When a bank's board approves a ₹15 crore cyber insurance policy renewal, what is that decision based on? When the CISO requests a budget increase of ₹8 crore to deploy a privileged access management solution, how does the board evaluate whether that investment is justified? When a regulator asks the board to attest to the adequacy of the organisation's cybersecurity investment, what evidence supports that attestation?

In most Indian BFSI organisations today, these decisions are made on the basis of qualitative risk ratings and the CISO's recommendation. That is not adequate oversight — and India's regulators, having observed the same gap in overseas markets, are beginning to expect more.

₹250 Cr: maximum DPDP penalty per breach
₹18–47 Cr: typical ransomware ALE range for a mid-size bank (P50 to P95)
6 hrs: CERT-In reporting window before liability
4.2×: typical ROI on MFA (ALE reduction versus cost)

Why Qualitative Risk Ratings Are Insufficient for Boards

The "5×5 heat map" — plotting likelihood against impact on a red/amber/green grid — has been the staple of enterprise risk reporting for decades. It has two fundamental problems when applied to cyber risk at the board level.

The first problem is false precision without calibration. When a risk is rated "HIGH likelihood, HIGH impact," what does that mean quantitatively? If "HIGH likelihood" means the event occurs once every three years, and "HIGH impact" means a ₹30 crore loss, then the Annual Loss Expectancy (ALE) is approximately ₹10 crore. If "HIGH likelihood" means once per decade and "HIGH impact" means ₹200 crore, the ALE is ₹20 crore. These are the same qualitative rating but very different financial exposures.

The second problem is incomparability with other enterprise risks. A board that manages credit risk in basis points and market risk in VaR percentages cannot govern cyber risk using a different, qualitative language. The risk needs to be in the same currency — ₹ crore — that everything else in the boardroom is discussed in.

"The board's question is always the same: how much could this cost us? Everything else is technical detail."

The Four CRQ Models in RiskSage

The RiskSage CRQ Engine supports four industry-standard quantification models, each suited to a different type of board question. All four express results in ₹ crore, anchored to Indian regulatory loss categories.

Model 1: FAIR v3.0 (Monte Carlo)

FAIR — Factor Analysis of Information Risk — is the most widely adopted probabilistic cyber risk model. It decomposes risk into Loss Event Frequency (LEF) and Loss Magnitude (LM), running thousands of Monte Carlo simulations to produce an ALE probability distribution. The result is not a single number but a range: "50th percentile ₹18 crore, 95th percentile ₹47 crore." This is the model best suited for board investment justification and cyber insurance sizing.

FAIR v3.0 — Illustrative Ransomware Scenario (Mid-Size Bank)

Threat Event Frequency (0.4/yr) × Vulnerability (0.62) × Loss Magnitude (₹74 Cr) = Annual Loss Expectancy (₹18.4 Cr)

P50: ₹18.4 Cr · P95: ₹47 Cr · P99: ₹89 Cr
Monte Carlo simulation, 10,000 runs. Inputs sourced from the RiskSage risk graph: VaptFindings, MonitorAlerts, CyberIncidents.
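To make the decomposition above concrete, here is an added worked example in plain Python (standard library only; this is not RiskSage code). It samples each FAIR factor from an assumed distribution, multiplies the draws, and reports the ALE percentiles. The distributions and their parameters are assumptions chosen so that the central values line up with the scenario figures (TEF 0.4/yr, Vulnerability 0.62, Loss Magnitude ₹74 Cr); they are not calibrated inputs.

```python
import math
import random
from statistics import mean

# Constructed illustrative inputs (not RiskSage risk-graph data). Ranges are
# chosen so the central values match the scenario above.
TEF_LOW, TEF_MODE, TEF_HIGH = 0.2, 0.4, 0.7   # threat events per year (triangular)
VULN_ALPHA, VULN_BETA = 6.2, 3.8              # Beta(6.2, 3.8) has mean 0.62
LM_MEDIAN_CR, LM_SIGMA = 74.0, 0.5            # lognormal loss magnitude, ₹ crore


def point_estimate_ale(tef, vuln, loss_magnitude_cr):
    """Deterministic FAIR identity: ALE = TEF x Vulnerability x Loss Magnitude."""
    return tef * vuln * loss_magnitude_cr


def percentile(sorted_values, p):
    """Nearest-rank percentile of an already sorted list (p in 0..100)."""
    idx = max(0, math.ceil(p / 100 * len(sorted_values)) - 1)
    return sorted_values[idx]


def simulate_ale(runs=10_000, seed=42):
    """Monte Carlo FAIR: draw each factor, multiply, return the sorted ALE draws.

    Each run is one plausible 'state of the world'; the spread of the product
    across runs is the ALE distribution the board sees as P50/P95/P99."""
    rng = random.Random(seed)            # fixed seed so results are reproducible
    mu = math.log(LM_MEDIAN_CR)          # lognormal parameterised by its median
    draws = []
    for _ in range(runs):
        tef = rng.triangular(TEF_LOW, TEF_HIGH, TEF_MODE)
        vuln = rng.betavariate(VULN_ALPHA, VULN_BETA)
        loss_magnitude = rng.lognormvariate(mu, LM_SIGMA)
        draws.append(tef * vuln * loss_magnitude)
    draws.sort()
    return draws


def summarise(draws):
    """Board-facing summary of the ALE distribution, ₹ crore per year."""
    return {
        "mean": mean(draws),
        "P50": percentile(draws, 50),
        "P95": percentile(draws, 95),
        "P99": percentile(draws, 99),
    }


if __name__ == "__main__":
    print("Point estimate:", round(point_estimate_ale(0.4, 0.62, 74.0), 2))
    for name, value in summarise(simulate_ale()).items():
        print(f"{name}: ₹{value:.1f} Cr")
```

The useful lesson is in the gap between the single point estimate (₹18.4 Cr) and the P95/P99 figures: the point estimate is what a deterministic model reports, while the percentiles are what an insurance limit or a regulator's "worst plausible year" question actually needs.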

Model 2: FAIR-MAM (Maturity Adjustment Model)

FAIR-MAM translates NIST CSF maturity Tier improvements directly into ₹ crore risk reduction. This is the model that makes the maturity roadmap financially defensible: "Moving from Tier 2 to Tier 3 on the RESPOND function reduces the ransomware ALE from ₹18 crore to ₹11 crore — a reduction of ₹7 crore per year for a programme that costs ₹3 crore to implement." This is the ROI calculation the board can approve.

Model 3: NIST SP 800-30 / ALE (Deterministic)

The classic Single Loss Expectancy × Annual Rate of Occurrence formula, structured across 12 threat categories aligned to RBI and IRDAI threat taxonomies. This produces deterministic ALE figures suitable for audit submissions — the RBI Master Direction for IT examinations and IRDAI's IS audit process both expect structured risk quantification. The RiskSage implementation uses 100 pre-built use cases across 10 categories, covering every major Indian BFSI threat scenario from credential stuffing to supply chain compromise.

Model 4: Probabilistic VaR (Monte Carlo + Bayesian)

Cybersecurity Value at Risk expressed at 95th and 99th percentiles, using Bayesian updating from the organisation's own incident history to calibrate the loss distribution. This model directly answers the cyber insurance question: "At 99th percentile confidence, what is the maximum single-incident loss for which we need insurance coverage?" For a mid-size bank with active VAPT findings, the answer might be ₹89 crore — suggesting that a ₹15 crore cyber insurance policy significantly under-covers the actual tail risk.

The Six FAIR Loss Forms — In Indian Regulatory Context

RiskSage structures every CRQ analysis across six FAIR loss forms, each anchored to Indian regulatory obligations. This ensures that the financial quantification is not academic — it maps directly to the penalties, costs, and obligations that the board is responsible for managing.

FAIR Loss Forms · Indian Regulatory Anchors

PL denotes primary loss (borne directly by the organisation); SL denotes secondary loss (arising from the reactions of regulators, customers and the market).

PL-1 Productivity Loss (system downtime, staff diversion): RBI BCP/DR mandate, SEBI CSCRF resilience
PL-2 Response Cost (IR, forensics, notification): CERT-In IR mandate, IRDAI forensics (CERT-In empanelled)
PL-3 Replacement Cost (system rebuild, data recovery): RBI IT resilience, IRDAI ICT infrastructure
SL-1 Fines & Judgements (regulatory penalties): DPDP ₹250 Cr ceiling, RBI penalties, IRDAI enforcement
SL-2 Competitive Advantage Loss (customer churn, market share): DPDP data portability, RBI banking licence conditions
SL-3 Reputation Damage (brand value erosion, stock impact): DPDP breach disclosure (SEBI listing obligations)
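The following added example (Python standard library only; not RiskSage code) ties together Model 4 and the loss-form table: it updates the loss event frequency from the organisation's own incident history with a Gamma-Poisson conjugate prior, builds each incident's loss as the sum of the six loss forms with SL-1 capped at the ₹250 Cr DPDP ceiling, and reports annual-loss VaR at P95/P99 plus the single-incident P99 that the insurance question asks for. The per-loss-form distributions, the prior parameters and the incident counts are all constructed assumptions.

```python
import math
import random

# DPDP penalty ceiling from the table above; it caps the SL-1 loss form.
DPDP_PENALTY_CEILING_CR = 250.0

# Constructed single-incident loss assumptions per FAIR loss form, ₹ crore,
# as lognormal (median, sigma) pairs. Illustrative, not RiskSage calibration.
LOSS_FORMS = {
    "PL-1 Productivity Loss":     (6.0, 0.6),
    "PL-2 Response Cost":         (4.0, 0.5),
    "PL-3 Replacement Cost":      (3.0, 0.7),
    "SL-1 Fines & Judgements":    (20.0, 1.2),   # heavy tail, capped below
    "SL-2 Competitive Adv. Loss": (8.0, 0.9),
    "SL-3 Reputation Damage":     (10.0, 1.0),
}


def posterior_event_rate(prior_alpha, prior_beta, yearly_incident_counts):
    """Gamma-Poisson conjugate update of loss events per year.

    A Gamma(alpha, rate beta) prior encodes sector threat intelligence; the
    organisation's own per-year incident counts update it. Returns the
    posterior (alpha, beta); the posterior mean rate is alpha / beta."""
    return (prior_alpha + sum(yearly_incident_counts),
            prior_beta + len(yearly_incident_counts))


def single_incident_loss(rng):
    """One incident: sum of the six loss-form draws, SL-1 capped at the ceiling."""
    total = 0.0
    for form, (median, sigma) in LOSS_FORMS.items():
        draw = rng.lognormvariate(math.log(median), sigma)
        if form.startswith("SL-1"):
            draw = min(draw, DPDP_PENALTY_CEILING_CR)
        total += draw
    return total


def poisson(rng, lam):
    """Knuth's algorithm; adequate for the small per-year rates used here."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p < limit:
            return k
        k += 1


def percentile(sorted_values, p):
    """Nearest-rank percentile of a sorted list (p in 0..100)."""
    idx = max(0, math.ceil(p / 100 * len(sorted_values)) - 1)
    return sorted_values[idx]


def simulate_var(alpha, beta, runs=10_000, seed=7):
    """Monte Carlo cyber VaR: draw the event rate from the posterior, the
    number of incidents in the year from Poisson, and each incident's loss
    from the loss forms. Returns annual-loss and single-incident percentiles."""
    rng = random.Random(seed)
    annual, incidents = [], []
    for _ in range(runs):
        rate = rng.gammavariate(alpha, 1.0 / beta)   # Gamma(alpha, scale=1/beta)
        losses = [single_incident_loss(rng) for _ in range(poisson(rng, rate))]
        incidents.extend(losses)
        annual.append(sum(losses))
    annual.sort()
    incidents.sort()
    return {
        "mean_ale": sum(annual) / runs,
        "annual_P95": percentile(annual, 95),
        "annual_P99": percentile(annual, 99),
        "incident_P99": percentile(incidents, 99),
    }


def coverage_gap(var_cr, policy_limit_cr):
    """How far a cyber insurance limit falls short of the chosen VaR figure."""
    return max(0.0, var_cr - policy_limit_cr)


if __name__ == "__main__":
    # Constructed history: sector prior Gamma(2, 5), then four years of own counts.
    alpha, beta = posterior_event_rate(2.0, 5.0, [0, 1, 0, 2])
    result = simulate_var(alpha, beta)
    for key, value in result.items():
        print(f"{key}: ₹{value:.1f} Cr")
    print("Gap against a ₹15 Cr policy:", round(coverage_gap(result["incident_P99"], 15.0), 1))
```

Two design points matter for a reviewer. Capping SL-1 at the statutory ceiling keeps the simulation from inventing fines the law cannot impose, and it is why the tail is dominated by reputation and competitive loss rather than by penalties alone. And because the incident count is drawn from a posterior rather than a fixed rate, the VaR figures widen automatically for an organisation whose own history is short or volatile, which is the calibration effect Model 4 describes.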

Four Real-World Use Cases: What Financial Quantification Looks Like

The RiskSage CRQ Engine includes 100 pre-built use cases across 10 categories, all calibrated to Indian BFSI threat profiles, regulatory penalties, and typical incident cost structures. Here are four illustrative examples:

Category D · Incident Response
Ransomware — Core Banking System Encryption
ALE (P50): ₹18.4 Cr/yr
ALE (P95): ₹47 Cr/yr
Primary loss forms: PL-1 + PL-2

Category A · Identity & Access
Privileged Account Compromise — Admin Credential Theft
ALE (P50): ₹9.2 Cr/yr
MFA ROI: 4.2× (₹3 Cr spend for a ₹12 Cr ALE reduction)
Primary loss forms: SL-1 + SL-3

Category B · DPDP Compliance
Personal Data Breach — Policyholder Records Exposure
DPDP penalty (max): ₹250 Cr
ALE (P50, with controls): ₹28 Cr/yr
Primary loss forms: SL-1 + SL-2 + SL-3

Category C · VAPT Management
Critical Vulnerability Exploitation — Internet-Facing API
Risk reduction (7-day patch): ₹14 Cr/yr ALE reduction
IRDAI compliance link: IRDAI.AUDIT.1
Primary loss forms: PL-2 + SL-1

How RiskSage Populates CRQ Inputs from the Risk Graph

The most common failure in cyber risk quantification is not the model — it is the inputs. Organisations that attempt FAIR analysis using manual questionnaires or consultant estimates end up with models that are disconnected from operational reality and quickly become stale.

RiskSage populates CRQ inputs automatically from the live risk graph. Threat Event Frequency is estimated from the organisation's own VAPT findings, MonitorAlerts, and CyberIncident history — adjusted against sector threat intelligence. Vulnerability Level is derived from the current control implementation percentage and evidence freshness for the relevant control set. Loss Magnitude is structured using the six FAIR loss forms, with Indian regulatory penalty ceilings (DPDP ₹250 crore, RBI enforcement history) anchoring the SL-1 estimates.

Platform Integration

The RiskSage CRQ Engine feeds the Board Cybersecurity Dashboard directly. Widget N10.3 shows the top 5 risks in ₹ crore. Widget N10.7 shows the security investment portfolio with ALE reduction ROI. The Board PDF export appends a CRQ Investment Summary page, providing the signed evidence record that SEBI CSCRF's investment justification requirement demands.

The Board Question CRQ Enables

When the CRQ Engine is running and connected to the board dashboard, the board can ask a question that was previously unanswerable: "Are we spending the right amount on cybersecurity?"

Consider a board that has approved a ₹22 crore annual cybersecurity budget. The CRQ Engine shows that the top 5 risk scenarios have a combined P50 ALE of ₹87 crore and a P95 ALE of ₹214 crore. The current security programme reduces this ALE to approximately ₹34 crore (P50). The board can see: for ₹22 crore of annual spend, the organisation is avoiding an estimated ₹53 crore of expected annual loss. That is a demonstrable return.

The board can also see where additional investment would generate the highest marginal risk reduction — and prioritise budget allocation accordingly. This is not abstract. This is the governance function that SEBI CSCRF and RBI expect boards to exercise.
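The budget question in the last two paragraphs, and the ROI arithmetic behind Model 2 and Model 3, can be reproduced with a small deterministic register. The added example below (plain Python, not RiskSage code) computes SLE × ARO per scenario, applies a portfolio of controls whose reductions combine multiplicatively when they overlap on one scenario, and allocates a budget greedily by marginal ALE reduction per ₹ crore, re-ranking after each choice. The scenarios, control costs and reduction fractions are constructed assumptions, not figures from RiskSage's use-case library.

```python
# Constructed threat register and control portfolio (₹ crore). Not RiskSage's
# 100 use cases; the figures are illustrative and chosen to be easy to check.
SCENARIOS = {
    "Ransomware (core banking)":     {"sle": 46.0, "aro": 0.4},
    "Privileged account compromise": {"sle": 23.0, "aro": 0.4},
    "Personal data breach":          {"sle": 56.0, "aro": 0.5},
    "Internet-facing API exploit":   {"sle": 30.0, "aro": 0.8},
}
# "reduces" = fraction of a scenario's ALE the control removes (hypothetical).
CONTROLS = {
    "MFA on privileged access":       {"cost": 3.0, "reduces": {"Privileged account compromise": 0.75,
                                                                  "Ransomware (core banking)": 0.20}},
    "7-day critical patch SLA":       {"cost": 2.0, "reduces": {"Internet-facing API exploit": 0.60}},
    "Immutable backups":              {"cost": 4.0, "reduces": {"Ransomware (core banking)": 0.50}},
    "Data minimisation + encryption": {"cost": 6.0, "reduces": {"Personal data breach": 0.40}},
}


def ale(sle, aro):
    """NIST SP 800-30 deterministic form: ALE = SLE x ARO."""
    return sle * aro


def baseline_ale():
    """Total expected annual loss with no controls applied."""
    return sum(ale(s["sle"], s["aro"]) for s in SCENARIOS.values())


def residual_ale(selected):
    """ALE after the selected controls. Overlapping controls on one scenario
    combine multiplicatively: residual = ALE x prod(1 - reduction)."""
    total = 0.0
    for name, s in SCENARIOS.items():
        factor = 1.0
        for control in selected:
            factor *= 1.0 - CONTROLS[control]["reduces"].get(name, 0.0)
        total += ale(s["sle"], s["aro"]) * factor
    return total


def control_roi(control, already_selected=()):
    """Marginal avoided ALE per ₹ crore of cost, given controls already in place."""
    before = residual_ale(list(already_selected))
    after = residual_ale(list(already_selected) + [control])
    return (before - after) / CONTROLS[control]["cost"]


def allocate_budget(budget_cr):
    """Greedy portfolio: repeatedly fund the unfunded control with the best
    marginal ROI that still fits the remaining budget, re-evaluating ROI
    because overlaps change it. Returns (controls in funding order, spend,
    avoided ALE)."""
    selected, spend = [], 0.0
    while True:
        candidates = [c for c in CONTROLS
                      if c not in selected and CONTROLS[c]["cost"] <= budget_cr - spend]
        if not candidates:
            break
        best = max(candidates, key=lambda c: control_roi(c, selected))
        selected.append(best)
        spend += CONTROLS[best]["cost"]
    return selected, spend, baseline_ale() - residual_ale(selected)


if __name__ == "__main__":
    print(f"Baseline ALE: ₹{baseline_ale():.2f} Cr/yr")
    for budget in (5.0, 22.0):
        chosen, spend, avoided = allocate_budget(budget)
        print(f"Budget ₹{budget:.0f} Cr -> spend ₹{spend:.0f} Cr, "
              f"avoided ₹{avoided:.2f} Cr/yr, order: {chosen}")
```

The re-ranking step is the point: once MFA is funded, immutable backups only act on the ransomware ALE that MFA has already shrunk, so their marginal ROI drops and a control on an untouched scenario moves ahead of them. A static ROI table computed once against the baseline would rank them the other way and overstate the benefit of the second control.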

Run Your First CRQ Analysis

See what RiskSage's CRQ Engine produces for your organisation's top risk scenarios — in ₹ crore, connected to your live risk graph.

Request a Demo