expected and tail outcomes)
The minimum viable dataset (MVD) you actually need
Frequency inputs
Recent incidents (internal + peer set)
Control posture: MFA coverage, PAM, EDR, patch SLAs
Exposure: internet-facing apps/APIs, vendors with privileged access
Identity risks: % users without phishing-resistant MFA
Magnitude inputs (map to financials)
Downtime impact: revenue per hour/day; gross margin
IR/forensics/legal spend rate cards
Regulatory & contractual penalties
Customer churn elasticity & CAC payback for reacquisition
| Loss Category | Examples | Where it hits |
|---|---|---|
| Response costs | Forensics, PR, notifications | Opex (SG&A) |
| Operational disruption | Plant/website downtime, WIP scrap | Revenue, COGS, gross margin |
| Legal/regulatory | Fines, settlements | Below-the-line charges |
| Customer loss | Churn, concessions | Net revenue, CAC payback |
| Third-party impact | Vendor breach pass-through | Working capital, opex |
Step-by-step quantification (repeatable and auditable)
Pick 3–5 scenarios that matter: Ransomware on crown-jewel apps, Credential theft → ERP fraud, Vendor breach → data exfil.
Define the asset + impact window: e.g., “E-commerce checkout outage > 24h in Q4.”
Estimate frequency as a distribution (e.g., 0.2–0.6 events/year) informed by internal incidents and external reports.
Estimate magnitude in four buckets: response cost, downtime loss, legal/regulatory, churn impact. Use ranges—not points.
Run 10k+ simulations (Monte Carlo) to get Expected Loss, VaR@95, and a Loss Exceedance Curve.
Stress test peak period, vendor failure, and delayed detection.
Map to SEC thresholds for potential Item 1.05 8-K triggers (materiality narrative + dollar ranges).
Translate to decisions: accept, mitigate (control), transfer (insurance), avoid (process change).
Review quarterly with CFO/CISO/CAE; update inputs from new incidents and control changes.
Worked example (numbers you can sanity-check)
Illustrative only—replace with your data. Use external studies for bounds; do not lift averages into budgets without scenario context.
Scenario: Ransomware on order-management system (OMS)
| Assumption | Value |
|---|---|
| Frequency (events/yr) | Pert(0.15, 0.35, 0.7) |
| Downtime (hours) | Tri(12, 36, 96) |
| Revenue/hr at risk | $220,000 (30% GM) |
| Response cost | Tri($400k, $650k, $1.1M) |
| Legal/regulatory | Tri($0, $250k, $2.0M) |
| Churn/concessions | Tri($0, $500k, $3.0M) |

| Metric | Result | How to use |
|---|---|---|
| Expected Loss (ALE) | $2.9M / year | Budget anchor for control investments/insurance |
| VaR@95 (one-year) | $11.4M | Capital at risk; informs liquidity/disclosures |
| Loss Exceedance | 20% ≥ $5M, 5% ≥ $10M | Board risk appetite discussion |
Prioritize controls by ROI (risk-reduction ÷ cost)
Quantify the delta between current-state loss and post-control loss, then divide by total cost of ownership (TCO). Rank by Risk-Adjusted ROI.
| Control | TCO (Yr-1) | Effect on Frequency/Magnitude | Δ Expected Loss | Risk-Adj ROI | Status |
|---|---|---|---|---|---|
| Phishing-resistant MFA + PAM hardening | $900k | Frequency −45% for credential paths | $1.6M | 1.8× | Fund |
| Immutable backups + 1h restore runbooks | $600k | Magnitude −35% (downtime reduced) | $1.2M | 2.0× | Fund |
| Cyber insurance uplift | $450k | Transfers tail loss; improves liquidity coverage | $500k | 1.1× | Negotiate |
| SASE + EDR expansion to long-tail devices | $1.4M | Frequency −15%, detection + dwell time ↓ | $800k | 0.57× | Defer |
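The worked ransomware-on-OMS scenario above and the Risk-Adjusted ROI ranking can both be reproduced with a small Monte Carlo model. The following is an added example written for this article, not the author's own workbook: it takes the assumption table as input, runs the frequency × magnitude simulation from the step-by-step section, and re-runs it with a control's frequency or magnitude effect applied to compute Δ Expected Loss ÷ TCO. It assumes that downtime loses gross margin (30% of the $220k/hr) rather than full revenue and that the annual rate feeds a Poisson event count, so its outputs depend on those choices and on the seed and will not match the table to the dollar.

```python
import math
import random

# Scenario inputs copied from the article's assumption table (illustrative, not real data).
FREQ_PERT = (0.15, 0.35, 0.70)                   # events/year as PERT(min, mode, max)
DOWNTIME_TRI = (12, 36, 96)                      # hours as Triangular(min, mode, max)
REVENUE_PER_HOUR, GROSS_MARGIN = 220_000, 0.30   # assumption: downtime loses margin, not gross revenue
RESPONSE_TRI = (400_000, 650_000, 1_100_000)
LEGAL_TRI = (0, 250_000, 2_000_000)
CHURN_TRI = (0, 500_000, 3_000_000)

def pert(lo, mode, hi, rng):
    """PERT(lo, mode, hi) sampled through its Beta form with the usual shape factor 4."""
    a, b = 1 + 4 * (mode - lo) / (hi - lo), 1 + 4 * (hi - mode) / (hi - lo)
    return lo + rng.betavariate(a, b) * (hi - lo)

def tri(lo, mode, hi, rng):
    """Triangular sample in (min, mode, max) order; random.triangular itself takes (low, high, mode)."""
    return rng.triangular(lo, hi, mode)

def poisson(lam, rng):
    """Event count for one year at annual rate lam (Knuth's method, fine for small rates)."""
    limit, k, p = math.exp(-lam), 0, rng.random()
    while p > limit:
        k, p = k + 1, p * rng.random()
    return k

def event_loss(rng, mag_scale=1.0):
    """Dollar loss of one event across the four magnitude buckets; mag_scale models a control."""
    downtime = tri(*DOWNTIME_TRI, rng) * REVENUE_PER_HOUR * GROSS_MARGIN
    return mag_scale * (downtime + tri(*RESPONSE_TRI, rng) + tri(*LEGAL_TRI, rng) + tri(*CHURN_TRI, rng))

def annual_loss(rng, freq_scale=1.0, mag_scale=1.0):
    """One simulated year: draw an annual rate, then sum the losses of the events it produces."""
    events = poisson(freq_scale * pert(*FREQ_PERT, rng), rng)
    return sum(event_loss(rng, mag_scale) for _ in range(events))

def simulate(trials=10_000, seed=2025, freq_scale=1.0, mag_scale=1.0):
    """Monte Carlo run returning ALE, one-year VaR@95 and two points of the loss exceedance curve."""
    rng = random.Random(seed)
    losses = sorted(annual_loss(rng, freq_scale, mag_scale) for _ in range(trials))
    return {"ale": sum(losses) / trials,
            "var95": losses[int(0.95 * (trials - 1))],
            "p_ge_5m": sum(x >= 5e6 for x in losses) / trials,
            "p_ge_10m": sum(x >= 10e6 for x in losses) / trials}

def risk_adjusted_roi(tco, freq_scale=1.0, mag_scale=1.0, trials=10_000, seed=2025):
    """Risk-adjusted ROI = (baseline ALE - post-control ALE) / TCO, same seed for reproducibility."""
    delta = simulate(trials, seed)["ale"] - simulate(trials, seed, freq_scale, mag_scale)["ale"]
    return delta / tco
```

Call `simulate()` for the baseline metrics and, for the MFA + PAM row, `risk_adjusted_roi(900_000, freq_scale=0.55)` to apply the −45% frequency effect against its $900k TCO; the immutable-backup row is `risk_adjusted_roi(600_000, mag_scale=0.65)`.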
Board & 8-K-ready reporting pack
Artifacts
Loss Exceedance Curve (per scenario & consolidated)
Expected Loss, VaR@95, tail narratives
Control portfolio ranked by Risk-Adj ROI
Materiality decision memo template (includes nature, scope, timing, impact ranges) aligned to SEC Item 1.05
Operating metrics
MFA coverage (% phishing-resistant)
Critical vuln MTTR; identity hygiene (standing admin %)
Backup restore RTO/RPO tested
Vendor high-risk counts; contract indemnities
90-day implementation plan
| Phase | Weeks | Deliverables |
|---|---|---|
| Scope & governance | 1–2 | Scenarios, owners, FAIR/NIST method brief, data request list |
| Data & modeling | 3–6 | Input ranges, Monte Carlo workbook, first loss curves |
| Control economics | 7–9 | Risk-Adj ROI table, budget asks, insurance posture review |
| Board pack & 8-K playbook | 10–12 | Slides, decision memos, disclosure templates |
Common pitfalls to avoid
Using industry averages as your loss estimate (use them only to bound ranges)
Reporting a single number without confidence intervals
Mixing control inventory with risk (keep economics separate)
Skipping identity risks despite DBIR trendlines
Materiality blur—build a standing memo template now
Quick FAQ
What’s the fastest way to start?
Pick three scenarios, pull last 12 months of incidents and downtime metrics, and run a simple simulation (10k trials) in a spreadsheet. You can harden later.
How do I defend this to the Audit Committee?
Anchor your method to FAIR and NIST SP 800-30, cite data sources, store assumptions in the model, and present ranges with business narratives.
How does this relate to SEC cyber disclosures?
Dollarized loss ranges and impact narratives accelerate materiality judgments and populate 8-K Item 1.05 or 8.01 disclosures when appropriate.