Question 1

What is cyber risk quantification?

Accepted Answer

Cyber risk quantification (CRQ) is the process of translating an organisation's cyber security posture into financial terms. Rather than producing maturity scores or traffic-light ratings, CRQ produces financial loss distributions: expected annual loss, tail risk estimates, and scenario-level impact figures that boards, CFOs, and risk committees can act on. It applies the same probabilistic methodology used in insurance and credit risk to the cyber domain.

Question 2

How is Üsta different from a framework assessment like ISO 27001 or NIST?

Accepted Answer

Framework assessments tell you how mature your controls are relative to a standard. Üsta tells you what your residual risk costs in financial terms. They answer different questions. A NIST score tells you where your controls sit on a maturity scale; an Üsta engagement tells you your expected annual loss, your tail risk at a given confidence level, and which controls would reduce that loss the most per rand spent. The two are complementary, but only one produces the numbers your board and CFO can use to make decisions.

Question 3

How long does an engagement take?

Accepted Answer

A full engagement runs four to eight weeks from scoping call to final outputs, depending on the scope agreed. The structured assessment phase typically takes one to two weeks, model calibration two to three weeks, and outputs are delivered at the end of the engagement. We start with a 30-minute scoping call to assess fit and agree the timeline before any work begins.

Question 4

What outputs does Üsta produce?

Accepted Answer

Depending on the scope agreed, outputs include: expected annual loss (probability-weighted financial baseline), tail risk distribution (VaR and TVaR at your chosen confidence levels), scenario analysis (data breach, ransomware, third-party failure — each modelled separately in financial terms), control ROI analysis (the financial return on each security investment), and a board-ready summary structured for risk committee and regulatory reporting.

Question 5

Do I need a security platform or existing tooling to work with Üsta?

Accepted Answer

No. Üsta's structured assessment is designed to produce rigorous actuarial outputs from the information your organisation already holds. We do not require hundreds of security tool integrations or a mature telemetry stack. This is one of the key differences between Üsta's approach and US-built platforms that assume a large enterprise tooling environment. We start from where your organisation actually is.

Question 6

Is Üsta available outside South Africa?

Accepted Answer

Üsta's methodology is applicable across Africa and to any organisation with cyber risk exposure in financial services, fintech, or adjacent sectors. Our model is calibrated for the African threat environment and regulatory context, including POPIA and FSCA oversight. We are currently focused on the South African market and broader sub-Saharan Africa, with pan-African engagements handled on a case-by-case basis.

Question 7

How is Üsta different from hiring a Big Four consulting firm?

Accepted Answer

Big Four cyber risk engagements are typically qualitative, expensive, and produce point-in-time outputs: a report, a maturity score, a set of recommendations. Üsta produces actuarially derived financial loss distributions, not qualitative assessments. Our outputs are structured to be defensible to regulators, insurers, and board risk committees in financial terms. We are also significantly more cost-accessible than a Big Four engagement of equivalent scope.

From scoping call to financial outputs.

Four steps. Four to eight weeks. One financial risk position.

Scoping call

Structured assessment

Model calibration

Financial outputs

Actuarial science, applied to cyber risk.

Actuarial, not qualitative

Scenario-based

Africa-calibrated

Transparent and defensible

No complex tooling stack required.

Frequently asked questions.

See if it's the right fit.