Customer Story

Fresenius, a Major Player in Healthcare, Uses CRQ to Unify and Elevate its Cyber Strategy

Fresenius, a global healthcare leader with 175,000 employees and €22.3 billion in revenue, has made proactive cyber risk management a cornerstone of its resilience strategy.

Employees

175,000+

Industry

Health

Product

Citalid Core

David Steng, Director, Cyber Strategy & Performance

Sapere aude - Osez savoir - Dare to know

Benefits

  • Scaled from 10–15 manual FAIR scenarios to hundreds of automated, objective simulations.
  • Unified cyber risk view and comparable data across all four independent divisions.
  • Financial language enabling cyber risk to be integrated into budget decisions and strategic planning.
  • Proactive approach: each division can now anticipate, assess, and prioritize cyber initiatives autonomously.
  • Compatibility with CIS, NIST, and ISO frameworks for seamless adoption.

  • Health
  • 175,000+ employees
  • €22.3B revenue
  • Operating in over 80 countries

Fresenius & Cyber Risk Quantification: aligning decisions with risk appetite

As early as 2020, David Steng, Director of Cyber Strategy & Performance at Fresenius, became interested in the FAIR methodology (Factor Analysis of Information Risk) — a quantitative analysis model to better quantify cyber risk from a financial perspective. Based on this methodology, Fresenius implemented semi-annual cyber risk reports for each of the group’s divisions.

However, this initial approach quickly reached its limits: manually, the team could develop only 10 to 15 risk scenarios — far from sufficient for a group of Fresenius’ size — and the method could not scale due to its inherent subjectivity. Each division was responsible for its own quantification, leaving room for varying interpretations and results that were difficult to compare across the group.

Fresenius then chose to work with Citalid, a European SaaS solution capable of objectively and scalably quantifying cyber risk financially — establishing a unified Group CISO function and a common framework for cyber risk management, with one clear objective: make risk understandable to all and improve decision-making at the highest level.

Using financial indicators and threat intelligence for informed, proactive risk management

Citalid stands out for its ability to link risk quantification with Cyber Threat Intelligence (CTI) data, an approach that greatly appealed to Fresenius. Rather than relying on vague labels like “severe risk” or “critical risk,” the platform assigns financial figures to risks. Citalid’s algorithm runs thousands of simulations to evaluate the company’s defense capabilities against attackers, enabling an accurate assessment of the defense level relative to the actual threat landscape.

Thanks to actionable dashboards and indicators, the Citalid platform now helps Fresenius identify threats specific to its sector, assess their potential financial impact, and measure the maturity of its defensive posture across all four divisions — with objective, comparable data. The platform’s flexibility with multiple security frameworks (CIS, NIST, ISO) further eases adoption across teams.

The cyber risk quantification approach adopted by Fresenius has not only improved risk understanding within the organization, but also established a common language between cybersecurity experts and financial decision-makers — enabling executives to define their risk appetite and incorporate cyber risk into budget decisions and strategic planning.


Citalid helps us understand which attackers are interested in our sector thanks to up-to-date cyber threat intelligence data.

With Citalid, maturity level analysis is fairly easy to conduct. We used the CIS framework, but others are available like NIST or ISO. This flexibility eases the solution's adoption within the company.

Quantification allows executives to define their risk appetite. We realized that by applying Citalid's approach, we spent less time trying to understand our risks and more time managing them.


The Citalid solution

  • Threat Exposure Mapping
    • FAIR-based financial risk quantification
    • Sector-specific attacker group profiling
    • Attack frequency simulations
    • Financial dashboards and ready-to-use reports
  • Threat Contextualization
    • Cyber Threat Intelligence (CTI) natively integrated into risk calculations
    • Thousands of attack/defense simulations (Red Team)
    • Strategic CTI expertise and attacker TTP knowledge
  • Security Posture Optimization
    • Cost-benefit analysis of security controls
    • ROSI (Return on Security Investment) calculation
    • Tailored security recommendations
    • CIS, NIST, and ISO framework support
