Who typically performs probable maximum loss calculations?

Probable maximum loss (PML) calculations are conducted to estimate the potential loss in value from a catastrophic event, which is crucial for risk management within an organization. Generally, cybersecurity analysts within a company possess the appropriate expertise and insight into the organization's systems, data security, and overall risk profile. They can analyze various factors, including the vulnerabilities present within their infrastructure, potential threat scenarios, and the impact that different cyber incidents could have on the business.

Cybersecurity analysts are trained to evaluate the technical aspects of the system as well as the business context, allowing them to provide a more nuanced and accurate assessment of probable maximum losses. Their role enables them to tailor the PML calculations specifically to the company's operations, assets, and risk environment.

While external software vendors may provide tools or models to assist in these calculations, they typically lack the deep understanding of the company's unique circumstances that in-house analysts have. Human resources representatives are generally not involved in risk assessments, as their focus is primarily on employee management and organizational structure. Similarly, government cybersecurity auditors are responsible for ensuring compliance with regulations and standards, rather than conducting specific PML calculations for individual companies. Their primary function is to audit and assess compliance rather than to focus solely on a company’s potential financial losses from