Knowledge base Updated: February 5, 2026

How much does downtime really cost after a cyberattack? A ready-made template for calculating your company's losses

When you think of the cost of a cyberattack, what comes to mind? Probably the amount of ransom demanded by the hackers. This is a mistake. In fact, ransomware is often just the tip of the iceberg. The real, crippling costs lie elsewhere - in every minute that your production line stands in dead sile

In the boardroom of any manufacturing company there is a cult of numbers. Investment decisions, strategic plans and performance evaluations - everything is based on hard financial data. But in discussions about cyber security, this mathematical precision often disappears, replaced by vague notions of “risks” and “potential threats.” This makes security investments difficult to justify, and they often lose out to more “tangible” needs.

Meanwhile, the consequences of a successful cyber attack, especially in an operational technology (OT) environment, are entirely measurable. Every hour that your factory is out of production comes with a concrete, painful price. Understanding that price, and being able to calculate it, is one of the most important competencies of a modern manager. It is this calculation that changes the whole conversation about security - from an abstract discussion about hackers to a hard business conversation about money.

The purpose of this article is to provide you with a practical guide and mental model for making a realistic calculation of total cost of downtime. We will show you what components to consider, where to look for the necessary data and how to present the results in a way that will appeal to the imagination of any CFO. It’s an eye-opening exercise that could forever change the way your company views cyber-resilience investments.


Why is the cost of ransomware just the tip of the iceberg in losses after a cyberattack?

When a ransomware attack paralyzes a factory, the media and management often focus on one number: the amount of the ransom. This is understandable - it is a striking, easy-to-picture figure. But in reality, even if a company decides to pay (which is a high-risk strategy), the ransom is only a fraction of the total losses it will suffer.

The real “iceberg” of costs lies beneath the surface. The largest and most painful item is the loss resulting from business interruption: the lost revenue from products that could not be produced during that time. Then there are the operating costs that the company incurs despite the lack of production - employee salaries, lease payments for idle machinery, utility bills.

The next layer is restoration costs - salaries for external incident response experts, overtime for the internal IT/OT team, and sometimes the cost of buying new equipment if the old one has been irreparably damaged. At the very end are long-term costs, such as contractual penalties for late deliveries, loss of customers or increased insurance premiums. Only by adding all these up does the real scale of the financial catastrophe show.

📚 Read the complete guide: Ransomware - what it is, how to protect yourself, what to do after an attack

What are the direct and hidden components of the cost of one hour of production downtime?

To simplify thinking about losses, it is useful to start by calculating a key indicator: the cost per hour of downtime. It can be divided into two main categories. The first is direct costs, i.e. those that are easiest to count. The first item here is the lost margin - that is, the revenue a company normally generates per hour, minus the variable costs it does not incur during downtime (such as the cost of raw materials).

Labor costs should also be added to direct costs. If production workers can’t work but still get paid, this is a direct loss to the company. Add up the hourly rates of all employees affected by the outage and add them to the calculation.

The second category is hidden or indirect costs, which are more difficult to quantify but equally real. This could be, for example, the cost of spoiled raw materials in a process that was abruptly interrupted, the cost of energy consumed by idling machines, or the estimated cost of accelerated depreciation of equipment as a result of uncontrolled stops and restarts.

How to calculate the total cost of an incident at your factory in 5 steps?

Calculating the total cost of an incident is a process that can be organized into five logical steps. This methodology allows you to collect all the necessary data and avoid overlooking key components.

  1. Calculate the cost of an hour of downtime: Following the tips above, calculate the sum of the lost margin and labor costs for one hour of no production. This will be your base rate.

  2. Estimate the total downtime (in hours): This is the key and most difficult variable. This time includes not only the period from attack to removal of the threat, but also the time it takes to restore systems, recalibrate machines and resume full performance.

  3. Calculate the total cost of the business interruption: Multiply the cost of one hour of downtime (step 1) by the total downtime (step 2). This will give you the main, largest component of the total loss.

  4. Add up all direct costs associated with the response: Add up all the additional expenses the company had to incur, such as the cost of outside experts, employee overtime, the purchase of new equipment or any ransom paid.

  5. Estimate and add long-term costs: Based on your analysis of contracts and customer relationships, estimate potential contractual penalties, lost future contracts and other reputational losses. The sum of steps 3, 4 and 5 will give you the most realistic picture of the total cost of the incident.

What financial and production data do you need to collect for your calculation to be reliable?

In order for your calculation to be more than a guess, you need to base it on hard data that you certainly have in your systems. It will be crucial to involve not only your IT department, but especially your financial controlling and production planning departments.

From the finance department, you will need data on average sales revenue, product margins, fixed and variable costs, and hourly employee rates. From the production department, you’ll need operational data: average production line throughput (pieces per hour), production schedules, data on the relationships between processes.

It’s also a good idea to reach out to sales and legal to get information on key contracts and potential penalties for late deliveries. The more real, internal data you collect, the more precise and reliable your final calculation will be, and the more difficult it will be for management to challenge.

On average, how long does a shutdown last after an attack on a factory in Poland, and what does this time depend on?

Downtime is the most critical variable in the entire calculation. Unfortunately, there is no single, simple answer here. Global reports indicate that the average downtime after a ransomware attack is between 16 and 24 days. This is the period of time needed to fully restore operations.

This time depends on many factors, but the most important is the maturity and preparedness of the organization. A company that does not have an incident response plan in place, and whose backups turn out to be corrupted or also encrypted, could face an outage lasting weeks or even months.

In contrast, an organization that has a rehearsed IRP/DRP plan, isolated and tested backups, and the support of an external team of experts may be able to resume critical production within 24-72 hours. The difference in downtime is therefore gigantic, and the difference in financial losses is astronomical. An investment in preparation is de facto an investment in reducing future downtime.

How do you estimate the risks and costs associated with losing key contracts and customer trust?

This is the most difficult category of loss to quantify, but often the most severe. Loss of reputation and trust is long-term damage. How to estimate it? Several methods can be used.

First, examine contracts with key customers. Many of them contain precise provisions for contractual penalties for each day of delayed delivery. This is a hard, quantifiable loss that should be included in the calculation.

Second, an analysis of the risk of losing customers should be conducted, in cooperation with the sales department. What is the probability that our largest customer, after a two-week supply interruption, decides to move its orders to a more stable competitor? What is the value of this contract on an annual basis? This allows you to estimate potential future losses.

What personnel costs, from overtime to outside specialists, should be included in the calculation?

A cyber security incident generates huge unplanned personnel costs. The internal IT and OT team, instead of attending to their daily duties, works in crisis mode for days and nights. The cost of all overtime paid to these employees should be meticulously counted.

Very often, an in-house team does not have all the competence needed to deal with a complex attack. It becomes necessary to hire external experts in incident response and computer forensics. The cost of such specialists is very high and runs into hundreds of zlotys per hour. In the case of a major incident, the bill for external services can easily reach several hundred thousand zlotys.

Legal costs (legal services related to violations of RODO (GDPR) or NIS2 requirements) and crisis communication costs (support from an external PR agency) should also be included in the calculation.

Loss calculator after a cyber attack: a simplified model

Cost component | How to calculate?
A. Cost of Business Interruption | (Average margin/hour + Labor cost/hour) x Number of hours of downtime
B. Response and Restoration Costs | Cost of external experts + Overtime of internal team + Cost of new hardware/software
C. External Penalties and Losses | Total contractual penalties + Estimated value of lost contracts + Potential fines (e.g., from NIS2)
Total Cost of the Incident | = A + B + C

How can a “Cyber” insurance policy affect the final balance of losses?

A well-constructed cyber insurance policy can be a powerful tool for transferring some of the financial risk. It can cover a significant portion of the costs described above, including the costs of outside experts and even business interruption losses.

However, there are a few key points to keep in mind. First, every policy has a sum insured, which is the upper limit of the insurer’s liability. Second, almost every policy includes a deductible (excess), which is the amount a company must pay out of its own pocket before the insurance kicks in.

Third, and most importantly, the payment of compensation is always subject to the company’s compliance with the security requirements specified in the contract. If the company is found to have grossly neglected basic standards (e.g., no backups), the insurer may refuse to pay the claim. Insurance is not a substitute for viable safeguards.

What are RTO and RPO indicators and how do they affect potential financial losses?

The Recovery Time Objective (RTO) and Recovery Point Objective (RPO) are two key metrics that define the maturity of a backup and disaster recovery strategy.

RTO determines how quickly we are able to restore a given system to operation after a failure. The lower the RTO (e.g., 1 hour), the less total downtime there will be, and therefore less financial loss. Achieving a low RTO, however, requires more expensive, more advanced backup and recovery technologies.

The RPO determines how often we perform backups and, consequently, the maximum amount of data we can lose. If the RPO is 24 hours, it means that in the event of a disaster we will lose the work of the entire last day. If the RPO is 15 minutes, the loss is minimal. Defining and achieving appropriate RTO and RPO values for key systems is fundamental to minimizing potential losses.

How to present the results of the calculation to the board of directors to justify investments in cyber security?

The results of the calculation performed should be presented to the board in the form of a clear and concise report or presentation. Instead of focusing on technical details, speak the language of business.

The presentation should begin by presenting a realistic attack scenario (e.g., ransomware on a SCADA system). Then, present the result of the calculation, i.e. a specific, estimated amount of the total loss the company will suffer in such a scenario.

Finally, present the proposed cyber security investment plan as a solution to the problem. It should be shown that an investment of X amount (e.g., 500 thousand zlotys) reduces or avoids a potential loss of Y amount (e.g., 5 million zlotys). Such an argument is extremely powerful and shows that security is not a cost, but one of the most profitable investments.

How do you show the return on investment (ROI) in security, i.e. how much are you saving in real terms by preventing downtime?

Calculating a classic security ROI is difficult, but a simplified model based on Return on Security Investment (ROSI) can be used. This formula is based on the concept of Annual Loss Expectancy (ALE).

First, we estimate the ALE before investing (e.g., a 10% annual probability of an attack causing a loss of PLN 5 million gives an ALE of PLN 500k). Then, we estimate by how much our investment will reduce this risk (e.g. 80%). We calculate ROSI by comparing the money “saved” (80% of PLN 500k = PLN 400k) with the cost of the investment itself.

Even if these numbers are just estimates, just presenting the problem in such financial terms is extremely valuable. It shows that you are thinking about security in a strategic and businesslike way.
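The five-step procedure, the A + B + C table and the ALE/ROSI arithmetic above, carried through in Python as an added example that is not part of the original article or of any nFlo tool. The hourly rates, downtime figures and B/C items are constructed sample data (the downtimes sit inside the 16-24 day and 24-72 hour ranges the article cites); the 10%, 80%, PLN 5 million and PLN 500k figures are the article's own, and the multi-year horizon in `rosi` is an assumption of this example.

```python
from dataclasses import dataclass

@dataclass
class IncidentInputs:
    """Inputs for the A + B + C model (all amounts in PLN)."""
    margin_per_hour: float        # lost margin per hour of no production
    labor_cost_per_hour: float    # wages still paid to idle staff, per hour
    downtime_hours: float         # attack -> threat removed -> full performance
    response_costs: float         # B: external experts, overtime, new hardware, any ransom
    contractual_penalties: float  # C: penalties for late deliveries
    lost_contracts_value: float   # C: estimated value of customers who leave
    regulatory_fines: float       # C: potential fines, e.g. under NIS2

def cost_per_hour(inp: IncidentInputs) -> float:
    """Step 1: base rate for one hour without production."""
    return inp.margin_per_hour + inp.labor_cost_per_hour

def business_interruption(inp: IncidentInputs) -> float:
    """Step 3 / component A: hourly rate x total downtime (step 2)."""
    return cost_per_hour(inp) * inp.downtime_hours

def external_losses(inp: IncidentInputs) -> float:
    """Step 5 / component C: penalties, lost contracts and fines."""
    return inp.contractual_penalties + inp.lost_contracts_value + inp.regulatory_fines

def total_incident_cost(inp: IncidentInputs) -> float:
    """Total = A + B (step 4, taken as given) + C."""
    return business_interruption(inp) + inp.response_costs + external_losses(inp)

def annual_loss_expectancy(attack_probability: float, single_loss: float) -> float:
    """ALE = annual probability of the scenario x loss if it happens."""
    return attack_probability * single_loss

def rosi(ale_before: float, risk_reduction: float, investment: float,
         years: int = 1) -> tuple[float, float]:
    """Return (money saved, ROSI). Savings = ALE avoided over the horizon;
    ROSI = (savings - investment) / investment. Looking beyond one year is
    an assumption of this example, not part of the article's formula."""
    savings = ale_before * risk_reduction * years
    return savings, (savings - investment) / investment

# Constructed sample data: the same plant, unprepared (no IRP/DRP, 20 days of
# downtime) vs prepared (rehearsed plan, 72 h). Same hourly rates and response
# costs; the prepared plant ships on time, so it incurs no penalties.
UNPREPARED = IncidentInputs(8_000, 2_000, 20 * 24, 150_000, 30_000, 20_000, 0)
PREPARED = IncidentInputs(8_000, 2_000, 72, 150_000, 0, 0, 0)

if __name__ == "__main__":
    for name, inp in (("unprepared", UNPREPARED), ("prepared", PREPARED)):
        print(f"{name}: {cost_per_hour(inp):,.0f} PLN/h x {inp.downtime_hours:.0f} h"
              f" -> total {total_incident_cost(inp):,.0f} PLN")
    ale = annual_loss_expectancy(0.10, total_incident_cost(UNPREPARED))  # article: 10% x 5M
    for years in (1, 3):
        saved, r = rosi(ale, 0.80, 500_000, years)  # article: 80% reduction, 500k spend
        print(f"ALE {ale:,.0f} PLN, saved over {years} y: {saved:,.0f} PLN, ROSI {r:+.0%}")
```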

Are there ready-made templates that will make this calculation easier for you?

Yes. You can find many free and paid templates and outage cost calculators on the Internet. Many insurance and consulting companies provide such tools to help their clients assess their risks.

However, it is worth remembering that any such template is only a starting point and must be carefully tailored to the specifics of your company and industry. The most important thing is not just filling in the blanks on the sheet, but the thought process and discussion within the organization that leads to the collection of real data and understanding of interrelationships.

As part of our consulting services, we often create dedicated, “bespoke” calculation models for our clients that are 100% tailored to their unique operational and financial situation.

Why is accurate risk pricing crucial to board accountability in NIS2?

The NIS2 directive requires management to implement security measures that are “proportionate” to the identified risks. To be able to prove this proportionality, you must first accurately measure this risk - including in financial terms.

Having a documented, data-based calculation of potential losses is the strongest evidence that management made informed and responsible decisions. It shows that the decision to allocate a certain budget to security was not random, but was based on sound analysis and a desire to protect the company from losses of a certain estimated value.

In the event of an incident and subsequent inspection, such documentation is invaluable evidence that protects management from charges of negligence and lack of due diligence, which is crucial in terms of their personal liability.

How does nFlo help you conduct a Business Impact Analysis (BIA) and create a realistic financial risk model?

At nFlo, we understand that translating technical risk into the language of finance is one of the biggest challenges for most organizations. That’s why a key part of our consulting offering is to support you in conducting a Business Impact Analysis (BIA) and building a dedicated risk assessment model. We act as a facilitator and translator between the worlds of technology, operations and finance in your company. We conduct workshops to help your teams work together to identify key processes, estimate potential losses and define key metrics such as RTO and RPO. Our goal is not only to provide you with a ready-made “loss calculator,” but more importantly to help you build internal competence in your organization to think about cyber security in business terms. We equip you with the tools and arguments to have an effective, data-driven conversation with your board of directors about the necessary investments in digital resilience.
