Quantar UK

Cyber Threat Valuation Service

Quantar Cyber Threat Valuation GDPR Solutions

Our cyber threat valuations are carried out in conjunction with your organization’s data and personnel input, coupled with the proprietary network threat data posed to your assets. It is combined with additional external data in order, not just to provide today’s threat value, but also in order to extrapolate into future periods.

This is necessary because cyber threats change on such a frequent basis that historic data becomes less relevant over any given period of time. By working with your organization to configure our technology, we are able to provide you with the tools necessary to determine the financial risk posed, in order that your risk management options are clear.

Why Value Cyber Threats for a GDPR Compliance Program?

There are a number of logical and operational reasons why your organization might want to undertake a cyber threat valuation service, including:

  • As part of your overall enterprise risk, business continuity and resilience programs;
  • Your organization wishes to insure part of the risk posed to its operations by cyber threats and needs to know the risk exposure value in order to determine the percentage to be transferred and thus the total coverage amount required from the risk carrier;
  • You have already established that risk transfer is a desirable part of operational risk management and a captive might be a more cost-effective solution and need to have the value in order to create a captive or establish sidecar coverage;
  • Managing operational risk requires your organization to determine the business processes that should be prioritized for security and need to know the cost-benefit options for each mitigation option available to you.

However, by far the main driver for undertaking a cyber threat valuation exercise is in order to meet the criteria mandated within the GDPR as to the 3 main principles relating to personally identifiable data:


Whilst meeting the requirements of these three concepts stipulated within both the Articles and Recitals, your organization will be undertaking the tasks that would be needed to undertake a cyber threat valuation exercise in the first place. The difference is that our technology would be implemented, but configured using the data that your organization will be acquiring for GDPR compliance.

GDPR Regulatory Stipulations

The GDPR makes reference to how an organization may provide evidence that is is complying with the law via best practice and certified schemes such as ISO/IEC 27001:2013. The onus is now placed upon the DATA CONTROLLER to ensure that, under the new E.U. law, the enhanced and broadened rights of the data subject are met, with serious penalties for those failing to comply. The responsibilities of the Data Controller are set out as follows:

Art. 24 GDPR Responsibility of the controller

3) Adherence to an approved code of conduct as referred to in Article 40 or an approved certification mechanism as referred to in Article 42 may be used as an element by which to demonstrate compliance with the requirements set out in paragraph 1 of this Article

Further, the regulation under Recital 77 also stipulates that it is necessary for all organizations to undertake a risk assessment to ensure the principles of the GDPR are satisfied. This requirement maps to the undertaking of the same steps and processes as would be needed for a cyber threat valuation exercise, regardless of the additional data provided in so doing, that can then be used for internal uses and not simply for compliance.

Recital 77

(77) Guidance on the implementation of appropriate measures and on the demonstration of compliance by the controller or the processor, especially as regards the identification of the risk related to the processing, their assessment in terms of origin, nature, likelihood and severity, and the identification of best practices to mitigate the risk

The regulation also makes clear that there is an overriding legitimate interest in respect of the Data Controller in processing personally identifiable information, BUT subject to an organization’s network to withstand compromise:

Recital 49 

The processing of personal data to the extent strictly necessary and proportionate for the purposes of ensuring network and information security, i.e. the ability of a network or an information system to resist, at a given level of confidence, accidental events or unlawful or malicious actions that compromise the availability, authenticity, integrity and confidentiality of stored or transmitted personal data, and the security of the related services offered by, or accessible via, those networks and systems

These are but a few examples of how both the Articles and Recitals of the GDPR create obligations and liabilities in complying with the scope and specific stipulations of the forthcoming law. With penalties of up to €10 million or 2% of global annual turnover of the previous financial year, whichever is higher and a second tier of up to €20 million or 4%, whichever is higher, all organizations have an imperative to comply.

The GDPR includes within its Articles a requirement that where risk is above an acceptable level, then it should be transferred in some form. By using our patented technology, knowing the value of risk to your organization arising from cyber threats and non-electronic threats that may affect your I.T. systems and processes, risk mitigation can be planned and informed, with audit traceability for GDPR compliance.

Further information on Quantar’s CyCalc Valuation Suite can be found here     


CyCalc Suite is composed of 3 modules;

Network Operational Risk Manager (n-ORM);

Predictive Analytics Engine (PAE),

and Internet Protocol Threat Assessment System (IPTAP).

Local deployment and operation gives your organization the ability to control your risk for GDPR compliance