First rule of risk: never underestimate risk. Even when you follow this rule, and even when your estimates seem ‘proper’.
Where, of course, the propriety of your estimates is in grave doubt, on either side. On the complacent side: “This has never happened to us, so … / Come on, get real, what are the odds!? [we’re not a target because we’re of no interest to anyone] / Ho hum, there’s the boy who cried wolf again.”
Or on the FUD side: “I’ve been reading this thing about CYBER! Arrrgh! in the Inquirer, so why isn’t all staff hiding under their desks, and why haven’t we had the Marines take over and destroy the office to defend it ..?”
[Side note: you did have ‘consultants’ over (office culture and motivation destroyed; seems like a preventative measure?), but be aware that’s the opposite of Oorah.]
Because when every nanosecond brings the possibility of an ‘event’, a 99% chance of it not happening in any one draw does not mean it will virtually certainly never happen. Over that many draws (how is the repeated sampling with (! … is it?) replacement working out in your frequency estimations..!?), the 1% becomes a certainty: it will strike, and strike repeatedly. And a strike endures much, much, much longer than its inception. The ‘event’ isn’t measured in nanoseconds but in days, weeks, months and sometimes even years (think the near-certain reputational damage). So your estimates are too low, all too low.
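To put numbers on the two halves of that argument (added here as an illustration; it is not part of the original post), the snippet below treats each moment as an independent draw with a fixed per-draw probability p of a strike (the “with replacement” assumption) and asks how fast the 1% turns into near-certainty. The fraction-of-time function adds one further assumption of my own: a simple renewal cycle in which, after an event ends, the next one arrives after 1/p draws on average and then lasts d draws, so the organisation spends d / (1/p + d) of its time inside an event. The durations used are constructed, not taken from any incident data.

```python
import math


def p_at_least_one(p_per_draw: float, draws: int) -> float:
    """P(the event strikes at least once in `draws` independent draws).

    Complement of 'it misses every single draw': 1 - (1 - p)^draws.
    """
    return 1.0 - (1.0 - p_per_draw) ** draws


def draws_until_confidence(p_per_draw: float, confidence: float) -> int:
    """Smallest number of draws after which P(at least one strike) >= confidence.

    Solve 1 - (1 - p)^n >= c for n. Both logs are negative, so the ratio is positive.
    """
    return math.ceil(math.log(1.0 - confidence) / math.log(1.0 - p_per_draw))


def expected_draws_to_first_strike(p_per_draw: float) -> float:
    """Mean waiting time (in draws) until the first strike: geometric distribution, 1/p."""
    return 1.0 / p_per_draw


def fraction_of_time_in_event(p_per_draw: float, event_duration_draws: float) -> float:
    """Long-run fraction of time spent inside an event.

    Assumption (mine, not the post's): a renewal cycle of 1/p draws waiting for the
    next strike plus event_duration_draws draws of the event itself, so the share of
    time spent in the event state is d / (1/p + d).
    """
    return event_duration_draws / (1.0 / p_per_draw + event_duration_draws)


if __name__ == "__main__":
    p = 0.01  # the '99% chance of it not happening' per draw
    for n in (1, 10, 100, 1000):
        print(f"P(at least one strike in {n:>4} draws) = {p_at_least_one(p, n):.4f}")
    print("draws until 50% sure it has struck:", draws_until_confidence(p, 0.50))
    print("draws until 99% sure it has struck:", draws_until_confidence(p, 0.99))
    print("expected draws to first strike:    ", expected_draws_to_first_strike(p))
    # Constructed durations: a strike that is over in one draw vs. ones that drag on.
    for d in (1, 30, 365):
        print(f"event lasting {d:>3} draws -> fraction of time in event state = "
              f"{fraction_of_time_in_event(p, d):.3f}")
```

With p = 0.01, the odds are even after 69 draws and 99% after 459, which is the post's point in miniature: the per-draw figure is reassuring only if you get to draw once. The duration term is what makes it bite; a strike that lingers for 30 draws puts the organisation in an event state roughly 23% of the time, even though each individual draw is still a 99% “nothing happens”.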
But since the detractors will always downplay your estimates, driven by their other-directed agendas, do follow the First Rule of Risk …
[Your in-house security gurus are quite like that too, yes: absolute rookies at the BlahBlah Seat At The Board Table (probably available only when the Board is out), or at whatever level they’ve been relegated to.]