Study finds median catastrophic cyber losses of $47M. One in five extreme loss events (43% of all monetary losses) are attributable to state-affiliated actors.

The Cyentia Institute, a cyber security research and data science firm, is pleased to announce the IRIS 20/20 Xtreme. Early in 2020, the Cyentia Institute published the Information Risk Insights Study (IRIS 20/20). This first-of-its-kind study leveraged a vast dataset from Advisen, spanning tens of thousands of cybersecurity incidents over the last decade. Our extensive analysis of that dataset yielded valuable insights about the frequency and financial impact of cyber incidents to organizations of all types and sizes. The IRIS 20/20 Xtreme is a follow-up to that research, focusing on the 100 largest cyber incidents of the last five years, totaling $18 billion in reported losses and 10 billion compromised records. We once again started with Advisen’s Cyber Loss Data and then collected hundreds of additional data points on each of these extreme cyber loss events. Our goal was to breakdown the costs, categorize incident types, identify the actors behind these events and the actions they employed, and better understand how these events impacted the organizations involved. Our primary goal remains the same as the IRIS 20/20—to clear the fog of fear, uncertainty and doubt (FUD) surrounding cyber risk and help managers see their way to better data-driven decisions.

David Severski, Senior Data Scientist at Cyentia and lead IRIS Xtreme analyst, “Continuing the data-driven exploration of loss events from the IRIS 20/20 report, this zeroing in on the largest of the large breaches reveals new information on the actors, magnitude, and forms of loss that make up the headlines in front of risk managers and organization leaders.”

Using Cyentia’s team of data scientists and Advisen’s industry-leading set of publicly discoverable breaches, Cyentia is able to provide risk managers with industry specific estimates on both the frequency of loss events and the likely sizes of losses resulting from cyber events. Readers of the IRIS report can find estimates based upon their industry or the size of their firm or the characteristics of their partners. With these estimates, risk managers can make better decisions on investment and risk strategies, improving the business return on effort invested.

Key Findings of the IRIS Xtreme Report Include:

  • The median loss for extreme losses is $47M. With over one-in-four exceeding $100M losses.
  • Response costs, lost productivity, and fines and judgements are the most common forms of loss in extreme events.
  • The likelihood of incidents varies up to 30x by industry. Government agencies, administrative support, information services, and financial firms, have the highest rates.
  • Firms that bungle the incident response process show costs that are nearly 2.8 times larger than those without signs of poor response.
  • The financial and information sectors, with their large holding of funds and data, have experienced the largest number of extreme loss events!
  • Data breaches, ransomware, fraud, and cryptocurrency theft are by far the most common and costliest types of extreme cyber events.
  • One in five of the largest losses over the last five years are attributed to state affiliated actors.

For the full report, visit

About The Cyentia Institute

The Cyentia Institute is a research & data science firm working to advance knowledge in the cybersecurity industry. We accomplish this by partnering with security vendors and other organizations to publish a range of high-quality, data-driven content. Follow us on Twitter or visit us at to learn more.

About Visible Risk

VisibleRisk is a joint venture between Moody’s Corporation, a global leader in risk assessment, and Team8, a cybersecurity-focused company creation platform, that is focused on creating a standard benchmark for communicating cyber risk to Boards of Directors and senior business executives in order to improve the global dialog about this important issue. Learn more at