Cyberattacks, a plague on the business community that just won't go away. This time, it's British Airways, Boots and the BBC who are having to explain why their employees' personal information was compromised. They're not alone. A slew of companies across the world have been affected, at least eight of them in the UK.
So far, British Airways, Boots and the BBC have confirmed the attack. Each one employs thousands...
Major Russian hacker groups, Killnet, REvil and Anonymous Sudan, began their long-anticipated attack on European banking. The attack was announced last week, with the cyber criminals saying they are going to take down major European businesses. Hackers took down the websites of the European Investment Bank with what appears to be DDoS attacks. The bank admitted that two of its websites are currently down and said they are responding to the incident.
So as you can see, these are not fake news.
So these are mostly things that have happened recently. And I think at this stage, every one of you is aware of how real this is. So companies need to be asking not if they're going to be attacked, but when they're going to be attacked. And one of the main challenges that companies are facing today is really understanding their cybersecurity. What is their exposure? Particularly, the board, the C-level, the C-suite, is asking these questions in terms of what is my cyber exposure? What will be my loss, my financial loss, if we are attacked? What will be the return on investment?
Are we over-investing or are we under-investing in cybersecurity? Traditionally, people know that they have a high risk or they have a high risk score, but it's not telling them in numbers, in euros, in dollars, what is actually the financial impact. So with cyber risk quantification, we are providing companies in the business, in the language of business, what will be the impact? What will be the financial impact of a cyber attack?
Yesterday, I don't know if you follow one of the last presentations, towards the end of the day, about surviving along the cyber exposure, cyber lines. The speaker was talking about how important it is to inform the board and he was referring to the example of using geopolitics as a good anchor, a good trigger.
That's one way, but of course, there are other ways like having a cyber risk quantification and in that way, the companies can say, well, I'm going to, the CISO is sometimes trying to justify his or her budget on cybersecurity and with cyber risk quantification, not only the CISO gets the munition or the right munition bullets to justify in front of the board that this investment is relevant and what will be the impact if they invest 10 or 200 million. So this is what cyber risk quantification is about.
Obviously, there are different use cases or just to give you some examples of how companies are using this or maybe using this. The first one is giving you full transparency. So really starting, what is your worst case loss? So we also call this Armageddon or when everything goes south, what is your maximum potential financial loss?
Of course, this is not the most realistic scenario, but this is a good starting point really to open eyes and people start to put a number behind the cyber exposure. And of course, you will see in a few minutes why and how we are able to do this. But the worst case loss, for example, this particular case, this manufacturing company is telling them, well, your maximal potential loss is 84 million. And if you correlate that, if you compare that to your profits, this is 35% of your gross profit. So putting the numbers in perspective, it's a huge number.
So you go bankrupt, you are out of business, you're not able to honor the obligation with your stakeholders. And more interesting also on the right, you can see that we are able to break down this worst case. So these are the different loss components. So what is expected loss in terms of business interruption? So if you are not able to operate, you're not able to produce. What is your loss in terms of financial theft or even ransomware, regulatory defense, of course, data privacy and so on.
So then you, depending on your company, depending on your business, this distribution of the loss will be different. For a manufacturing company, business interruption is significant. For a financial services company, maybe a ransomware or the financial theft or even data privacy theft. It's one of the main loss components. But from there, then we go to a more realistic scenario.
So really trying to model and having using Monte Carlo simulations and probability and statistics, we come to a more realistic scenario and tell you, okay, that was your maximum loss, but this is now a more realistic loss. So you can have a significant cyber attack, significant cyber loss every six or seven years. And we put numbers on that. So you can have then drive your decisions, drive your budget investments and start also doing ROI calculation on your investment in cybersecurity. Another use case is what we call defense optimization.
So it's really getting into your information security maturity and giving you insights where to invest. So which will be the top 10, the top 12 information security controls that will mitigate your cyber risk exposure. And I'm talking about actual ISO 27001 controls, your access control, your HR policies, your cryptography approach. And we are able to show you also in a heat map, where are you today based on your exposure on the y-axis and what is your information security maturity on the x-axis and give you guidance where to invest in order to mitigate the exposure.
And here you can see the impact. Well, if you invest in these controls, you can mitigate your exposure by x number of millions. And then you have a clear basis to decide where to invest and whether this investment is providing you a return on investment. Another use case is scenario planning. This is also a classic, classic one. So imagine your company is involved in an M&A transaction. You are buying a new business and you want to understand what will be your exposure when this business is integrated.
I mean, they have completely different heterogeneous landscapes. Maybe a company in the U.S. will have another mindset in terms of data privacy. And we are able to show, okay, before the acquisition, after acquisition, these are the exposure and how this will be increased. And of course, then you can decide if it makes sense to buy that company. And in this particular scenario, you see that everything will become worse. Every scenario will become worse by buying this company. You might also be divesting a business unit and you can see also the impact on that.
Another one is what we call group steering. So really, if you are a large company, you are a conglomerate or a company doing business in many countries. You have 30, 50 entities worldwide. You might have, even if you push from the center, a standardized IT landscape, that might not be the case. Or you are buying companies or you have a new company or another brand, you can try to steer them and even do benchmarking between the subsidiaries. So we've done this with one large customer.
And really from a group level, the group CISO can really steer the cyber maturity of the subsidiaries on a global level. And you can, of course, monitor that and also see where this subsidiary is lacking maturity and which others not. This is just an example of some of the use cases.
I mean, obviously, there are other use cases. Recently, I was talking with one of our partners and they were asking if we can help one of their customers with their bounty program. So it's really to help them, if it's worth for them to invest in this bug bounty program, what would be the return on investment?
Of course, these are things you can do because you can quantify the cyber risk. Just an example.
So now, how we do it, how we are able to do this? I mean, it's a software solution, it's a SaaS platform on the cloud, so you can subscribe to it and use it as much as you want and repeat the assessments. One of the main differentiators is we do a top-down risk assessment.
I mean, most of you, or I'm sure you're familiar with the classic way of doing risk assessment, which is bottom-up, so starting with your assets. That's still needed, so we are not replacing that. But the challenge with that is that it's very difficult to aggregate the results on the company level and this is what the board needs, the CEO, the CFO, they don't want to, they don't understand the technical aspect, they want to understand my company, what is my portion, what is the financial number as you saw.
So the top-down approach complements nicely the bottom-up approach, so really from the top, really giving you an aggregated view, a consolidated view of your exposure at the company level. So this is kind of new, so it's something that many people are not aware that is possible. In terms of input, also you might be asking what input is required.
I mean, this is not very complex, so this is not something that takes months, so in a few days, up to four weeks, we are able to have the first result of the project. So we looked at about 25 information security controls, so we assessed those controls, we looked at about 15 data points in terms of your exposure, in terms of your business, what you are doing, which industry, what is your revenue, which regions you are operating, and then there's about 50-60, we do a business impact analysis also to go a bit deeper, and this also complemented with interviews.
So it's a software solution, but it's complemented also with interviews from the key stakeholders, the CRO, the CFO, the CISO, and so on. And again, this can be the first result you get in the first four weeks. If you already have done a risk maturity assessment, you already probably have 80% of the required input for the cyber risk quantification. And then it's our secret sauce, what I call the secret sauce.
We are a venture, we are a startup from Munich Re, Munich Re in Germany, Münchener Rückversicherungs-Gesellschaft, it's the largest cyber reinsurer in the world, so we are 100% owned by them, and as such, we are licensed to use their methodology and their database. So Munich Re was one of the pioneers that dared to insure cyber attacks.
Other insurers, they said, no, that's too risky, we don't know how to do that, it's too risky, but Munich Re decided we need to do this, otherwise we won't be relevant, so they have been doing this in the last eight years, and as you can imagine, they have gathered an extensive database, and this database that we are using has actually the actual losses from cyber incidents.
So we know actually what has happened. We have more than 4,000 companies there, we have more than 130 industries, you can see here. So that's why we are able to quantify, so it's not a number out of nowhere, it's really in the context of your company, in your industry, your size, what has happened in that company. And Munich Re has been very successful in cyber insurance, and it's making money, so having this data shows that the numbers and the methodology is right. And of course, there's a lot of complexity behind, so in terms of all the Monte Carlo simulation that happened with the data, this model is also being adjusted every year, there are more than 1,000 parameters. So we have visibility on what happened, and this is not about selling, or we were not in the business of cyber insurance policy, but we are using the data, the same data, yeah, and this cannot be applied to, so that's our secret. So that's how we are able to be very accurate and have very compelling and accurate numbers, that makes sense.
Yes, and of course, this is not science fiction, this is not new, this already has been tested. So one of our reference customers, Jungheinrich, is a large manufacturing company from Germany, some of the headquarters in Hamburg. They, Mr. Sattler is also the president of the ISACA German chapter, they actually are using the tool, I use the tool, and you can see here, it's helped them to facilitate their strategic decision-making in terms of where to invest in cyber. And MTU Aero Engines is also a large known German company, aerospace, they also are using the solution, so helping them to define the mitigation strategy. And we also have a large automotive customer, this one is anonymous, we cannot use the name, but also, of course, being Germany, everyone is working somehow with automotive industry. But again, this can be applied to any industry. So I hope this was helpful for you, and trying to be on time.