Study finds 1 in 4 Fortune 1000 firms will have a cyber loss event in the next year. SMBs typically lose 25% of annual revenues after a breach.

The Cyentia Institute, a cyber security research and data science firm, is pleased to announce the 2020 Information Risk Insights Study. The “IRIS 20/20” clears the fog of FUD (fear, uncertainty, and doubt) surrounding cyber risk and helps managers see their way to better data-driven decisions. This first-of-its-kind study leverages a vast dataset from Advisen spanning tens of thousands of public breaches over the last decade. Cyentia’s extensive analysis of that dataset yields valuable insights about the frequency and financial impact of cyber incidents to organizations of all types and sizes.

David Severski, Senior Data Scientist at Cyentia and lead IRIS analyst, “The IRIS is a game changer for enterprise risk managers. With data-driven estimates for frequency and cost of breaches, firms will be positioned to make better decisions on the issues that matter most to them.”

Using Cyentia’s team of data scientists and Advisen’s industry-leading set of publicly discoverable breaches, Cyentia is able to provide risk managers with industry specific estimates on both the frequency of loss events and the likely sizes of losses resulting from cyber events. Readers of the IRIS report can find estimates based upon their industry or the size of their firm or the characteristics of their partners. With these estimates, risk managers can make better decisions on investment and risk strategies, improving the business return on effort invested.

Key Findings of the IRIS 20/20 Report Include:

  • Over 60% of the Fortune 1000 had at least one cyber incident over the last decade. On an annual basis, we estimate one in four Fortune 1000 firms will suffer a loss event.
  • Moving beyond mega-corporations, the probability of incidents drops substantially. SMBs have rates below 2% and are orders of magnitude less likely to suffer 10 or more breaches in a year.
  • The likelihood of incidents varies up to 30x by industry. Government agencies, administrative support, information services, and financial firms, have the highest rates.
  • The traditional method of estimating breach losses—using a flat cost per record—is flat-out wrong. It results in $1.7 trillion in error from overestimating losses. We offer a better option.
  • We can use the number of records breached to estimate losses, but it’s probabilistic rather than deterministic. An exposure of 1,000 records has a 6% chance of exceeding $10M. By comparison, an exposure of 100M records has a better than 50% chance of racking up at least $10M in losses.
  • Financial losses following a cyber event typically run about $200K, but 10% of them exceed $20M. The cost of extreme events (95th percentile) to the mega corporations in the Fortune 250 approaches $100M (or more).
  • Typical and extreme losses differ greatly among industries. The information services and retail sectors show abnormally high losses that exceed many other sectors by a factor of 10.
  • A $100B enterprise that experiences a typical cyber event should expect a cost that represents 0.000003% of annual revenues. A mom and pop shop that brings in $100K per year, on the other hand, will likely lose one-quarter of their earnings or more.
  • Based on these frequency and loss estimations, we assess that there’s a 6% chance that a Fortune 1000 firm will lose $100M or more in a 12-month period due to cyber events. These are the type of probabilistic cyber risk projections we’re aiming to support in this study.

“This is something I’ve been wanting to study for a very long time. Our extensive analysis yields objective data on the frequency and financial impact of breaches to organizations of all types and sizes. We hope it helps many escape the qualitative quagmire of information risk assessments,” says Dr. Wade Baker, co-founder of the Cyentia Institute.

For the full report, visit

About The Cyentia Institute

The Cyentia Institute is a research & data science firm working to advance knowledge in the cybersecurity industry. We accomplish this by partnering with security vendors and other organizations to publish a range of high-quality, data-driven content. Follow us on Twitter or visit us at to learn more.

About Advisen

Advisen is the leading provider of data, media, and technology solutions for the commercial property and casualty insurance market. Advisen’s proprietary data sets and applications focus on large, specialty risks. Through Web Connectivity Ltd., Advisen provides messaging services, business consulting, and technical solutions to streamline and automate insurance transactions. Advisen connects a community of more than 200,000 professionals through daily newsletters, conferences, and webinars. The company was founded in 2000 and is headquartered in New York City, with offices in the US and the UK. Visit to learn more.