Cyber Risk Quantification: Our Predictions for 2025

As cyber threats grow more sophisticated and their economic impacts become increasingly severe, managing cyber risk has become a strategic priority for businesses. In this context, Cyber Risk Quantification (CRQ) is emerging as an indispensable tool for better understanding, prioritizing and reducing cybersecurity risks.

In 2024, CRQ underwent significant advancements, as highlighted in two reports from Gartner and Forrester. In December, Forrester’s “CRQ Solutions Landscape, Q4” emphasized the growing importance of CRQ in cyber risk management, positioning Citalid as a key market player thanks to its innovative approach and European leadership. Earlier in the year, Citalid was named for the second consecutive year in the Gartner Hype Cycle for Cyber Risk Quantification, confirming its place among the pioneers in this rapidly evolving market.

These analyses underscore both the strategic potential of CRQ and the growing interest it generates among companies seeking to strengthen their defensive maturity.

Our experts closely analyzed CRQ developments and trends throughout 2024, focusing on its practical applications in areas such as cyber insurance, compliance, governance, and communication. Léo Coqueblin, Pouya Canet, and Maxime Cartan reflect on these key issues below.

From Communication to Governance: A New Ambition for CRQ in 2025

In 2024, Cyber Risk Quantification proved itself to be an essential communication tool for organizations, fostering a common language among all stakeholders in cybersecurity strategy. According to Gartner, three of the primary use cases for CRQ involve communication: engaging with risk managers, management, and the board.

This shared language is facilitated by actionable financial indicators. “CRQ simplifies risk assessment for a broad range of stakeholders who may not be experts,” notes Léo Coqueblin, Head of Cyber Risk Strategy at Citalid. CRQ encourages discussions about cyber risk by bringing all company stakeholders—technical and non-technical—together. It helps them understand the economic impact of cyber risks and guides decisions to reduce risk exposure by involving everyone.

As a governance tool, CRQ fosters collaboration and drives specific uses that will be emphasized in 2025, such as ensuring compliance or defining risk appetite.

Generative AI and CRQ: Efficiency and Explainability on the Horizon

Since 2022, generative artificial intelligence (AI) has profoundly transformed society, with tools like ChatGPT leading the charge. This technology has quickly found applications across numerous sectors, redefining complex processes and creating new opportunities. In 2024, the trend reached cybersecurity, with generative AI significantly enhancing cyber risk management solutions. These tools now model attack scenarios, anticipate vulnerabilities, and refine risk analyses with unprecedented speed and precision.

Platforms like Citalid have integrated AI into their computational engines from the outset, particularly for prediction purposes (e.g., Bayesian networks). But this technology is far from done revolutionizing CRQ. Improvements include data collection, human-data interface creation, cyber maturity evaluation, interpretation of insurance policies, and enhanced threat detection and anticipation capabilities.

A particularly promising use of generative AI lies in simplifying output data, a core goal of CRQ. “The emergence of explainable AI promises to bridge the gap between automation and human understanding, making CRQ results more transparent and accessible to decision-makers,” explains Maxime Cartan, co-founder and CEO of Citalid.

In 2025, the convergence of AI and CRQ is expected to bolster the latter’s role as a “common language,” enabling clearer, more contextualized insights for better strategic communication and decision-making. Generative AI is also expected to significantly enhance the efficiency of input data collection, which often comes from diverse sources and formats.

Cyber Risk Quantification in 2025: From Numbers to Decision-Making

In 2024, CRQ was still considered an evolving discipline, partly due to the complexity of its input modeling (fortunately mitigated by AI) and the difficulty of interpreting its outputs. What should be done with these financial indicators? How can their accuracy, down to the decimal point, be justified?

In 2025, Cyber Risk Quantification must move beyond being a tool for generating numbers to become an enabler of action. Two CRQ solutions might produce different financial impact results due to variations in their computational models. Like weather forecasting, these figures are probabilities to inform decision-making, not exact answers.

The value of CRQ lies in its ability to drive the right actions in specific, objective, and practical use cases. “For progress to happen, we must accept that the numbers are not the final answer,” advises Léo Coqueblin.

CRQ’s Expansion Across the Insurance Value Chain

Cyber risk quantification is becoming a cornerstone for all players in the insurance value chain. While gaining traction among insured entities, it is also spreading to brokers and insurers. In 2025, reinsurers are expected to take a closer interest due to their unique challenges with cyber risk accumulation. These risks require robust, tailored solutions for effective management and portfolio diversification.

“The emphasis on quantification was highlighted in 2024 by professional organizations like AMRAE,” notes Pouya Canet. This approach has resonated with brokers and insurers, offering clearer risk indicators and establishing a common language among stakeholders. In 2025, CRQ could become essential for strengthening trust between insurers and insured entities, allowing for better-designed policies aligned with organizational needs.

Beyond underwriting, insurers and reinsurers are also leveraging CRQ to manage and diversify the cyber risks in their portfolios. CRQ’s role in enabling informed decision-making helps distribute covered risks more effectively and optimize management strategies.

Although CRQ is still in its infancy in the insurance sector, its potential is immense. In 2025, we can expect the emergence of new use cases as adoption grows, shaping the future of cyber insurance and reinsurance.

CRQ 2025: Coming of Age?

In conclusion, Cyber Risk Quantification (CRQ) is cementing its status as a strategic lever for involving more stakeholders in cybersecurity. In 2025, its role will go beyond risk evaluation, becoming a key communication tool that fosters a shared understanding of cyber challenges across all organizational levels. By establishing a common language, CRQ empowers everyone—from executives to operational teams—to take targeted and concrete actions.

Generative AI will play a decisive role in this transformation. By streamlining input and output data handling, AI will make risk analyses simpler to define and results easier to interpret. A forthcoming announcement from Citalid is expected to mark a significant milestone, highlighting the technology’s role in democratizing CRQ.

However, for CRQ to reach its full potential in 2025, it must evolve from an intimidating, number-heavy tool into a driver of decision-making and action. CRQ must provide concrete insights to guide investments, adjust priorities, and strengthen resilience against cyber threats.

Finally, the expansion of CRQ across the entire risk value chain—from insured entities to reinsurers—is excellent news for companies’ economic resilience. By fostering collaboration among stakeholders, CRQ enhances effective risk management and anticipates threats more efficiently.

2025 promises to be a pivotal year for CRQ. By becoming a standard practice, it could sustainably transform business and insurance ecosystem practices, placing cybersecurity at the heart of corporate strategy.
