Stop guessing about your Cyber Risk!

Cyber attacks a plague on the business community that just won't go away this time. It's British Airways boots and the BBC who are having to explain why their employee's personal information was compromised. They're not alone. A slew of companies across the world have been affected, at least eight of them in the UK so far. British Airways boots and the BBC have confirmed the attack. Each one employees need. Russian,
Russian hacker groups, kni Re Will and Anonymous Sudan began their long anticipated attack on European banking. The attack was announced last week with the cyber criminals to saying they are going to take down major European hackers, took down the websites of the European Investment Bank with what appears to be DDoS attacks. The bank admitted that two of its websites are currently down and said they're responding to the
Incident.
So as you can see, these are not fake news. So, so these are mostly things that have happened recently and I, I think at this stage, every one of you is aware of how real this is. So companies need to be asking if they're going to be attacked, but when they're going to be attacked. And one of the main challenges that companies are facing today is really understanding their cyber effect. What is their exposure, particularly the board, the c-level. The c-suite is asking these questions in terms of what is my cyber exposure? What will be my loss, my financial loss? If we are attacked, what will be the return investment? Are we over investing or are we under investing in cybersecurity? Traditionally people know that they have a high risk or they have a a high risk score, but it's not telling them in numbers in euros, in dollars, what is actually the financial impact.
So with cyber risk quantification, we are providing companies in the business, in the language of business, what will be the impact, what will be the financial impact of a cyber attack Yesterday, I dunno who, if you follow one of the last presentations towards the end of the day about surviving along the, the cyber exposure cyber lines. The speaker were, was were talking about how important it's to inform the board. And he was referring to the example of using geopolitics as, as a good anchor, a good trigger. That's one way. But of course there are other ways like having a cyber risk quantification. And in that way the companies can say, well, I'm going to the CSO is, is sometimes trying to justify the his or her budget on cybersecurity. And with cyber risk quantification, not only the CSO gets the, the munition or the, the, the right munition bullets to justify in front of the board that this investment is relevant and what would be the impact if they invest 10 or 200 million.
So this is what cyber risk quantification is about. Obviously there are different use cases. So just to give you some examples of how companies are using this or maybe using this. The first one is giving you full transparency. So really starting what is your worst case loss. So we also call this Armageddon or when everything goes south, what is your maximum potential financial loss? Of course this is not the most realistic scenario, but this is a good starting point really to, to open eyes and people start to put a number behind the self exposure. And of course you will see in a few minutes why on how we are able to do this. But the worst case loss, for example, this particular case, this a manufacturing company is telling them, well, your maximal potential loss is 84 million. And if you correlate that, if you compare that to your profits, this is 35% of your cross profits.
So you put in the numbers in perspectives is it's a huge number. So you, you you, you go bankrupt, you are out of business. You're not able to honor your obligation with your stakeholders and more interesting. Also on the right you can see that we are able to break down this worst case. So these are the different laws components. So what is expected laws in terms of business disruption. So if you are not able to operate, you're not able to produce, what is your loss in terms of financial theft or even ransomware, regulatory defense, of course data privacy and so on. So then you, you depending on your company, depending on your business, this distribution of the of the laws will be different for a manufacturing company. Business interruption is, is significant for a financial services company, maybe ransomware or the financial theft or even data privacy theft, it's, it's one of the main loss components.
But from there then we go to a more realistic scenario. So really trying to model and having, using Montecarlo simulations and probability and statistics, we come to a more realistic scenario and tell you, okay, that was your maximum loss, but this is now a more realistic loss. So you can have a, a significant cyber attack, significant cyber loss every six or seven years and we put numbers on on that. So you can have then drive your decisions, drive your budget investments and start also doing ROI calculation on your investment on cyber security. Another use case is, is what we call defense optimization. So it's really getting into your information security maturity and giving you insight where to invest. So which will be the top 10, the top 12 information security controls that will mitigate your, your cyber risk exposure. And I'm talking about actual ISO 27 0 0 1 controls, your your access control, your HR policies, your your cryptography approach.
And we are able to show you also in a heat map where are you today based on your exposure on the, on the Y axis and what is your information security maturity on the x axis and, and give you guidance where to invest in order to mitigate the, the exposure. And here you can see the impact. Well, if you invest in this controls, you can mitigate your exposure by X number of millions. And then you have a clear basis to decide where to invest. And whether this investment is, is is giving you a, providing you a return investment.
Another use case is a scenario planning. This is also a classic, classic one. So imagine your company's involve an MA transaction, you are buying a new business and you want to understand what would be your exposure when this business integrated. I mean they have completely different landscapes. It might be AC company in the us We'll have another mindset in terms of data privacy and we are able to show you okay, before the acquisition, after acquisition, these are the the, the exposure and how this will be increased. And of course then you, you can decide if it makes sense to to buy that company. And then in this particular scenario you see that everything will become worse, every scenario will become worse by buying this, this company you might also be divesting a business unit. And you can see also the impact on that.
Another one is what we call group steering. So really if you are a large company, you are a, a conglomerate or a company doing business in many countries you have 30, 50 entities worldwide. You might have, even if you push from from from the center standardized IT landscape, that might not be the case or you are buying companies or you have a, a new company or another brand you can try to steer them and even do benchmarking between the subseries. So we've done this with 1, 1, 1 customer and really from a group level, the group CSO can really steer the cyber acuity maturity, the cyber risk, the the cyber maturity of, of this subseries on a global level. And you can of course monitor that and also see where this subsi is lacking maturity and which others is not.
This is just an example of some of the use cases. I mean obviously there are other use cases. Recently I was talking with one of our partners and, and they were asking if we can help one of their customers with their bounty program. So it's really to help them if it's worth for them to invest in this bug bounty program, what will be the return on investment? Of course these are things you can do because you can quantify the, the cyber risk, just an example. So now how we do it, how we are able to, to do this.
I mean it's, it's, it's, it's a software solution. It's a SaaS platform on the cloud. So you can subscribe to it and use it as much as you want and repeat the assessments. One of the, the main differentiator is we do a top down risk assessment. I mean most of you, or I'm sure you're familiar of the classic way of doing risk assessment, which is bottom up. So with starting with your assets, that's still needed. So we, we, we are not replacing that, but the, the challenge with that is that it's very difficult to aggregate the results on the company level. And this is what the board needs. The CEO, the cfo, they don't want to, they don't understand the technical aspect. They want to understand my company, why Mike Porsche, what is the, the financial number as you saw? So the top down approach compliments nicely the bottom up approach.
So really from the top really giving you an aggregated view, a consolidated view of your exposure at the company level. So this is, this is, this is kind of new. So it's, it's something that some many people are not aware that is possible in terms of input. Also, you might be asking what input is required. I mean this is not very complex, so this is not something that takes months. So in, in few days, up to four weeks, we are able to, to, to have the first result of the project. So we looked at about 25 information security controls. So we assessed those controls. We looked at about 15 data points in terms of your, your exposure in terms of your business, what's you are doing, which industry, what is your revenue, which regions you're operating. And then there's about 50, 60, we do a business impact analysis also to, to, to go a bit deeper. And this also complemented with interviews. So it's a software solution, but it's complemented also with interviews from the key stakeholders, the CRO, the CFO, the CISO and so on. And again, this can be the first result you get in the first four weeks. If you already have done a risk, a maturity assessment, you already probably have 80% of the required input for, for the risk cyber risk quantification. And then it's our secret sauce, what I call the secret sauce. We are a venture, we are a startup from a ministry ministry in Germany.
It's, it's the largest cyber reinsurer in the world. So as, as, as we are a hundred percent owned by them. And as such we are licensed to use the methodology and their database. So ministry is was one of the pioneers that dared to ensure cyber attacks. Others, insurers, they say, no, that's too risky. We, we don't know how to do that. It's too risky, but ministry decided we need to do this, otherwise we won't be relevant. So they have been doing this in the last eight years and as you can imagine, they have gathered extensive database and this database that we are using has actually the actual losses from cyber incidents. So we know actually what has happened. We have more than 4,000 companies there. We have more than 3,130 industries you can see here. So that's why we are able to quantify. So it it, it's not a number out of nowhere.
It's really in the context of your company and your industry, your size. What has happened in that company and ministry has been very successful in cyber insurance and is, is making money. So having this data shows that the numbers and the methodology is right. And of course there's a lot of complexity behind. So in terms of the all the Monte Carlo simulation that happened with the data, this model is also being adjusted every year there are more than 1000 parameters. So we have visibility on all what happened and it's, this is not about selling of, we were not in the business of, of cyber insurance policy, but we are using the data, the same data. Yeah. And this cannot be applied to, so that's our secret. So that's how we are able to be very accurate and have very compelling and accurate numbers. That makes sense.
Yes. And of course this is not science fiction, this is not new. This already has been tested. So one of our reference customer, Yung Hinrich is a, is a large manufacturing company from Germany's, some of the headquarters in Hamburg. They miss satellite CSO is also the, the, the president of the Saka German chapter. They actually are using the tool, use the tool. And you can see here it's help them to, to facilitate their strategic decision making in terms of where to invest in cyber. And Mt a agents is also a large known German company, a, a aerospace. They also are using the solution, so helping them to define the mitigation strategy. And they, we also have a, a large automotive customers is anonymous, we cannot use their name. But also of course being in Germany, everyone is working somehow with automotive interest. But again, this can be applied to any, any industry. So I hope this was helpful for you and trying to be on time.