Cyber insurance for the digital age

In this scenario, whose records were breached?


Whose records

Employees are typically more engaged with and aware of a data breach than customers, meaning they are more likely to sign up for services offered by the company, such as credit monitoring.

If you store any personal data other than your employees (including customer, client, or other non-employee personal data), consider that as "customer" data for this calculator.

How many people were affected by the breach?


Number affected

Larger breaches drive up costs by requiring greater notification efforts and by drawing more attention, including the attention of regulators and plaintiffs' lawyers.

For this question, count the people whose records are affected, not the number of individual data points you store.

Which type of records were exposed in the breach?


Record types

Different laws and regulatory bodies cover different types of records, causing costs to differ.

Personal information

An individual's first name or first initial and last name combined with one or more other data points. Other data points may include SSN, driver's license numbers, account passwords and others, depending on the state.

Credit card data

The Primary Account Number (PAN) and any related information if included (e.g., expiration dates).

Health records

All data related to mental or physical health, the provision of healthcare, or the payment of healthcare that can be associated with a specific person and that is held by Health Plans, Health Providers, and Healthcare Clearinghouses or those they work with.

How were the records breached in this scenario?


Breach types

Regulators are less forgiving of breaches that result from avoidable circumstances, such as preventable accidents.

Your company may be at risk from each of these types of breaches. You can test each option to see the cost of a breach in different scenarios.

Do you store the mailing addresses for those whose records were breached?


Mailing addresses

Written mail is the most expensive form of notification. If mailing addresses are not available, other cheaper forms of notification are permitted.

Have you publicly disclosed another breach in the last 24 months?


Past breaches

Regulators are less forgiving of "repeat offenders".

If you have cyber incidents that were not considered breaches and were resolved internally (not reported to customers or regulators), then no incidents were "publicly disclosed".

How would you estimate the level of complexity of your network?


Network complexity

The more complex a network, the more time consuming -- and expensive -- a forensic investigation tends to be. Breach coach costs also increase as they are required to oversee longer forensic investigations.

The complexity of networks can vary widely even among similar companies. You can use these rough guidelines to estimate network complexity.

Low complexity networks

Have few locations (e.g., fewer than 10) with limited, basic technology use (e.g., a POS system) and employees who generally work on site. May be networks with all data stored in cloud services.

Medium complexity networks

Typically span a larger number of locations (e.g., 10-100 locations) and may include off-site backups. May also include legacy IT from mergers and acquisitions. Users may use various devices and may work remotely.

High complexity networks

Enterprise grade network with many locations (e.g., >100 locations), potentially decentralized management (e.g., franchises), thousands of users, and legacy IT or specialized industry IT.

In this scenario, how big a news story would this breach be?

Size of news story

Breaches that generate news attention tend to have higher credit monitoring costs as a result of increased uptake of credit monitoring, higher PR costs, and higher regulatory costs, as highly newsworthy breaches draw regulatory attention and public pressure for action.

If your breach would end up in the Wall Street Journal, it would be national news. If it wouldn't create any news at all, it would be a small story. If it's somewhere in between, consider it a medium story.

How would you say your security controls compare with your industry's best practices?

Security controls

Regulators are more forgiving of companies with strong security controls in line with best practices. For example, the California AG's office cites the CIS Critical Security Controls as an important component of a standard for "Reasonable Security".

To fully assess a company's security controls is a complex process, and needs vary from business to business. Do your best to compare your own practices to those of your peers or industry standards. Try different options to see how they impact your exposure.

Are you based out of California?


Class action lawsuits for PHI in California have significantly higher settlement values due to state privacy laws.

Check yes if your company is subject to California state laws.

Frequently Asked Questions

Does this estimate an average cost?

Yes, the calculator shows average costs. However, a company does not necessarily incur each cost component. You can click on each cost component to learn more about the likelihood of incurring that cost.

Why do you not ask about Industry and Revenue?

Industry and Revenue are important predictors of the likelihood of a breach. For example, larger Financial Institutions and Healthcare companies are more frequent targets. However, characteristics of a company's exposure, such as the type and number of records stored, drive the cost of the breach.

Why are PCI costs so high?

After a PCI breach Visa, Amex, MasterCard, and Discover may issue fraud assessments to recoup fraud costs. It's not unusual to see PCI assessments range from low or no cost to up to sixty dollars per card. The calculator shows a median cost based on the size of the breach.

What if I have segregated or encrypted records or my data is in the cloud?

Network segmentation, encryption, and cloud storage can help reduce the impact of a data breach. This calculator assumes all records stored (locally or in the cloud) are exposed to an unauthorized party. You can toggle the total number of records to experiment with the cost if only portions of your network and data are compromised.

Estimated cost

Answer the first three questions to get an initial estimate. Answer all ten for a more refined estimate.

  • Breach Coach

    A breach coach is frequently required after a data breach. They help determine whether public notification is legally required. In very simple cases (e.g., lost encrypted device that is quickly recovered) breach coach costs may be minimal, but in rare complex cases costs could reach up to one million dollars.

  • Forensics

    Forensics is required after most data breaches to help determine whether public notification is required. In especially complex circumstances, forensic costs can increase into the millions.

    For PCI breaches, a breached company often must pay for multiple forensic investigations: one at the request of the card carrier, and then the company's own investigation.

  • Crisis Management

    PR support is not always required and is used for larger or more newsworthy breaches.

  • Notification

    Approximately 55% of security incidents result in notification. State and federal laws determine when notification is or is not required. A breach coach helps companies ensure they comply with those laws.

  • Call Center

    Many state notification laws and HIPAA require that breached entities provide toll-free numbers customers can call to learn more information about the breach. 90-day call centers have become a breach response standard.

  • Credit Monitoring

    While only a few states require credit monitoring to be offered, companies provide the service in ~65% of breaches.

  • PCI Fines & Assessments

    PCI fines and assessments are imposed by credit card companies in PCI breaches where fraud is present, and typically only in breaches of more than 5,000 cards. PCI fines and assessments can be a major driver of breach costs, though they can also vary widely depending on the level of fraud resulting from a breach.

  • Regulatory Fines & Defense

    This estimate includes State Attorneys General fines and Office of Civil Rights (OCR) fines for HIPAA violations. State AGs investigate 30% of breached companies. OCR has historically investigated all PHI breaches affecting more than 500 individuals.

    This estimate does not include fines under the GDPR regulation for data breaches in the EU. GDPR fines may reach up to 4% of global revenue.

  • Class Action Settlements & Defense

    This estimate focuses on consumer class action lawsuits. Approximately 5% of publicly reported data breaches lead to consumer class action litigation, though litigation is much more likely for breaches with more than 5,000-10,000 records.

How do I get started?

For a ballpark estimate, just answer the first three questions. We'll answer the rest with some default assumptions. To get better estimates, answer all 10 questions. To try different scenarios, use the Jump To button to skip back to different questions and watch the estimates update on the right.

Is this accurate?

Our model is based on real-world case claims data and expert analysis, though every breach is different and your case may vary.

See the full report, and more

Are you an insurance broker? At-Bay gives you the tools you need to be an expert on your clients’ cyber risk. Create an account and download our full Data Breach Cost Report, request free security assessments on your prospects and clients, and get a quote for At-Bay’s cyber insurance.