Measuring Cyber Risk in the Italian Corporate Sector

A Banca d’Italia indicator of cybersecurity vulnerability designed to support creditworthiness evaluation

The growing reliance of firms on digital systems has elevated cyber risk from a technical concern to a material source of economic and financial vulnerability. Cyber incidents can disrupt operations, compromise sensitive data, propagate through supplier networks, and generate persistent legal and reputational costs, with direct implications for firms’ cash flows and creditworthiness. Despite these effects, cyber risk remains largely absent from standard credit risk assessment frameworks, particularly for non-financial firms. This article reviews and discusses a recent contribution by Banca d’Italia that addresses this gap through the construction of a firm-level indicator of cyber risk vulnerability for Italian non-financial firms. The proposed indicator combines a novel, Italy-specific cyber risk taxonomy with large language models and natural language processing techniques applied to heterogeneous textual sources, including financial statements, press coverage, and cybersecurity industry reports, thereby transforming dispersed qualitative evidence into a structured measure of firm-level cyber vulnerability. Using data covering the period 2019–2024, the analysis documents a sharp increase in cyberattacks affecting Italian firms, persistent high levels of cyber risk vulnerability across sectors, and significant heterogeneity in firms’ exposure and adaptation. The evidence shows that cyber incidents have an immediate and dominant effect on measured vulnerability, while the mitigating impact of defensive measures, regulatory compliance, and organizational adaptations tends to emerge only gradually. Beyond reviewing the empirical findings, the article situates the proposed indicator within the broader architecture of credit risk evaluation, particularly the Banca d’Italia In-house Credit Assessment System (ICAS), while clarifying that the operational incorporation of cyber-risk-adjusted probabilities of default into ICAS is not publicly documented. 
The article also introduces a structured taxonomy of cyber risk based on the causal chain linking assets, vulnerabilities, threats, events, incidents, impacts, controls, assurance signals, and business consequences. This taxonomy clarifies how heterogeneous cybersecurity signals—such as attacks, certifications, governance practices, defensive technologies, regulatory compliance, and affiliations with cybersecurity organizations—can be interpreted consistently within a unified analytical framework. The updated version adds a time-bound appendix on official and institutional follow-ups available at the time of the article update. It examines Banca d’Italia MISP No. 79 on ICAS expert assessment as the institutional channel through which additional and forward-looking risk information can enter credit assessment; Banca d’Italia MISP No. 77 on hydrogeological-risk-adjusted probability of default as a methodological analogue for translating non-financial hazards into adjusted credit-risk metrics; Cyber Index PMI 2025 as complementary survey-based evidence on Italian SME cyber-readiness, supply-chain exposure, incident response, disaster recovery, advanced controls, and third-party governance; and Banca d’Italia’s Financial Stability Report No. 1/2026 as evidence that operational resilience, ICT third-party concentration, technology-supply-chain risk, the F5 incident, artificial intelligence, and post-quantum cryptography are increasingly treated as financial-stability concerns. Taken together, the discussion illustrates how systematic measurement of cyber risk can support the integration of non-traditional risk factors into firm-level credit evaluation, while providing a rigorous conceptual framework for understanding cyber risk as a multidimensional component of corporate vulnerability, operational resilience, supplier dependence, business continuity, and potential creditworthiness.
cybersecurity
essay
risk management
🇬🇧
Author: Antonio Montano
Affiliation: 4M4
Published: January 24, 2026
Modified: April 26, 2026

Keywords

cyber risk, cybersecurity, cyber risk measurement, cyber risk taxonomy, cyber incidents, ransomware, data breach, corporate cybersecurity, cyber resilience, operational risk, credit risk assessment, probability of default, ICAS, Eurosystem collateral framework, Banca d’Italia, financial stability, non-financial firms, cyber risk indicator, natural language processing, large language models, text mining, risk analytics, supply chain cyber risk, information security, corporate governance, digital operational resilience


Introduction

The progressive digitalization of production processes, corporate governance, and supply chains has profoundly altered the risk profile of non-financial firms. Information systems have become essential productive assets, tightly interwoven with operational continuity, data integrity, and market access. As a result, cyber risk has evolved from a technical concern confined to information technology departments into a material source of economic and financial vulnerability. Cyber incidents can disrupt business operations, compromise sensitive information, propagate through supplier networks, and generate persistent reputational and legal costs, with direct implications for firms’ cash flows and creditworthiness. Yet, despite its growing relevance, cyber risk remains largely absent from standard credit risk assessment frameworks for non-financial firms.

This gap reflects both conceptual and empirical challenges. Cyber risk is inherently multidimensional, combining exposure to malicious attacks, organizational preparedness, regulatory compliance, and the effectiveness of technological and procedural defenses. Moreover, much of the relevant information is embedded in unstructured textual sources such as financial statements, press coverage, and cybersecurity reports, rather than in standardized quantitative indicators. Traditional risk models, which rely primarily on financial ratios and historical defaults, are ill-suited to capture these features. As a consequence, the contribution of cyber risk to firms’ vulnerability is often underestimated or entirely overlooked.

Columba et al.1 address these challenges by developing a comprehensive indicator of cyber risk vulnerability for Italian non-financial firms, combining a novel, Italy-specific cyber risk taxonomy with large language models applied to financial statements, press coverage, and cybersecurity industry sources. The taxonomy captures six key dimensions of cyber risk: regulatory compliance, professional certifications, technological defenses, organizational processes, realized cyberattacks, and affiliations with national or international cybersecurity organizations. By systematically extracting and classifying information from these sources along the six dimensions, the methodology transforms heterogeneous and unstructured textual data into a structured, firm-level measure of cyber vulnerability.

The empirical analysis covers the period from 2019 to 2024 and documents a sharp increase in both the frequency and diversity of cyberattacks affecting Italian non-financial firms. The results show that cyber risk is widespread and persistent across sectors, with particularly high exposure in manufacturing, professional services, and wholesale and retail trade. The proposed cyber risk index remains elevated over time, suggesting structural weaknesses in firms’ cybersecurity posture. Moreover, the evidence indicates that the negative impact of cyber incidents on firms’ vulnerability in the aftermath of an attack outweighs, in the short term, the mitigating effects of defensive actions, which tend to materialize only gradually. Firms also appear to increase the quantity and granularity of cybersecurity disclosure in their financial statements primarily after experiencing a cyberattack, highlighting the limits of self-reported information as a forward-looking risk signal.

By offering a systematic and replicable approach to measuring cyber risk exposure, this work contributes to the growing literature on the financial implications of cyber threats. More importantly, it lays the groundwork for the integration of cyber risk into credit risk assessment frameworks, such as Banca d’Italia’s In-house Credit Assessment System (ICAS). In doing so, the paper advances the view that cyber risk should be treated as a core component of firms’ overall risk profile, rather than as an external or ancillary consideration, and that modern risk assessment must increasingly rely on advanced analytical tools capable of extracting economic meaning from complex, unstructured data sources.

Empirical findings

The empirical analysis provides a comprehensive picture of the exposure of Italian non-financial firms to cyber risk and of the dynamics linking cyber incidents, disclosure behavior, and measured vulnerability. The findings consistently point to cyber risk as a structural and persistent feature of firms’ risk profiles rather than a transitory or idiosyncratic phenomenon.

Rising frequency and sectoral concentration of cyberattacks

The first salient result concerns the sharp increase in cyberattacks affecting non-financial firms over the period 2019–2024. The number of documented incidents in the sample rises from 14 in 2019 to 232 in 2023, with preliminary evidence for 2024 confirming that cyber risk remains elevated. On average, during the most recent years of the sample, one firm assessed within the In-house Credit Assessment System (ICAS) perimeter experiences a cyberattack approximately every two days. This acceleration mirrors international threat intelligence but is particularly relevant given that the sample is dominated by non-listed firms, which are typically less visible in global datasets.

Cyberattacks are unevenly distributed across sectors. Manufacturing emerges as the most affected sector, both in absolute terms and in growth rates, reflecting the expanded attack surface created by the diffusion of Industry 4.0 technologies and the convergence of IT and operational technology environments. Professional, scientific and technical services and wholesale and retail trade (the sector classification that also covers the repair of motor vehicles) also exhibit high exposure, consistent with their reliance on digital processes, customer data, and extended supply chains. These patterns confirm that cyber risk is shaped by sector-specific operational models rather than by firm size alone.

Typology of attacks and underlying threat structure

The composition of cyberattacks further clarifies the nature of firms’ exposure. Ransomware is the most prevalent and severe threat across the sample, particularly in manufacturing, professional services, and retail sectors, where operational disruptions can be rapidly monetized by attackers. Data breaches are widespread across all sectors, indicating persistent weaknesses in data protection and access control. Phishing and malware attacks are especially prominent in sectors characterized by intensive human interaction with digital systems, highlighting the role of human vulnerability alongside technical flaws. The presence of advanced persistent threats, though limited to specific sectors such as manufacturing and mining, signals that some firms attract highly sophisticated adversaries targeting strategic assets and industrial know-how. Overall, the distribution of attack types aligns closely with EU and international threat assessments, providing external validation of the dataset.

Persistently high cyber risk vulnerability

The construction of the cyber risk index reveals a second critical finding: firms’ vulnerability remains persistently high throughout the observation period. The index is normalized to a 0–100 scale on which higher values denote greater vulnerability. After normalization, the average index value fluctuates narrowly around 82–83 between 2020 and 2023, with no evidence of a meaningful downward trend. This stability at elevated levels suggests that improvements in cybersecurity practices are, at best, keeping pace with the increasing intensity and sophistication of cyber threats rather than reducing overall exposure.

Distributional analysis reinforces this interpretation. Most firms cluster in the upper segment of the risk scale, with median values consistently above 85 and a narrow interquartile range. While the standard deviation of the index increases over time, indicating growing heterogeneity across firms, the lower tail of the distribution (the least vulnerable firms) moves down only marginally. The persistence of high maximum values close to 100 across all years further indicates that a subset of firms remains extremely vulnerable despite regulatory pressure and increasing awareness.

Structural weaknesses and uneven adaptation

The increase in dispersion of the cyber risk index points to diverging trajectories among firms. Some firms appear to strengthen their cybersecurity posture through investments in technologies, processes, and compliance mechanisms, while others lag behind, either due to limited capabilities, insufficient incentives, or organizational constraints. This heterogeneity suggests that cyber risk is not solely a function of external threats but also of internal governance, resource allocation, and strategic priorities. Importantly, the aggregate profile shows limited improvement, indicating that firm-level adaptations are insufficient to offset systemic exposure.

Sample coverage and representativeness

The analysis is based on the population of non-financial firms assessed within Banca d’Italia’s ICAS and therefore does not aim to represent the entire Italian corporate sector. The sample is skewed toward medium and large firms, which account for the majority of observations, while micro and small enterprises are underrepresented. This reflects the ICAS perimeter and the availability of detailed financial statements, rather than a selection bias introduced by the methodology.

Disclosure dynamics and post-incident behavior

A central contribution of the paper lies in the analysis of how firms react to cyber incidents. The evidence shows that firms significantly increase both the volume and the diversity of cybersecurity-related disclosures in their financial statements following a cyberattack. Statistical tests confirm that references to regulations, certifications, technologies, processes, and even past attacks increase markedly in the post-incident reporting period. This behavior suggests that cyber incidents act as catalysts for disclosure and, in some cases, for formalizing cybersecurity practices.

However, this enhanced disclosure does not translate into an immediate reduction in measured vulnerability. On the contrary, the cyber risk index increases significantly after an attack. This result reflects the asymmetric weighting embedded in the scoring system: realized cyber incidents carry a larger negative contribution than the positive signals associated with defensive actions or compliance. The finding underscores a key empirical insight of the paper: the detrimental impact of a cyberattack on firms’ vulnerability outweighs, in the short term, the mitigating effects of post-incident responses.

Delayed effectiveness of defensive measures

The post-attack increase in the cyber risk index highlights the temporal mismatch between exposure and mitigation. While firms often react to incidents by strengthening governance structures, adopting technologies, or pursuing certifications, these measures require time to become operationally effective and to be reflected in observable outcomes. The index captures this lag by showing that defensive signals only partially offset the penalty associated with an attack within the same reporting window. This dynamic suggests that cyber resilience is cumulative and path-dependent rather than immediately responsive.

Robustness and validation

The paper evaluates the robustness of the proposed cyber risk indicator through multiple validation exercises. These include human audits of large language model classifications, sensitivity analyses based on perturbations of taxonomy weights, and comparisons with external benchmarks. The results show that the indicator remains stable under alternative specifications and that its main empirical patterns are not driven by model artefacts or classification noise.

Implications for risk assessment

Taken together, the findings indicate that cyber risk is a material, persistent, and unevenly distributed source of vulnerability for non-financial firms. The empirical evidence supports the inclusion of cyber risk in credit risk assessment frameworks, as cyber incidents have the potential to impair business continuity, affect financial performance, and increase default risk. Moreover, the reliance on external sources in addition to firms’ self-disclosure proves essential, as firms tend to provide more detailed information only after experiencing an attack. This reinforces the value of the integrated, AI-driven approach proposed by the authors in capturing both latent and realized dimensions of cyber risk.

Banca d’Italia’s credit evaluation framework

The analysis is explicitly framed within the context of credit risk assessment, although the paper does not estimate the impact of cyber risk on default probabilities. Instead, it develops a firm-level cyber risk vulnerability indicator intended to support future integration into existing credit evaluation frameworks, in particular the ICAS.

The paper documents that cyber incidents affecting non-financial firms have material consequences for business continuity, operational performance, and financial stability. These consequences are identified through the observed increase in cyber risk vulnerability following an attack and through the persistence of high vulnerability levels across firms and sectors. The authors emphasize that cyber incidents can disrupt operations, impair cash flows, and generate reputational and legal costs, which are factors traditionally associated with deteriorations in firms’ creditworthiness.

Within this framework, the cyber risk index is constructed as a synthetic measure that captures both realized cyber incidents and firms’ defensive and organizational characteristics. The index increases in response to confirmed cyberattacks and decreases with evidence of regulatory compliance, technological defenses, and structured cybersecurity processes. The asymmetric weighting of these components reflects the empirical observation that the negative effect of cyber incidents on vulnerability dominates, in the short term, the mitigating contribution of defensive actions.
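To make the scoring mechanism described here and in the post-incident disclosure findings concrete, the following is an added illustration written for this article; it is not code from Columba et al. or from Banca d’Italia. The authors classify text with a large language model and do not publish their weights, so a small rule-based tagger stands in for the classifier, assigning disclosure sentences to the six taxonomy dimensions, and an aggregation step applies assumed asymmetric weights and clips the result to a 0–100 scale on which higher is worse. The keyword cues, weights, baseline, per-dimension cap and the two excerpts from a fictitious firm’s reports are all constructed assumptions chosen to reproduce the qualitative pattern in the text, not the paper’s calibration.

```python
"""
Added illustration for this article (not code from Columba et al. or Banca
d'Italia): a rule-based stand-in for the paper's LLM classifier that tags
disclosure sentences into the six taxonomy dimensions, followed by an
aggregation into a 0-100 vulnerability index with asymmetric weights.
Keyword cues, weights, baseline and sample excerpts are all assumptions.
"""
import re

# Six dimensions named in the paper; the regex cues are assumed, not the authors'.
DIMENSION_CUES = {
    "regulation":    [r"\bgdpr\b", r"\bnis\s?2\b", r"\bdora\b", r"\bcompliance\b"],
    "certification": [r"\biso\s?/?\s?iec\s?27001\b", r"\bcertif\w+"],
    "technology":    [r"\bmfa\b", r"\bedr\b", r"\bfirewall\b", r"\bbackup", r"\bencryption\b"],
    "process":       [r"\bciso\b", r"\bincident response\b", r"\bbusiness continuity\b", r"\btraining\b"],
    "attack":        [r"\bransomware\b", r"\bdata breach\b", r"\bcyber\s?attack\b", r"\bphishing\b"],
    "affiliation":   [r"\bcsirt\b", r"\bisac\b", r"\bcert\b"],
}

# Assumed asymmetric weights on a higher-is-worse scale: one realized attack
# adds more than any single defensive signal removes (the qualitative pattern
# reported in the paper, not its calibration).
WEIGHTS = {"regulation": -4.0, "certification": -6.0, "technology": -3.0,
           "process": -3.0, "attack": 25.0, "affiliation": -2.0}
BASELINE = 80.0    # assumed prior for a firm with no observed signals
MAX_PER_DIM = 3    # assumed cap: repeated mentions have diminishing returns


def classify(sentence: str) -> set[str]:
    """Dimensions a sentence is evidence for; a sentence may hit several."""
    s = sentence.lower()
    return {dim for dim, cues in DIMENSION_CUES.items()
            if any(re.search(c, s) for c in cues)}


def extract_signals(text: str) -> dict[str, int]:
    """Count sentences per dimension across a disclosure text."""
    counts = dict.fromkeys(DIMENSION_CUES, 0)
    for sentence in re.split(r"(?<=[.!?])\s+", text.strip()):
        for dim in classify(sentence):
            counts[dim] += 1
    return counts


def contributions(counts: dict[str, int]) -> dict[str, float]:
    """Weighted contribution of each dimension after the per-dimension cap."""
    return {dim: WEIGHTS[dim] * min(n, MAX_PER_DIM) for dim, n in counts.items()}


def cyber_risk_index(counts: dict[str, int]) -> float:
    """Baseline plus contributions, clipped to the 0-100 scale."""
    raw = BASELINE + sum(contributions(counts).values())
    return max(0.0, min(100.0, raw))


# Constructed excerpts from a fictitious firm's reports (not real disclosures).
PRE_INCIDENT = """The Group's information systems are managed in compliance with the GDPR.
Backup procedures are in place for core ERP data."""

POST_INCIDENT = PRE_INCIDENT + """
In March the Group suffered a ransomware attack that locked production servers; operations resumed after two weeks.
Following the incident, the Board appointed a CISO and approved an incident response plan.
Multi-factor authentication (MFA) and EDR were rolled out across all endpoints.
The Group started the ISO/IEC 27001 certification process.
The Group joined the national CSIRT information-sharing network."""


if __name__ == "__main__":
    for label, text in (("pre-incident", PRE_INCIDENT), ("post-incident", POST_INCIDENT)):
        counts = extract_signals(text)
        print(f"{label}: signals={counts} index={cyber_risk_index(counts):.1f}")
```

Run on the two excerpts, the index is 73 before the incident and 84 after it: the post-incident report carries four additional defensive signals (a CISO and response plan, MFA and EDR, an ISO/IEC 27001 process, a CSIRT affiliation), yet the single realized attack still dominates the aggregate, which is the asymmetry the text describes. Swapping the keyword tagger for an LLM classifier changes only `classify`; the aggregation and its weighting assumptions stay the same, which is where calibration against realized outcomes would need to happen.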

The paper further shows that firms tend to increase the disclosure of cybersecurity-related information in their financial statements after experiencing a cyberattack. While this behavior signals heightened awareness and formalization of cybersecurity practices, the measured cyber risk vulnerability nonetheless increases in the post-attack period. This result is explicitly attributed to the scoring mechanism and to the empirical finding that defensive measures require time to produce observable effects, whereas the occurrence of an attack represents an immediate and concrete signal of vulnerability.

The authors state that the cyber risk index provides a basis for the future incorporation of cyber risk into probability-of-default estimation within ICAS. In operational terms, they outline that the indicator can be mapped into a firm-specific probability of experiencing a cyberattack and that the associated expected losses can be simulated and embedded into stressed financial statements. The resulting stressed financial information would then be used to derive a cyber-risk-adjusted probability of default, which would complement existing statistical and expert-based components of the ICAS framework.

Consistent with the scope of the paper, these elements are presented as methodological positioning rather than as empirical results. The contribution of the paper is therefore limited to the construction, validation, and empirical characterization of the cyber risk vulnerability indicator, while the quantitative estimation of its impact on credit risk metrics is explicitly left for future work.
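Because the paper leaves this step to future work and the operational ICAS treatment is not public, what follows is an added, deliberately simplified illustration of the chain the authors sketch, written for this article and not taken from Banca d’Italia. Every functional form is an assumption: a linear map from the 0–100 index to an annual attack probability, a single deterministic loss scenario (a fixed share of revenue charged against EBITDA) in place of a simulation, a two-factor logistic PD model on leverage and interest coverage standing in for a statistical credit model, and a probability-weighted mixture of the baseline and stressed PDs as the cyber-risk-adjusted figure. The financial figures belong to a constructed firm; the two index values are the pre- and post-incident scores from the previous illustration.

```python
"""
Added illustration for this article (not Banca d'Italia code): propagating a
0-100 cyber vulnerability index into a cyber-risk-adjusted probability of
default through a stressed financial statement. All functional forms and
parameters are assumptions, labelled as such.
"""
import math
from dataclasses import dataclass, replace

# --- Assumed parameters (not the paper's calibration) ---------------------
ATTACK_PROB_AT_100 = 0.20     # annual attack probability when index == 100
LOSS_SHARE_OF_REVENUE = 0.04  # interruption + remediation loss given attack
MAX_LEVERAGE = 10.0           # cap applied when stressed EBITDA is non-positive


@dataclass(frozen=True)
class Financials:
    revenue: float
    ebitda: float
    net_debt: float
    interest: float

    @property
    def leverage(self) -> float:
        """Net debt / EBITDA, capped so a non-positive EBITDA cannot blow up."""
        if self.ebitda <= 0:
            return MAX_LEVERAGE
        return min(self.net_debt / self.ebitda, MAX_LEVERAGE)

    @property
    def interest_coverage(self) -> float:
        """EBITDA / interest expense; zero when EBITDA is non-positive."""
        if self.ebitda <= 0:
            return 0.0
        return self.ebitda / self.interest


def attack_probability(index: float) -> float:
    """Assumed linear map from the vulnerability index to an annual attack probability."""
    if not 0.0 <= index <= 100.0:
        raise ValueError("index must lie in [0, 100]")
    return ATTACK_PROB_AT_100 * index / 100.0


def stress(fin: Financials, loss_share: float = LOSS_SHARE_OF_REVENUE) -> Financials:
    """Stressed statement: the simulated loss is charged against EBITDA (assumption)."""
    loss = loss_share * fin.revenue
    return replace(fin, ebitda=fin.ebitda - loss)


def pd_model(fin: Financials) -> float:
    """Toy two-factor logistic PD; stands in for a statistical credit model."""
    logit = -4.0 + 0.6 * fin.leverage - 0.3 * fin.interest_coverage
    return 1.0 / (1.0 + math.exp(-logit))


def cyber_adjusted_pd(fin: Financials, index: float) -> dict:
    """Mix baseline and stressed PDs with the attack probability (assumed construction)."""
    p = attack_probability(index)
    pd_base = pd_model(fin)
    pd_stress = pd_model(stress(fin))
    return {
        "p_attack": p,
        "pd_baseline": pd_base,
        "pd_stressed": pd_stress,
        "pd_adjusted": (1.0 - p) * pd_base + p * pd_stress,
    }


# Constructed firm (figures in euro; not a real company).
SAMPLE_FIRM = Financials(revenue=50_000_000, ebitda=5_000_000,
                         net_debt=15_000_000, interest=600_000)

if __name__ == "__main__":
    for idx in (73.0, 84.0):
        r = cyber_adjusted_pd(SAMPLE_FIRM, idx)
        print(f"index={idx:5.1f}  p_attack={r['p_attack']:.3f}  "
              f"PD base={r['pd_baseline']:.4f}  stressed={r['pd_stressed']:.4f}  "
              f"adjusted={r['pd_adjusted']:.4f}")
```

For the constructed firm the baseline PD is about 0.9%, the stressed PD about 7.6%, and the adjusted PD moves from roughly 1.9% at index 73 to 2.0% at index 84: the index enters only through the attack probability, so a higher vulnerability score shifts weight toward the stressed statement. The guard on non-positive stressed EBITDA matters in practice, since a loss scenario larger than EBITDA would otherwise produce negative leverage and an undefined coverage ratio rather than a worse score.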

Appendix A — Conceptual foundations of cyber risk

Definition adopted in the paper

This appendix introduces the conceptual foundations of cyber risk used throughout the article. The definition adopted strictly follows the conceptualization presented in the paper Measuring cyber risk in the Italian corporate sector. Cyber risk is defined as:

Any risk emerging from intentional attacks on information and communication technology systems that compromises the confidentiality, availability or the integrity of data or services.

This definition is explicitly adopted by the authors from Giudici and Raffinetti2 and is used consistently throughout the paper as the conceptual basis for the taxonomy, the algorithmic framework, and the construction of the cyber risk vulnerability indicator. It deliberately excludes accidental system failures, natural hazards, or purely operational disruptions not attributable to malicious intent.

Cyber risk in practice: a business-level overview

Cyber risk can be understood as the exposure that arises from the reliance of organizations on digital systems, data, and interconnected technologies for the execution of business processes.

Every modern organisation depends on information systems to manage customers, suppliers, finances, production, and decision-making. That dependency creates exposure: if digital systems are disrupted, compromised, or misused, the business may no longer be able to operate as intended. Cyber risk captures this possibility and the consequences that may follow.

Unlike purely technical failures, cyber risk is not limited to software bugs or hardware breakdowns. It includes deliberate malicious actions, human error, weaknesses in processes, and dependencies on third parties. For this reason, cyber risk is best understood as a business risk with technological roots, rather than as a purely technical issue.

Where cyber risk comes from

Cyber risk arises when four elements intersect:

  • First, there are assets. These are the things the business relies on and wants to protect: data, systems, services, intellectual property, and digital platforms that support daily operations.

  • Second, there are threats. These are events or actors that could cause harm, such as criminal attacks, fraud, insider misuse, or failures originating in suppliers and service providers.

  • Third, there are vulnerabilities. These are weaknesses that allow threats to materialise. Vulnerabilities can be technical, such as unpatched systems; organisational, such as unclear responsibilities; or human, such as lack of awareness or poor security practices.

  • Finally, there is impact. Impact refers to what would happen if a cyber event occurred. This may include operational downtime, financial loss, regulatory penalties, reputational damage, or loss of trust.

Cyber risk exists when valuable assets are exposed to credible threats through exploitable vulnerabilities in a way that could cause meaningful harm to the organisation.

The analytical structure of cyber risk

From a risk analysis perspective, cyber risk is usually described through a causal chain linking assets, vulnerabilities, threats, events, and impacts. This structure provides the analytical foundation used in cybersecurity risk management and underlies many formal frameworks adopted by governments, regulators, and standards bodies.

The first element of the chain consists of assets. In a business environment, assets include information systems, operational technologies, data repositories, digital services, and the infrastructure that supports production and organizational processes. These assets represent the resources that organizations depend on and therefore seek to protect.

Assets may contain vulnerabilities, which are weaknesses that can be exploited by a malicious actor. Vulnerabilities can arise from software flaws, insecure system configurations, architectural weaknesses, insufficient access controls, organizational deficiencies, or human error. A vulnerability does not cause harm by itself; it represents a condition that makes exploitation possible.

A threat refers to the potential for a malicious actor or harmful mechanism to exploit a vulnerability. Threats may originate from cybercriminal groups, insider misuse, hacktivists, or state-sponsored actors, and they may take different forms such as ransomware campaigns, phishing attacks, malware deployment, or supply-chain compromise.

When a threat successfully exploits a vulnerability affecting an asset, a cyber event occurs. If the event produces actual or potential harm requiring response and mitigation, it becomes a cyber incident. Incidents may involve unauthorized access to systems, data exfiltration, encryption of files, disruption of services, or manipulation of information.

Cyber incidents affect the fundamental security properties of information systems. Traditionally, these properties are described through the principles of confidentiality, integrity, and availability, often referred to as the CIA model of information security. Confidentiality refers to preventing unauthorized access to information; integrity ensures that data and systems are not altered in an unauthorized way; and availability guarantees that systems and services remain accessible when needed.

When one or more of these properties are compromised, the organization may experience business impacts such as operational disruption, financial loss, regulatory consequences, reputational damage, or loss of intellectual property. These consequences ultimately determine the economic relevance of cyber risk for firms and explain why cyber incidents can affect creditworthiness and financial stability.

This causal structure can therefore be summarized as a propagation chain:

asset → vulnerability → threat → event → incident → impact → business consequence.

The propagation chain described above represents the causal sequence through which cyber risk materializes into business consequences. In practice, however, organizations also implement defensive measures and governance mechanisms intended to interrupt or mitigate this sequence. These measures include technological defenses, security architectures, organizational processes, regulatory compliance, certifications, and participation in cybersecurity ecosystems. Such elements do not belong to the causal chain of risk propagation itself; rather, they constitute control and assurance layers that influence the probability or severity of events occurring along the chain. For this reason, they are treated separately in the taxonomy introduced later in this article.

Understanding this structure is essential for interpreting cyber risk indicators. Measurements of cyber risk may capture different stages of this chain. Some indicators reflect realized incidents, while others capture vulnerabilities, defensive capabilities, or organizational preparedness. The taxonomy introduced later in this article builds on this analytical structure to classify the different signals used in the Banca d’Italia cyber risk indicator.

Cyber risk versus cyber incidents

A cyber incident is an event that has already happened, such as a ransomware attack or a data breach.

An organisation may face significant cyber risk simply because it depends heavily on digital systems and lacks adequate safeguards, regardless of whether it has experienced an incident in the past. From a business perspective, cyber risk is therefore about exposure and preparedness, not just about reacting to past events.

Why cyber risk is a business issue

Cyber risk affects an organisation’s ability to achieve its objectives. It can interrupt operations, affect revenue, increase costs, and create legal or regulatory consequences. For these reasons, cyber risk belongs alongside financial, operational, and compliance risks.

Managing cyber risk requires decisions about priorities, investments, and acceptable levels of residual risk. These decisions cannot be made by technical teams alone. They require involvement from senior management and boards, who are responsible for understanding how digital dependencies support the business and what would happen if those dependencies were disrupted.

In practice, cyber risk is as much about governance and decision-making as it is about technology.

How organisations typically manage cyber risk

In most organisations, managing cyber risk follows the same logic used for other types of business risk.

The process usually starts by identifying what is critical to the organisation and what it depends on digitally. From there, attention is given to the most plausible ways those dependencies could fail or be exploited, and to the consequences such failures would have.

Not all risks can or should be eliminated. The objective is to reduce risk to a level that is understood and acceptable, using a combination of technical controls, processes, training, and oversight. Some level of residual cyber risk is inevitable and must be consciously accepted rather than ignored.

How this perspective relates to the article

The paper discussed in this article focuses on one specific and measurable dimension of cyber risk: exposure to intentional cyberattacks and the organisational factors associated with vulnerability. This narrow focus allows cyber risk to be quantified and compared across firms.

The broader perspective outlined in this appendix provides the practical context in which such measurement makes sense. It explains why cyber risk matters to business leaders and how it fits into everyday risk management and governance decisions.

Together, the two perspectives address both how cyber risk can be measured and why it matters for organisations.

Appendix B — Banca d’Italia ICAS: current role and future relevance for cyber risk

What ICAS is, in the Eurosystem context

The In-house Credit Assessment System operated by Banca d’Italia (often referred to as ICAS-BI) is a creditworthiness assessment system for Italian non-financial corporations. It is part of the Eurosystem credit assessment framework used to ensure that assets mobilised as collateral in monetary policy operations meet required credit standards3.

In practice, ICAS enables banks to mobilise as collateral certain credit claims (loans to non-financial firms) that might not be covered by other credit assessment sources. This role is especially relevant for banks that do not have internal ratings based models and rely on external sources accepted within the Eurosystem collateral framework. Banca d’Italia has operated ICAS since 20134.

What ICAS produces and how outputs are used

Banca d’Italia’s public documentation emphasises that ICAS is used by banks in the collateral context and that outputs are not published as a full public rating list. The system does not disclose the list of assessed firms, nor the detailed ratings or estimated probabilities of default. Instead, counterparties are informed of the Credit Quality Step (CQS) assigned to the firm within the Eurosystem credit assessment framework. These CQS categories are mapped to internal probability-of-default estimates but do not constitute publicly disclosed ratings comparable to those issued by commercial credit rating agencies.

ICAS assessments are used by commercial banks to support the mobilisation of loans as collateral in Eurosystem monetary policy operations, and to quantify the credit risk of those pledged loans within the collateral framework.

The internal architecture: statistical model plus expert assessment

Recent Banca d’Italia publications describe ICAS-BI as combining a statistical engine with an expert assessment module5.

A key reference states that ICAS-BI uses a statistical model producing monthly one-year probabilities of default for around 370,000 firms, and complements this with analysts’ expert assessments for a subset of roughly 4,000 firms per year.

A separate 2026 methodological note reiterates that the system consists of a statistical model (S-ICAS) and analysts’ evaluation, and compares S-ICAS with machine learning and deep learning alternatives6.

Future in scope: what is explicitly stated in the cyber risk paper

The Banca d’Italia paper explicitly frames the proposed cyber risk vulnerability indicator as a potential future input into the ICAS expert assessment workflow. The authors state that further developments may involve integrating the cyber risk index, and a corresponding cyber risk–adjusted probability of default, into the set of early warning indicators monitored by analysts within the expert assessment module of ICAS.

This is the only forward-looking element discussed in this article that is directly grounded in the source paper. It reflects an explicit statement by the authors and should be interpreted as methodological positioning rather than as evidence of current implementation or empirically validated impact on credit risk metrics.

Appendix C — Toward a structured taxonomy of cyber risk in the Italian corporate sector

Why a taxonomy is needed

The article discusses cyber risk as a multidimensional source of business vulnerability. That is correct, but multidimensionality creates an immediate methodological problem: the observed cyber related facts are heterogeneous. A ransomware attack, a missing access control, compliance with regulation, an external certification, and a weak supplier are not observations of the same logical type. Without a taxonomy, they remain analytically adjacent but conceptually unordered.

For measurement purposes, cyber risk must therefore be decomposed into several distinct analytical layers:

  1. what is exposed,
  2. what is weak,
  3. what can act against it,
  4. what actually happened,
  5. what business consequence followed.

This decomposition is consistent with ACN’s official distinction among assets, vulnerabilities, threats, events and incidents, and with ACN’s organization of cybersecurity capabilities into governance, asset management, risk management, identity and access management, security architecture and operations, event threat and incident management, workforce management, and business continuity and disaster recovery.

Taxonomic principle

The taxonomy proposed here is layered. Each cyber related statement should be classified according to the layer to which it belongs, not merely according to the vocabulary used in the sentence.

A complete cyber risk statement has the following structure:

  • A threat actor or threat mechanism exploits a vulnerability affecting an asset through a given attack path, generating an event or incident, with effects on confidentiality, integrity, availability, authenticity, or continuity, which then produce operational, financial, legal, strategic, or reputational consequences.

That structure is more rigorous than a flat list of attack types because it preserves causal order. ACN’s own materials support the distinction between observable event, threatening circumstance, exploitable weakness, and incident requiring response and communication7.

Proposed taxonomy for the risks cited in the article

Layer 1 — Asset and exposure domain

This layer identifies the assets and operational environments on which the firm depends and through which cyber risk exposure emerges. It answers the question: where can cyber risk materialize.

The primary classes are:

  • Operational technology and production environments. This includes industrial control, production systems, plant level automation, and cyber physical dependencies. It is relevant whenever the article refers to disruption of operations, manufacturing exposure, or convergence between IT and OT. ACN’s emphasis on asset identification and protection supports the need to distinguish this exposure class explicitly8.

  • Enterprise IT systems. This includes servers, endpoints, business applications, networks, cloud workloads, and collaboration platforms. It covers the general digital substrate of the firm9.

  • Data estates. This includes customer data, employee data, financial data, trade secrets, intellectual property, and regulated datasets. This class is necessary for statements concerning data breaches, sensitive information compromise, or access control failures. ACN’s incident and vulnerability framing supports treating data compromise as distinct from simple service disruption10.

  • Third party and supply chain dependencies. This includes software vendors, managed service providers, cloud providers, outsourced operations, and digital counterparties. ACN’s cyber risk management references third party and supply chain risk management explicitly, and ACN public reporting also highlights supply chain attacks as a meaningful class11.

  • Identity perimeter. This includes user identities, administrator identities, privileged accounts, service accounts, and authentication mechanisms. ACN treats identity and access management as a separate cybersecurity domain, so it should also be a separate exposure class in the appendix12.

Layer 2 — Vulnerability and weakness domain

This layer classifies the condition that makes harm possible. It answers the question: what weakness is present.

The main classes are:

  • Technical vulnerabilities. Software flaws, exposed services, weak configurations, missing patches, insecure protocols, and implementation defects. ACN’s glossary and related guidance treat vulnerabilities as weaknesses in software, hardware, or processes that can be exploited.

  • Identity and access weaknesses. Weak authentication, inadequate authorization, excessive privileges, poor credential hygiene, absence of segregation of duties, or unmanaged privileged access. This class is justified by ACN’s dedicated IAM domain.

  • Architectural weaknesses. Flat networks, insecure trust relationships, poor segmentation, insecure remote access, inadequate hardening, or control misplacement. ACN’s Security Architecture, Engineering and Operations domain directly supports separating architecture from mere technology presence.

  • Organizational and process weaknesses. Missing policies, weak governance, inadequate incident handling, poor risk assessment, undefined roles, weak supplier governance, and immature change management. ACN’s glossary explicitly notes that vulnerabilities may also be organizational and process related, and ACN governance material reinforces this distinction13.

  • Human and workforce weaknesses. Low awareness, susceptibility to phishing, procedural noncompliance, and insufficient training. ACN has a dedicated workforce management domain, which makes this a proper category rather than a residual one14.

  • Continuity and recovery weaknesses. Weak backup design, poor recovery procedures, lack of tested continuity plans, and inability to restore critical services quickly. ACN treats business continuity and disaster recovery as a separate domain, so resilience gaps belong here15.

Layer 3 — Threat and attack mechanism domain

This layer classifies the hostile mechanisms or attack vectors through which adversaries attempt to exploit vulnerabilities. It answers the question: what kind of malicious action is being carried out against the organization.

The main classes include:

  • Ransomware. Malicious software that encrypts data or systems and demands payment for restoration. Ransomware has become one of the most prevalent and economically disruptive forms of cyberattack across many sectors, particularly where operational downtime can be rapidly monetized.

  • Malware. A broad category covering malicious software designed to compromise systems, steal information, or enable further attacks. This includes trojans, remote access tools (RATs), infostealers, loaders, wipers, and other malicious code families used to gain unauthorized access or maintain persistence within systems.

  • Phishing and social engineering. Deceptive techniques used to manipulate users into revealing credentials, executing malicious software, or granting unauthorized access. This category includes phishing, spear-phishing, and other forms of social engineering exploiting human behavior rather than technical vulnerabilities.

  • Distributed denial-of-service (DDoS). Attacks that attempt to disrupt the availability of digital services by overwhelming systems or networks with malicious traffic.

  • Supply chain compromise. Attacks that exploit trusted relationships with third-party providers, software vendors, or service operators to gain indirect access to a target organization’s systems or data.

  • Advanced persistent threats (APT). Highly sophisticated and targeted attack campaigns characterized by persistence, stealth, and strategic objectives. These operations are typically associated with well-resourced threat actors seeking long-term access to sensitive systems, industrial know-how, or strategic information.

These categories represent the mechanisms through which adversaries initiate or conduct an attack, rather than the consequences that follow from successful attacks. In practice, such attacks typically unfold through a sequence of observable steps within the target environment, such as initial access, execution of malicious code, privilege escalation, lateral movement, data exfiltration, or service disruption. These operational steps generate signals that can be detected in systems, logs, or security monitoring tools. The taxonomy therefore distinguishes the mechanisms of attack (threat layer) from the observable manifestations of those attacks within the organization’s systems, which are classified in the event and incident domain described below.

Layer 4 — Event and incident domain

This layer classifies observable occurrences generated by cyber activity within an organization’s systems or networks. It answers the question: what has actually been detected or recorded in the digital environment. Following the terminology used in cybersecurity standards and institutional frameworks, it distinguishes between events and incidents: a cyber event is any observable occurrence within a system or network, typically a signal produced during the execution of an attack, whereas a cyber incident is an event that has actual or potential adverse effects on the confidentiality, integrity, or availability of information systems and therefore requires response and mitigation.

The practical classes include:

  • Suspicious event. An anomaly or alert indicating potential malicious activity but without confirmed compromise or business impact.

  • Confirmed security event. Verified malicious activity or indicators of compromise within a system or network, such as unauthorized access attempts, malware execution, or anomalous system behavior.

  • Cyber incident. A confirmed event that affects systems, services, or data and requires active response measures. Examples include data breaches, ransomware infections, or service disruptions.

  • Major cyber incident. An incident that produces significant operational disruption, widespread system compromise, or substantial business impact, such as prolonged service outages or large-scale data exfiltration.

This distinction between threat mechanisms, events, and incidents is important because cyber risk indicators may capture signals at different stages of the attack lifecycle. Some signals reflect attempted attacks or suspicious activity, while others correspond to realized incidents with measurable operational or economic consequences.

Layer 5 — Impact domain

This layer classifies what security property or business function is affected. It answers the question: what damage dimension is involved. These impact categories correspond to the fundamental security properties traditionally used in information security analysis, particularly the confidentiality, integrity, and availability principles, extended to include authenticity and operational continuity in modern cyber-physical environments.

The core classes are:

  • Confidentiality impact. Unauthorized disclosure or theft of information.

  • Integrity impact. Unauthorized alteration, corruption, or falsification of data, systems, or decisions.

  • Availability impact. Service interruption, system outage, encryption of assets, denial of access, or impaired production.

  • Authenticity or trust impact. Compromise of identities, credentials, signatures, or trusted communication channels.

  • Operational continuity impact. Inability to continue critical business or industrial processes. ACN’s business continuity and disaster recovery domain supports treating continuity loss as a first class impact domain.

Layer 6 — Business consequence domain

This layer classifies why the incident matters economically. It answers the question: what firm level consequence follows.

The main classes are:

  • Operational disruption. Production stoppage, logistics disruption, inability to serve customers, delay in service delivery.

  • Financial loss. Direct remediation cost, ransom related cost, loss of revenue, cash flow stress, contractual penalties.

  • Legal and regulatory consequence. Notification obligations, regulatory scrutiny, sanctions exposure, litigation, and noncompliance cost. ACN’s NIS material and related obligations support the relevance of the compliance consequence class16.

  • Reputational consequence. Trust erosion with clients, suppliers, lenders, or markets.

  • Strategic consequence. Loss of intellectual property and industrial know-how, negotiating power, or competitive advantage.

  • Credit consequence. Deterioration in perceived resilience, governance quality, or operational continuity that may affect creditworthiness. This category is an analytical extension introduced for the purposes of this article, reflecting the integration of cyber risk into credit risk assessment frameworks.

Layer 7 — Control and mitigation domain

This layer classifies the positive signals that reduce vulnerability. It answers the question: what countervailing evidence exists.

The classes are:

  • Governance controls. Cybersecurity strategy, roles and responsibilities, escalation paths, policies, oversight structures. ACN treats governance as its own domain.

  • Risk management controls. Formal risk assessment, risk treatment, prioritization, and alignment of controls to risk appetite. ACN has a dedicated cyber risk management domain.

  • Identity and access controls. Authentication, authorization, access review, privilege management, and identity lifecycle controls.

  • Architectural and technical controls. Secure architecture, segmentation, hardening, protective technologies, monitoring, and engineered safeguards.

  • Event detection and response controls. Logging, monitoring, classification, response processes, communication, and incident handling. ACN’s Event, Threat and Incident Management domain directly maps here.

  • Workforce controls. Awareness, role specific competence, staffing, and training.

  • Continuity and recovery controls. Backup strategy, recovery capability, tested restoration, resilience planning.

  • Assurance controls. Testing, assessment, audit, and validation. ACN’s assessment and testing domain supports separating these from operational controls17.

Layer 8 — External assurance and institutional alignment domain

This layer classifies signals that do not directly stop attacks but indicate maturity or embeddedness in a larger security framework.

The classes are:

  • Regulatory compliance. Alignment with applicable cybersecurity obligations, especially NIS related obligations and risk based measures. ACN states that the NIS regime is in force and that the required measures follow a risk based approach.

  • Professional certifications and formal attestations. Certifications do not equal security, but they are observable maturity signals. This aligns with the article’s use of certifications as a separate dimension of the index.

  • Affiliation with cybersecurity organizations or national structures. Participation in recognized national or international ecosystems can function as a coordination and information sharing signal. ACN explicitly frames information sharing and common taxonomy as national coordination enablers.

How the risks cited in the article should be categorized

Using the taxonomy above, the major risk references in the article can be reclassified precisely:

  • Ransomware is not a vulnerability category. It is a threat and attack mechanism. Its primary impact class is availability and operational continuity, with possible secondary confidentiality and financial effects.

  • Data breach is not an attack vector. It is primarily an impact and incident outcome category centered on confidentiality loss, often enabled by access control weaknesses, malware, phishing, or supplier compromise.

  • Phishing is not an impact. It is a threat delivery and social engineering mechanism, usually exploiting workforce and identity weaknesses.

  • Advanced persistent threat activity is not just a malware subtype. It is a higher sophistication threat class characterized by persistence, targeting, and strategic intent, often associated with theft of know how or long dwell time compromise.

  • Regulatory compliance is not a realized risk event. It is a control and external assurance signal that may reduce vulnerability but does not, by itself, prove operational resilience. ACN’s risk based compliance logic supports this treatment.

  • Professional certifications are not direct security outcomes. They are assurance proxies. They belong in the mitigation and external assurance layer, not in the attack layer.

  • Technological defenses are not impact categories. They belong in the control layer, specifically under architectural and technical controls.

  • Organizational processes are not threats. They belong in governance, risk management, incident management, workforce management, and continuity domains, depending on the process described.

  • Affiliation with cybersecurity organizations is neither a threat nor a direct control. It is an institutional alignment and information sharing signal.

Compact taxonomy table

The taxonomy therefore distinguishes nine analytical layers (the event and incident domain of Layer 4 being counted as two): assets and exposure, vulnerabilities, threats, events, incidents, impacts on security properties, business consequences, mitigation and control mechanisms, and external assurance signals.

Each layer corresponds to a different stage in the transformation of a potential cyber weakness into an observable economic effect. The classification rule is that any cybersecurity-related signal should be assigned to the earliest stage of the chain that it directly represents. For example, a ransomware attack is classified as a threat mechanism, while regulatory compliance belongs to the assurance layer and business interruption belongs to the consequence layer. This structure ensures that heterogeneous cybersecurity signals can be interpreted consistently without conflating causes, manifestations, and outcomes of cyber risk.

The taxonomy can be summarized through the following analytical classification.

| Analytical layer | Role in the cyber risk model | Example classes |
|---|---|---|
| Asset and exposure domain | Identifies the digital assets and operational environments on which the organization depends | Operational technology and production systems, enterprise IT infrastructure, data repositories, supply chain dependencies, identity perimeter |
| Vulnerability domain | Describes weaknesses that may allow threats to exploit assets | Technical vulnerabilities, identity and access weaknesses, architectural weaknesses, organizational and process deficiencies, human factors, continuity and recovery gaps |
| Threat domain | Identifies the attack mechanisms used by adversaries to exploit vulnerabilities | Ransomware, malware, phishing and social engineering, distributed denial-of-service, supply chain compromise, advanced persistent threats |
| Event domain | Captures observable manifestations of malicious activity within systems or networks | Suspicious events, confirmed malicious events, indicators of compromise |
| Incident domain | Represents events producing or potentially producing harm that require response and mitigation | Cyber incidents affecting systems, data breaches, operational disruptions |
| Impact domain | Identifies which security properties are compromised | Confidentiality loss, integrity compromise, service unavailability, authentication compromise, operational continuity disruption |
| Business consequence domain | Describes the economic or organizational effects resulting from cyber incidents | Operational disruption, financial loss, regulatory consequences, reputational damage, strategic losses, credit risk implications |
| Control and mitigation domain | Represents measures that reduce the likelihood or severity of incidents | Governance frameworks, risk management processes, identity and access controls, security architecture, monitoring and incident response, workforce awareness, business continuity mechanisms |
| External assurance domain | Captures signals indicating cybersecurity maturity or institutional alignment | Regulatory compliance, professional certifications, participation in cybersecurity information-sharing communities |

The taxonomy presented above is intended as an analytical framework for interpreting heterogeneous cybersecurity signals rather than as an exhaustive catalogue of cyber threats. Its purpose is to clarify the different stages through which cyber risk emerges and becomes observable within organizations. Each layer corresponds to a distinct analytical role in the cyber risk propagation model: assets define the systems and environments exposed to risk, vulnerabilities represent weaknesses that can be exploited, threats describe the mechanisms used by adversaries, events and incidents capture observable manifestations of malicious activity, impacts identify the security properties affected, and business consequences represent the economic effects that ultimately matter for firms. Control mechanisms and assurance signals operate alongside this causal chain by reducing the likelihood or severity of incidents or by indicating the maturity of an organization’s cybersecurity posture. In this sense, the taxonomy provides a structured lens through which different types of cybersecurity information—such as attacks, governance practices, technological defenses, or compliance disclosures—can be interpreted consistently within a unified framework.
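The earliest-stage classification rule described above, applied to constructed sample signals, as an added example that is not code from the Banca d’Italia paper (whose indicator is built with LLM and NLP methods rather than a keyword lexicon). The layer names, the lexicon terms and the sample sentences are assumptions made for illustration; the profile at the end shows why assurance evidence and vulnerability evidence must stay in separate layers.

```python
"""Earliest-stage layer assignment for heterogeneous cyber risk signals.

Added example illustrating the classification rule of this appendix: a signal is
assigned to the earliest stage of the propagation chain that it directly
represents. This is NOT code from the Banca d'Italia paper, whose indicator is
built with LLM/NLP methods; the keyword lexicon and the sample signals below are
constructed for illustration only.
"""
from __future__ import annotations

import re
from collections import Counter

# Chain order, causal layers first. Control and assurance layers sit alongside the
# chain, so a signal reaches them only when it matches no causal layer.
LAYERS = [
    "asset", "vulnerability", "threat", "event", "incident",
    "impact", "consequence", "control", "assurance",
]

# Constructed lexicon drawn from the class descriptions in Layers 1-8 (assumption).
# A trailing '*' marks a stem that may be followed by any suffix.
LEXICON = {
    "asset": ["industrial control*", "production system*", "cloud workload*",
              "managed service provider*", "privileged account*"],
    "vulnerability": ["unpatched", "missing patch*", "flat network*",
                      "weak authentication", "excessive privilege*",
                      "never been restored", "untested continuity plan*"],
    "threat": ["ransomware", "malware", "phishing", "ddos", "denial-of-service",
               "supply chain compromise", "apt", "advanced persistent threat*"],
    "event": ["alert*", "anomal*", "indicator of compromise", "suspicious"],
    "incident": ["data breach*", "exfiltrat*", "outage*", "service disruption*"],
    "impact": ["confidentiality", "integrity", "availability", "encrypted"],
    "consequence": ["production stoppage*", "loss of revenue", "ransom payment*",
                    "regulatory fine*", "litigation", "reputation*"],
    "control": ["segmentation", "multi-factor authentication", "monitoring",
                "incident response plan*", "backup strateg*", "awareness training",
                "penetration test*"],
    "assurance": ["iso 27001", "certification*", "certified", "nis",
                  "compliance", "csirt", "information-sharing"],
}


def _compile(term: str) -> re.Pattern[str]:
    """Whole-word match, or prefix match when the term ends with '*'."""
    if term.endswith("*"):
        return re.compile(r"\b" + re.escape(term[:-1]))
    return re.compile(r"\b" + re.escape(term) + r"\b")


PATTERNS = {layer: [(t.rstrip("*"), _compile(t)) for t in terms]
            for layer, terms in LEXICON.items()}


def signal_layers(signal: str) -> list[str]:
    """Every layer the signal touches, in chain order (useful for inspection)."""
    text = signal.lower()
    return [layer for layer in LAYERS
            if any(p.search(text) for _, p in PATTERNS[layer])]


def classify(signal: str) -> tuple[str, str | None]:
    """Apply the earliest-stage rule: the first layer in chain order that matches.

    A sentence mentioning ransomware, encrypted data and a production stoppage
    therefore lands in the threat layer, not in impact or consequence.
    """
    text = signal.lower()
    for layer in LAYERS:
        for term, pattern in PATTERNS[layer]:
            if pattern.search(text):
                return layer, term
    return "unclassified", None


def layer_profile(signals: list[str]) -> Counter[str]:
    """Signals per layer: assurance and vulnerability evidence stay separate,
    so a firm with certifications but open weaknesses is visible as such."""
    return Counter(classify(s)[0] for s in signals)


# Constructed sample signals, in the style of the evidence the indicator draws on.
SAMPLE_SIGNALS = [
    "Ransomware encrypted the file servers and caused a production stoppage at two plants.",
    "The company obtained ISO 27001 certification for its data centre.",
    "The remote access gateway is still unpatched and the backups have never been restored in a test.",
    "A phishing email led to a data breach of customer records.",
    "The SOC raised an alert on anomalous outbound traffic from a workstation.",
    "Network segmentation and multi-factor authentication have been rolled out to all sites.",
    "The firm joined the national CSIRT information-sharing community.",
    "Confirmed exfiltration of design documents to an external server.",
]

if __name__ == "__main__":
    for s in SAMPLE_SIGNALS:
        layer, term = classify(s)
        print(f"{layer:<13} via {term!r:<16} touches {signal_layers(s)}")
    print(dict(layer_profile(SAMPLE_SIGNALS)))
```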

Analytical representation of the propagation chain

The layered taxonomy described above can be summarized through a simplified analytical representation of cyber risk propagation. In this perspective, cyber risk arises when adversarial threats exploit vulnerabilities affecting digital assets, generating incidents whose impacts translate into economic consequences for the organization.

A stylized representation can therefore be written as:

Cyber\ Risk = \sum_{k} P(I_k \mid A,V,T) \times L_k

where

  • A = assets and exposure
  • V = vulnerabilities
  • T = threats
  • I_k = cyber incident of type k
  • P(I_k \mid A,V,T) = probability that incident k occurs given the asset exposure, vulnerabilities, and threat environment
  • L_k = expected economic loss associated with incident k.

This representation reflects the propagation logic described in the taxonomy. Assets define the systems and environments exposed to risk. Vulnerabilities determine the weaknesses that may be exploited. Threats represent the mechanisms through which adversaries attempt to exploit those weaknesses. When exploitation occurs, observable events may develop into incidents that affect information systems. These incidents generate impacts on confidentiality, integrity, or availability, which in turn produce economic consequences for the organization.

Control and mitigation mechanisms influence cyber risk by reducing either the probability that incidents occur or the magnitude of the losses associated with them. External assurance signals such as certifications, regulatory compliance, or participation in cybersecurity communities provide indirect evidence about the maturity of an organization’s defensive posture and therefore about its expected risk profile.

This analytical representation mirrors the standard expected loss logic commonly used in risk analysis, where risk emerges from the interaction between the probability of adverse events and the severity of their consequences.

Relation to the indicator discussed in the article

The taxonomy introduced in this appendix clarifies how the cyber risk vulnerability indicator discussed in the article should be interpreted. The dimensions used in the indicator do not represent distinct categories of cyberattacks. Rather, they correspond to different types of evidence drawn from separate layers of the cyber risk propagation structure.

Signals such as regulatory compliance and professional certifications belong to the external assurance layer, as they provide indirect information about an organization’s cybersecurity maturity and institutional alignment. Technological defenses, security architectures, and organizational processes belong to the control and mitigation layer, because they represent mechanisms intended to reduce the probability or severity of cyber incidents. Observed cyberattacks and compromise events belong to the threat, event, and incident layers, as they correspond to realized manifestations of adversarial activity. Other signals, such as affiliations with cybersecurity initiatives or participation in sectoral coordination mechanisms, reflect institutional positioning and collective defense arrangements.

For this reason, the indicator is best interpreted not as a taxonomy of attacks but as a composite measurement architecture that aggregates heterogeneous signals drawn from multiple stages of the cyber risk propagation chain. The role of the taxonomy is therefore to provide the conceptual framework that allows these signals to be interpreted consistently rather than as unrelated observations.

Concluding remark on the role of the taxonomy

The primary value of the taxonomy lies in the causal clarity it provides for the analysis of cyber risk. By separating assets, vulnerabilities, threats, events, impacts, and business consequences into distinct analytical layers, the framework makes it possible to distinguish the underlying drivers of cyber risk from its observable manifestations and economic effects.

This distinction has practical implications for both measurement and governance. An organization may exhibit strong compliance signals while still remaining vulnerable because of weaknesses in operational continuity or workforce awareness. Conversely, an organization may not have experienced any major incidents yet still be exposed because of architectural weaknesses, supply chain dependencies, or privileged identity concentration. When such signals are interpreted within a single undifferentiated category, these distinctions become difficult to detect.

A layered taxonomy makes these relationships visible by placing each signal within the stage of the cyber risk propagation chain to which it belongs. This improves analytical interpretation and supports more precise risk assessment. It also provides a conceptual foundation for transforming dispersed and heterogeneous cybersecurity information into structured variables that can be used in empirical analysis and integrated into broader credit risk assessment frameworks.

Appendix: Official follow-ups and complementary evidence after Banca d’Italia MISP No. 75

This appendix records the official and institutional sources that are relevant for updating the analysis developed in this article after the publication of Banca d’Italia’s The Cyber Risk of Non-Financial Firms. The assessment is time-bound: it reflects the public sources available at the time of the article update, as indicated by the modified date in the article metadata. It should therefore not be read as a continuously updated monitoring note. Later official publications may change the status of the analysis, especially if Banca d’Italia publishes further information on the operational use of cyber-risk indicators within ICAS.

The purpose of the appendix is not to broaden the argument beyond the available evidence, but to distinguish carefully between direct follow-ups, methodological analogues, and complementary institutional evidence.

The distinction is essential. The Banca d’Italia paper develops a cyber-risk vulnerability indicator for Italian non-financial firms and discusses a possible future integration of that indicator, together with a cyber-risk-adjusted probability of default, into the ICAS expert-assessment process. At the time of the article update, the sources published afterwards do not provide public evidence that this integration has already become an operational ICAS procedure. They do, however, confirm that the institutional treatment of cyber risk is moving in the same analytical direction: from a purely technical-security concern toward a measurable component of business continuity, operational resilience, supply-chain reliability, and potentially creditworthiness.

Banca d’Italia MISP No. 79: expert assessment as the institutional channel

Banca d’Italia MISP No. 79, The expert assessment within Banca d’Italia’s in-house credit assessment system, is the most relevant official follow-up for understanding the institutional channel through which additional risk information can enter ICAS.18 It is not a cyber-risk paper and it does not state that the cyber-risk vulnerability indicator developed in MISP No. 75 has already been incorporated into ICAS. Its relevance is more precise: it describes how the expert-assessment layer of ICAS operates, how it has been strengthened, how it contributes to the full rating, and how it can accommodate new sources of risk not fully captured by the statistical model.

The paper explains that Banca d’Italia’s ICAS has operated since 2013 and consists of two components: a statistical model, which covers a broad sample of Italian firms, and an expert assessment, which is applied to the subsample of firms that are most significant for collateral purposes. The statistical model provides objectivity, scalability and consistency, but it may fail to capture forward-looking variables or qualitative factors. The expert assessment is designed to address this limitation by adding judgement, qualitative information and a forward-looking perspective to the model-based rating.

The institutional mechanics are important. The expert assessment is carried out by two credit analysts after the statistical rating has been produced. The analysts review the main characteristics of the firm and the variables underlying the statistical assessment; they then evaluate predefined assessment modules and assign scores indicating whether each module improves, confirms or worsens the risk assessment produced by the statistical model. The module scores are aggregated to obtain the full rating. If the two analysts broadly agree and the assessment does not imply a major improvement over the statistical rating, the process stops. Otherwise, the proposal is submitted to a Rating Committee composed of senior staff, which takes the final decision.

The current methodology described in MISP No. 79 is more structured than a generic expert override. Following an internal validation exercise conducted in 2023, Banca d’Italia introduced several improvements in 2024 to increase the quality and consistency of expert assessments. These include structured questionnaires or checklists for each risk profile, a Bayesian aggregation methodology for combining the partial module scores, strengthened sector and group analyses, and the expansion of the covered risk profiles to include climate-related risks.

The procedure is organized into sequential modules: initial adjustment of the statistical rating, financial statement analysis, financial flexibility, governance, sector analysis, third-party opinions, climate change, overall assessment and stand-alone full rating, and, for subsidiaries, group analysis. Each module is scored on a five-point scale, from very positive to very negative. The stand-alone rating is obtained through Bayesian integration of the scores assigned to the first six modules. Analysts may override both module scores and the stand-alone rating, but deviations must be explained. Rating upgrades above defined limits require escalation to the Rating Committee.
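A toy implementation of the workflow described in the preceding paragraphs, added here for illustration and not Banca d'Italia's code: the module list, the five-point scale, the two-analyst step, the explained-override rule and the escalation logic follow the text, while the rating scale, the prior and likelihood shapes used for the Bayesian integration, the agreement rule and the upgrade limit are constructed assumptions.

```python
"""Toy ICAS-style expert-assessment workflow (illustrative code, not Banca
d'Italia's methodology). Six modules scored on a five-point scale are
integrated Bayesianly into a stand-alone class; two analysts assess; a major
upgrade or disagreement escalates to a Rating Committee. The rating scale,
prior, likelihood shape, agreement rule and UPGRADE_LIMIT are constructed."""
import math

CLASSES = range(1, 11)   # hypothetical scale: 1 (best) .. 10 (worst)
MODULES = ("initial_adjustment", "financial_statements", "financial_flexibility",
           "governance", "sector_analysis", "third_party_opinions")
SCORE_LABELS = {2: "very positive", 1: "positive", 0: "neutral",
                -1: "negative", -2: "very negative"}
UPGRADE_LIMIT = 1        # constructed: improvements above this go to the Committee

def _normalise(weights):
    total = sum(weights.values())
    return {c: w / total for c, w in weights.items()}

def prior_from_statistical(stat_class, spread=1.0):
    """Prior belief over classes, centred on the statistical rating (constructed)."""
    return _normalise({c: math.exp(-abs(c - stat_class) / spread) for c in CLASSES})

def module_likelihood(score, stat_class, c, spread=1.5):
    """Hypothetical likelihood of observing `score` if the true class is `c`:
    a +1 score is most likely when the firm is one class better than the model says."""
    implied = stat_class - score
    return math.exp(-abs(c - implied) / spread)

def integrate(stat_class, scores):
    """Bayesian integration of the six module scores into a stand-alone class.
    Returns (most probable class, posterior distribution)."""
    assert set(scores) == set(MODULES), "all six modules must be scored"
    assert all(s in SCORE_LABELS for s in scores.values()), "scores are -2..+2"
    posterior = prior_from_statistical(stat_class)
    for s in scores.values():
        for c in CLASSES:
            posterior[c] *= module_likelihood(s, stat_class, c)
    posterior = _normalise(posterior)
    return max(posterior, key=posterior.get), posterior

def decide(stat_class, analyst_a, analyst_b, override=None, explanation=None):
    """Two-analyst step. Returns (proposed class, route), route being 'analysts'
    when the process stops there or 'rating_committee' when it escalates.
    A deviation from the stand-alone rating must come with an explanation."""
    a, _ = integrate(stat_class, analyst_a)
    b, _ = integrate(stat_class, analyst_b)
    proposed = a
    if override is not None:
        if not explanation:
            raise ValueError("deviation from the stand-alone rating must be explained")
        proposed = override
    broadly_agree = abs(a - b) <= 1              # constructed agreement rule
    improvement = stat_class - proposed          # positive = upgrade vs the model
    if broadly_agree and improvement <= UPGRADE_LIMIT:
        return proposed, "analysts"
    return proposed, "rating_committee"

if __name__ == "__main__":
    neutral = {m: 0 for m in MODULES}
    strong = {m: 2 for m in MODULES}
    print(decide(6, neutral, {**neutral, "financial_statements": 1}))
    print(decide(6, strong, strong))   # two-class upgrade: escalates
```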

This architecture matters for the article because it shows that ICAS already has a formalized institutional layer for incorporating information that is not fully represented in the statistical model. However, the relevant inference must remain limited. MISP No. 79 confirms the existence and strengthening of the expert-assessment channel; it does not confirm that cyber risk has entered that channel. In the paper, the explicitly discussed new risk sources are climate-related risks, sector dynamics, ESG factors and geopolitical risk, not cyber risk.

The validation exercise is also relevant, but it must be interpreted carefully. The empirical validation is based on more than 25,000 expert assessments produced between 2016 and 2022. For each observation, the dataset records the statistical rating, the full rating, the module scores assigned by analysts, and any default event in the twelve months following the rating assignment. The paper evaluates whether expert assessment provides incremental value over the statistical model, how individual modules contribute to the full rating, and whether differences across analysts translate into different rating performance.

The main validation result is that expert assessment improves the discriminatory power of ICAS. The AUROC increases from 85.3 percent for the statistical rating to 87 percent for the full rating. The paper reports that the ROC curve for the full rating lies above the curve for the statistical rating across the full range of thresholds, and that the improvement is statistically significant under a bootstrapping procedure. The improvement is also broadly robust when the analysis is repeated by firm size and by year, although the paper cautions that some subsample results should be interpreted carefully because of limited statistical robustness.

The paper also finds that expert assessment changes the predictive stance of ICAS. The full rating tends to be more conservative than the statistical rating, often resulting in lower ratings. This may reduce narrow precision in matching realized defaults, but it increases prudence and robustness. The paper states that the full rating shows greater resilience to year-to-year fluctuations in default rates because it tends to overestimate defaults, whereas the statistical rating does not always forecast deteriorating credit conditions.

The analysis of analyst behaviour is particularly important for avoiding an overly simplified interpretation of the expert layer. The paper finds that analysts combine module scores in a discretionary fashion. The financial statement module provides the largest marginal contribution to discriminatory power, followed by financial flexibility and third-party opinions. These three modules are the only ones that make a positive and statistically significant contribution to discriminatory power in the reported decomposition. By contrast, the sector analysis module has a negative marginal contribution, although it is not statistically significant, and a residual component linked to other variables or individual analyst choices has a statistically significant negative contribution.

The same analysis shows that none of the individual modules, considered in isolation, significantly enhances predictive power. The shift from the statistical rating to the full rating is instead associated with a more conservative overall stance, partly captured by the constant term in the regression. In other words, even without specific module signals, analysts tend to worsen the statistical rating, introducing a precautionary bias.

The heterogeneity of analyst behaviour is another relevant caveat. The paper finds that analysts often differ in the modules they use and in the weights they implicitly assign to those modules; some analysts do not employ all modules. Approximately 80 percent of analysts differ from the average analyst in the adoption of modules for the full rating. However, this heterogeneity does not translate into superior performance: no individual analyst strategy significantly outperforms the group in terms of discriminatory or predictive power. The paper also warns that, because default events are rare, the results on individual analyst strategies have mainly heuristic value.

A further nuance is essential. The validation exercise refers to the previous version of the expert-assessment methodology, used until 2023. The paper states that the current version benefits from methodological enhancements introduced after the 2023 review, but that an empirical estimation of the value added by the current methodology will only be possible once an adequate statistical sample becomes available. The reported empirical contribution should therefore be read as evidence on the expert-assessment mechanism, not as a final measurement of the post-2024 methodology.

For the purposes of this article, the safest conclusion is therefore narrow but strong. MISP No. 79 does not show that cyber risk is already an operational ICAS input. It does show that ICAS contains a structured expert-assessment layer capable of integrating forward-looking and qualitative information; that this layer has been made more transparent through checklists, documented explanations and Bayesian aggregation; that expert assessment improves the discriminatory power of the full rating relative to the statistical model; and that Banca d’Italia explicitly frames the framework as capable of incorporating emerging risk factors, including climate risks, ESG factors, geopolitical risk, new data sources and artificial intelligence tools.

The implication for MISP No. 75 is consequently methodological, not operational. The cyber-risk vulnerability indicator proposed in MISP No. 75 can be read as a candidate risk signal for a framework of this type, because ICAS already contains a formal channel for integrating information beyond the statistical model. At the time of the article update, however, the public evidence supports only this possibility. It does not support the stronger claim that cyber-risk-adjusted probabilities of default are already used inside ICAS.

Banca d’Italia MISP No. 77: a methodological analogue for non-financial risks

Banca d’Italia MISP No. 77, Hydrogeological and credit risk: the Italian firms’ physical risk-adjusted probability of default, provides the clearest methodological analogue.19 It is not a cyber-risk paper. It assesses climate-related physical risks, specifically floods and landslides, and their impact on the one-year probability of default of Italian non-financial firms.

The report states that the authors combine firm financial data with the geographic location of operational units and hazard levels. For each firm, they derive a discrete risk indicator and a probability of default adjusted for hydrogeological risk by rewriting financial-statement items to incorporate expected loss due to the relevant physical hazard.

This is relevant because it illustrates, in an official Banca d’Italia methodology, a general modelling pattern that is also conceptually relevant for cyber risk:

  1. identification of a non-financial hazard;
  2. mapping of the hazard to firm-level exposure or vulnerability;
  3. estimation of an expected loss mechanism;
  4. translation of the loss into stressed financial-statement values;
  5. recomputation or adjustment of the probability of default.
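The five steps above carried through in code for a cyber hazard, as an added example that is not the methodology of MISP No. 77 or No. 75: the hazard probabilities, the exposure function, the loss parameters and the toy logistic PD model are constructed assumptions, chosen only to make each step concrete.

```python
"""The five-step pattern (hazard -> exposure -> expected loss -> stressed
financial statement -> adjusted PD) applied to a cyber hazard.
Illustrative code only: hazard probabilities, the exposure function, loss
parameters and the toy logistic PD model are constructed assumptions."""
import math
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Statement:
    """Simplified financial-statement items (constructed, EUR)."""
    revenue: float
    ebitda: float
    cash: float
    total_debt: float
    equity: float

# Step 1: identify the hazard. Constructed annual probability of a disruptive
# cyber incident per discrete hazard band (the analogue of a discrete
# hydrogeological risk indicator).
HAZARD_BANDS = {"low": 0.05, "medium": 0.15, "high": 0.30}

# Step 2: map the hazard to firm-level exposure: the share of revenue that
# depends on digital processes, reduced by control maturity (both in [0, 1];
# constructed functional form).
def exposure(digital_dependence, control_maturity):
    return digital_dependence * (1.0 - 0.5 * control_maturity)

# Step 3: expected loss = P(incident) x exposure x severity, where severity is
# revenue lost during downtime plus a recovery-cost share (constructed).
def expected_loss(stmt, hazard_band, digital_dependence, control_maturity,
                  downtime_days=10, recovery_cost_share=0.02):
    p_incident = HAZARD_BANDS[hazard_band]
    severity = stmt.revenue * (downtime_days / 365 + recovery_cost_share)
    return p_incident * exposure(digital_dependence, control_maturity) * severity

# Step 4: rewrite statement items so that they absorb the expected loss.
def stress(stmt, loss):
    return replace(stmt, ebitda=stmt.ebitda - loss,
                   cash=max(0.0, stmt.cash - loss), equity=stmt.equity - loss)

# Step 5: recompute PD. Toy logistic model on leverage and debt coverage
# (constructed coefficients, not a calibrated model); z is clamped so that
# extreme ratios cannot overflow exp().
def probability_of_default(stmt):
    leverage = stmt.total_debt / max(stmt.equity, 1.0)
    coverage = stmt.ebitda / max(stmt.total_debt, 1.0)
    z = max(min(-4.0 + 0.8 * leverage - 3.0 * coverage, 50.0), -50.0)
    return 1.0 / (1.0 + math.exp(-z))

def cyber_adjusted_pd(stmt, hazard_band, digital_dependence, control_maturity):
    """Return (baseline PD, cyber-adjusted PD, expected loss) for one firm."""
    loss = expected_loss(stmt, hazard_band, digital_dependence, control_maturity)
    return probability_of_default(stmt), probability_of_default(stress(stmt, loss)), loss

# Constructed sample firm.
SAMPLE_FIRM = Statement(revenue=10_000_000, ebitda=1_000_000, cash=500_000,
                        total_debt=3_000_000, equity=2_000_000)

if __name__ == "__main__":
    for band in HAZARD_BANDS:
        base, adj, loss = cyber_adjusted_pd(SAMPLE_FIRM, band, 0.8, 0.2)
        print(f"{band:6} expected loss {loss:12,.0f}  PD {base:.4f} -> {adj:.4f}")
```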

The correct conclusion is not that climate risk and cyber risk are equivalent. They are structurally different. Hydrogeological risk is geographically anchored and physical; cyber risk is partly technical, partly organizational, partly behavioural, and partly supply-chain-dependent. The relevant point is narrower: the Banca d’Italia MISP series is already publishing methodologies in which non-financial risk factors are transformed into adjusted credit-risk metrics for non-financial firms.

Cyber Index PMI 2025: complementary evidence from Italian SMEs

The Rapporto Cyber Index PMI 2025 provides the most relevant complementary evidence on the cyber-readiness of Italian small and medium-sized enterprises outside the Banca d’Italia MISP series.20 It must be used with a precise methodological caveat: it is not a Banca d’Italia source, not an ICAS input, and not a firm-level credit-risk model. It is a survey-based institutional initiative focused on the level of cyber culture, awareness and preparation of Italian SMEs. Its value for this article is therefore not that it estimates probability of default, but that it documents the operational, organizational and supply-chain conditions through which cyber risk may become economically material for non-financial firms.

The initiative is promoted by Generali and Confindustria, with the scientific support of the Osservatori Digital Innovation of the School of Management of Politecnico di Milano and with the institutional partnership of the Agenzia per la Cybersicurezza Nazionale. The report states that the Cyber Index PMI initiative, now in its third year, aims to measure the level of culture and awareness of cyber risk in Italian SMEs, as well as their level of preparation, and to monitor their evolution over time. The 2025 survey was conducted through a Computer Assisted Web Interviewing (CAWI) methodology and involved 1,582 Italian SMEs with between 10 and 249 employees, addressing key corporate figures such as IT managers, cybersecurity managers, owners and other responsible roles. The questionnaire is modular: all 1,582 firms accessed the first level, while 562 firms considered more exposed accessed the second level. The number of preparation-related questions ranges from 13 to 23 depending on the firm’s exposure profile.

The Cyber Index PMI is built on a scale from 0 to 100 and represents the synthetic capacity of Italian SMEs to understand and mitigate cyber risk. The index is calculated from three equally contributing dimensions: strategic approach, identification and implementation. These dimensions are then decomposed into twenty areas of analysis covering organizational choices, risk-management practices, processes, technologies, skills, insurance, third-party management, disaster recovery, patch management and incident response.

The headline result is that the synthetic index reached 55/100 in 2025, compared with 52/100 in 2024 and 51/100 in 2023. The report interprets this as a positive but still insufficient evolution. The improvement is driven mainly by the strategic-approach dimension, which reaches 62 points, while identification reaches 48 points and implementation remains stable at 57 points. This distinction is important: the report explicitly indicates that the progress observed in 2025 is more attributable to growing theoretical awareness than to a fully effective strengthening of the operational security posture.

The maturity distribution confirms this interpretation. Only 16 percent of the sample falls into the mature class, with a Cyber Index score between 80 and 100. The remaining firms are distributed across beginners at 14 percent, informed at 38 percent and aware at 32 percent. The fact that mature firms exceed beginner firms for the first time is described as a symbolic but limited milestone, not as evidence of systemic adequacy. Seven out of ten SMEs remain in the two intermediate classes, where awareness exists but does not yet consistently translate into structured risk-management practices and effective countermeasures.

This matters for credit-risk interpretation because cyber risk is already linked in the report to business continuity, supply-chain participation and commercial qualification. The report states that almost one Italian SME out of four declared that it had suffered at least one cyberattack in the previous three years. It also reports that 2.5 percent suffered operational or financial consequences and that 6 percent required significant response actions. These are self-reported survey data, not independently verified incident records. They should therefore not be treated as an incident database. They are nevertheless relevant because they show that cyber exposure is not merely theoretical in the SME segment.

The supply-chain evidence is even more relevant for the argument of this article. The report states that 81 percent of SMEs operate in supply chains characterized by large organizations, critical infrastructures, public administration, multinationals, international exposure or geopolitical instability. It also states that large firms and public administrations are progressively integrating cybersecurity requirements into supplier-selection processes, preferring partners able to demonstrate a solid defensive posture. The consequence is not only technical vulnerability but potential commercial exclusion: SMEs that cannot demonstrate minimum cybersecurity standards may become less acceptable as suppliers in strategic value chains.

The technology and process evidence shows a sharp asymmetry between basic controls and more advanced resilience capabilities. Basic tools are broadly adopted: antivirus or anti-malware is present on 89 percent of workstations, dedicated network firewalls in 78 percent of firms, and email filtering in 73 percent. Hardening of servers and workstations is reported by 68 percent of firms. More advanced controls are materially less widespread: MFA is present in 43 percent of firms, encryption for workstations in 33 percent, network segmentation in 27 percent, endpoint detection and response or endpoint protection solutions in 26 percent, and formal vulnerability-management and disclosure processes in only 9 percent. This is important because a credit-relevant cyber-resilience assessment cannot be inferred from the presence of basic perimeter controls alone.

The report also shows weaknesses in the operational cycle of incident response and recovery. Among the more exposed SMEs, only 13 percent have an incident-response plan updated periodically on the basis of previous attacks or new threats, while 29 percent have an operational response plan that is not periodically updated. A further 33 percent are evaluating the introduction of such a plan and 24 percent do not plan to introduce one. On disaster recovery, 24 percent of SMEs declare that they can restore application services and data access in real time, 28 percent can restore them with delay, 12 percent can restore only access to data, 20 percent are evaluating the introduction of a plan and 16 percent do not consider it necessary. The operational implication is clear: many SMEs are not yet structured to control the duration and propagation of a cyber disruption once the incident has occurred.

Third-party cyber-risk governance remains one of the weakest areas. The report distinguishes between the assessment of third parties and the contractual or procedural management of third-party cybersecurity. Among the more exposed SMEs, only 9 percent periodically monitor the security level of all suppliers, while 14 percent perform occasional checks on selected relevant suppliers. At the level of third-party management, 17 percent of firms have formal clauses regulating responsibilities, access and monitoring activities and require certifications from suppliers and partners; 12 percent request certifications without formal clauses; 29 percent are evaluating the introduction of specific rules; and 42 percent have not defined them. This is particularly material because cyber risk may propagate through suppliers, managed service providers, software providers, outsourced IT operations and other digital dependencies.

The report also highlights several structural drivers that connect cybersecurity to economic resilience. NIS2 is presented as a change-maker because it shifts cybersecurity from an IT delegation to a governance and compliance responsibility, with effects that may also reach firms outside the formal NIS2 perimeter through supply-chain assessment. Cyber insurance is presented not only as a mechanism for transferring residual risk, but also as an indirect driver of minimum security standards, because access to coverage is linked to underwriting requirements such as MFA, network segmentation and backup policies. The report also notes growing attention to digital sovereignty: approximately 60 percent of SMEs evaluate the geographical origin of cybersecurity solutions, while 11 percent perceive dependence on extra-EU actors as a strategic vulnerability.

For the purposes of this article, the safest conclusion is narrow. Cyber Index PMI 2025 supports the proposition that cyber risk is becoming economically and organizationally material for Italian SMEs. It documents improving awareness, but also persistent weaknesses in identification, implementation, advanced controls, incident response, disaster recovery and third-party governance. It does not support the stronger proposition that SME cyber maturity can be directly translated into probability of default without further modelling. Its role is complementary: it provides survey-based evidence on the real operating conditions that a future cyber-risk credit model would need to take into account.

Banca d’Italia Financial Stability Report No. 1/2026: operational resilience and ICT concentration

Banca d’Italia’s Financial Stability Report No. 1/2026 provides a broader official context for interpreting cyber risk as a financial-stability and operational-resilience issue.21 It is not a source on the cyber maturity of Italian non-financial firms and should not be used as evidence about the cybersecurity posture of the Italian corporate sector as a whole. Its relevance is systemic: the report shows how operational incidents, cyber events, ICT third-party dependence, cloud and IT supply chains, geopolitical tensions, artificial intelligence and post-quantum cryptography are treated within the supervisory perimeter of financial stability.

The report is framed by a macrofinancial environment characterized by heightened geopolitical and trade tensions, the conflict in the Middle East, energy-price shocks, tighter financial conditions and persistent uncertainty. Within this context, the financial position of Italian households and firms is described as balanced overall, while the banking system is presented as sound in terms of capitalization and profitability. This macro context matters because cyber and operational disruptions are not analysed in isolation. They are part of a wider risk environment in which shocks may affect confidence, liquidity, funding conditions, asset quality, operational continuity and the ability of firms to repay loans.

The most directly relevant part is the section on operational and cyber risks. In the second half of 2025, Italian supervised financial entities reported 59 major incidents, of which 11 related to cyber events. Service providers were involved in around 60 percent of the incidents. The report also states that no major operational or cyber incidents were reported in payment systems and market infrastructures in the same period. This distinction is important: the report does not describe a systemic cyber crisis in Italian financial infrastructures, but it does show that major incidents in supervised entities are materially connected to external service providers.

The DORA register of information adds the structural dimension. Based on the first data collection round, with reference date 31 March 2025, directly supervised intermediaries rely on around 10,000 IT service-provider contracts. Just over half of these contracts relate to critical or important functions. Total annual expenditure is approximately €2.4 billion. The top five providers account for about 40 percent of the total contract value, while the top ten account for 52 percent. The report therefore identifies not only the existence of ICT outsourcing, but also concentration and dependency in the provision of services supporting critical or important functions.
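An added example (not Banca d'Italia's DORA data or code) showing how the concentration measures quoted above are computed from a register of ICT contracts, extended with a Herfindahl-Hirschman index and a check for critical or important functions that rest on a single provider, which is where the substitutability question arises; the register below is constructed.

```python
"""Concentration and dependency analysis over an ICT third-party register
(illustrative code; the register is constructed, not Banca d'Italia's DORA
data). Computes top-N provider share of contract value, the share tied to
critical or important functions, an HHI, and critical functions with a
single provider (no fallback)."""
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Contract:
    provider: str
    function: str
    annual_value: float   # constructed, EUR
    critical: bool        # supports a critical or important function

def value_by_provider(register):
    totals = defaultdict(float)
    for c in register:
        totals[c.provider] += c.annual_value
    return dict(totals)

def top_n_share(register, n):
    """Share of total contract value held by the n largest providers."""
    values = sorted(value_by_provider(register).values(), reverse=True)
    total = sum(values)
    return sum(values[:n]) / total if total else 0.0

def hhi(register):
    """Herfindahl-Hirschman index on provider shares (percentages squared, 0..10000)."""
    totals = value_by_provider(register)
    total = sum(totals.values())
    return sum((v / total * 100) ** 2 for v in totals.values()) if total else 0.0

def critical_share(register):
    """Share of contract value supporting critical or important functions."""
    total = sum(c.annual_value for c in register)
    crit = sum(c.annual_value for c in register if c.critical)
    return crit / total if total else 0.0

def single_provider_critical_functions(register):
    """Critical functions whose contracts are all with one provider."""
    providers = defaultdict(set)
    for c in register:
        if c.critical:
            providers[c.function].add(c.provider)
    return sorted(f for f, p in providers.items() if len(p) == 1)

# Constructed register: one intermediary, twelve contracts, ten providers.
REGISTER = [
    Contract("CloudCo", "core_banking_hosting", 300.0, True),
    Contract("CoreBankSys", "core_banking_application", 250.0, True),
    Contract("NetEdge", "network_connectivity", 150.0, True),
    Contract("PayGateway", "payment_processing", 120.0, True),
    Contract("DataVault", "backup_and_recovery", 100.0, True),
    Contract("SecOps", "soc_monitoring", 60.0, True),
    Contract("HRSoft", "hr_payroll", 40.0, False),
    Contract("PrintSvc", "document_printing", 30.0, False),
    Contract("Analytics", "marketing_analytics", 25.0, False),
    Contract("DataVault", "archive_storage", 20.0, False),
    Contract("NetEdge", "payment_processing", 30.0, True),   # second payments provider
    Contract("LegalDocs", "contract_management", 15.0, False),
]

if __name__ == "__main__":
    print(f"top 5 share: {top_n_share(REGISTER, 5):.1%}")
    print(f"top 10 share: {top_n_share(REGISTER, 10):.1%}")
    print(f"critical/important share: {critical_share(REGISTER):.1%}")
    print(f"HHI: {hhi(REGISTER):.0f}")
    print("single-provider critical functions:", single_provider_critical_functions(REGISTER))
```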

The report then connects this dependency structure to digital operational resilience. It states that heavy reliance on IT service providers requires appropriate risk oversight and that, given the complexity of IT service supply chains, intermediaries are required to adopt robust risk control and risk-management arrangements. This is consistent with the DORA logic: cyber risk is not only a matter of internal technical controls, but also of governance over outsourced ICT services, subcontracting chains, substitutability, concentration and operational continuity across the entire digital service supply chain.

The systemic perspective is reinforced by the discussion of vulnerabilities and operational incidents. Banca d’Italia states that its analyses focused on two interconnected critical areas: the security and resilience of technological supply chains, exposed to cross-border events involving global IT and cloud providers, and the rise in cyber threats linked to geopolitical tensions. The report mentions the October 2025 cyberattack on the internal systems of F5, a provider of application delivery and security technologies whose products are widely used in enterprise and financial-sector digital infrastructures.22 Although no evidence of direct impacts on Italian financial intermediaries was identified, the event was examined by CERTFin and monitored by the operational crisis-management and business-continuity coordination structures of the Italian financial marketplace. This is a useful example of how a cyber event affecting a critical technology supplier can be relevant to domestic financial stability even without confirmed local disruption.

The report also links operational and cyber risk to emerging technologies. It states that new technologies amplify exposure to operational and cyber risks and identifies artificial intelligence as a technology with high innovative potential and large-scale possible applications in the financial sector. The same passage stresses that investment in AI must be accompanied by careful and responsible risk management, with particular emphasis on cybersecurity. Finally, the report notes that, in early 2026, the G7 Cyber Expert Group published a roadmap for the financial sector’s transition to post-quantum cryptography, aimed at addressing operational and cyber risks through a coordinated, system-wide approach.

For the purposes of this article, the implication is narrow but relevant. The Financial Stability Report does not show that cyber risk has already become a credit-risk input for Italian non-financial firms. It does, however, show that Banca d’Italia treats operational and cyber risk as systemic issues where the relevant unit of analysis is not only the individual institution, but also its dependency graph: IT service providers, cloud providers, outsourced operational services, global technology suppliers, digital funding channels, AI-enabled architectures and cryptographic transition paths. This supports an important extension of the article’s argument. Cyber risk is not only a property of the single firm. It is also a property of the digital and operational ecosystem on which the firm depends.

The connection with credit-risk analysis should therefore be formulated cautiously. The report does not provide a model for translating cyber exposure into probability of default. It supports the more limited proposition that, as business continuity becomes increasingly dependent on external digital services, future credit-risk and resilience assessments may need to account for supplier concentration, operational substitutability, ICT outsourcing governance, cross-border cloud dependencies and the capacity to maintain essential processes under cyber or technology-supply-chain stress.


Footnotes

  1. See: Banca d’Italia. (2026). Measuring cyber risk in the Italian corporate sector: A cyber risk vulnerability indicator for non-financial firms (MISP No. 75). URL. Abstract: This work proposes an indicator of cyber risk vulnerability for Italian non-financial firms, applying natural language processing and a large language model to data extracted from financial statements, news reports, and cyber industry reports. The indicator is based on a taxonomy tailored to Italy, addressing dimensions of cyber risk that so far have not been considered within a unified methodological framework. The new taxonomy captures, for a large and heterogeneous sample of firms, the occurrence of cyberattacks, the degree of firms’ regulatory compliance and the utilization of cyber defence technologies and security certifications. The aptness of including cyber risk in credit risk models is suggested by the data on cyberattacks in Italy, which have been on the rise since 2019. The negative impact of cyber incidents on firms’ vulnerability in the aftermath of an attack outweighs the mitigating effects of defensive actions, which require some time to have an impact. Also, firms tend to increase the amount of information on cyber risk in official reporting only after suffering an attack. Overall, the findings indicate that cyber risk may have material effects on business continuity and, hence, it has to be incorporated into credit risk assessments.

  2. See: Giudici, P., & Raffinetti, E. (2021). Cyber risk ordering with rank-based statistical models. AStA Advances in Statistical Analysis, 105(4), 469–484. DOI. Abstract: In a world that is increasingly connected on-line, cyber risks become critical. Cyber risk management is very difficult, as cyber loss data are typically not disclosed. To mitigate the reputational risks associated with their disclosure, loss data may be collected in terms of ordered severity levels. However, to date, there are no risk models for ordinal cyber data. We fill the gap, proposing a rank-based statistical model aimed at predicting the severity levels of cyber risks. The application of our approach to a real-world case shows that the proposed models are, while statistically sound, simple to implement and interpret.

  3. See: Eurosystem credit assessment framework (ECAF); Banca d’Italia’s In-house Credit Assessment System (ICAS-BI).

  4. See: Banca d’Italia (2021). Overview of central banks’ in-house credit assessment systems in the euro area (MISP No. 13). URL; Banca d’Italia (2020). The in-house credit assessment system of Banca d’Italia (QEF No. 586). URL

  5. See: Banca d’Italia (2025). The use of Banca d’Italia’s credit assessment system for Italian non-financial firms within the Eurosystem’s collateral framework (MISP No. 60). URL

  6. See: Banca d’Italia (2026). Credit Risk Assessment with Stacked Machine Learning (MISP No. 73). URL

  7. See: Glossario - ACN

  8. See: Domini della cybersicurezza - Asset Management. Abstract: Nell’ambito dei domini di cybersicurezza, l’Asset Management consiste nell’insieme delle pratiche volte a identificare, classificare, configurare e proteggere gli asset di un’organizzazione. L’Asset Management ha lo scopo di mettere in sicurezza dai vettori di attacco cibernetici tutti gli asset dell’organizzazione. Le capability relative a questo dominio derivano dall’interazione di processi e controlli che da una parte si occupano di identificare quali sono e dove sono collocati gli asset da proteggere, dall’altra tracciano e monitorano le modifiche e gli aggiornamenti a cui gli asset sono soggetti. Sviluppare capability di cybersicurezza all’interno di questo dominio coinvolge diverse attività e tra le principali troviamo: (i) la creazione e aggiornamento dell’inventario degli asset, (ii) la classificazione degli asset e (iii) la gestione delle configurazioni.↩︎

  9. See: Domini della cybersicurezza - Security Architecture, Engineering and Operations. Abstract: The Security Architecture, Engineering and Operations domain aims to design, implement and maintain the organization’s architecture, meaning the set of all components that contribute to maintaining cybersecurity, in order to reduce cyber risk to within the accepted level. In other words, this domain helps an organization plan cybersecurity in a holistic and integrated way. This capability derives from defining a cybersecurity infrastructure that matches the organization’s characteristics and needs as well as the identified security requirements. The domain comprises the high-level activities whose purpose is to identify and coordinate a set of technological solutions, processes and controls that ensure the confidentiality, integrity and availability of information and protect it from cyber threats. Developing cybersecurity capabilities in this domain involves several activities, chief among them: (i) defining security requirements, (ii) Security by Design, (iii) Security by Default, (iv) patching and (v) backup.↩︎

  10. See: Domini della cybersicurezza - Event, Threat and Incident Management. Abstract: The Event, Threat and Incident Management domain consists of the set of practices aimed at identifying, classifying, responding to and communicating cyber events. The activities carried out in this domain are meant to detect and analyse anomalous events, verify the presence of security incidents and proceed with their handling and containment. This capability derives from the interaction of processes and controls that, on the one hand, work to prevent incidents by monitoring what happens inside the organization and, on the other, define how to respond to and contain any cyber attacks. Developing cybersecurity capabilities in this domain involves several activities, chief among them: (i) event monitoring, (ii) Cyber Threat Intelligence (CTI), (iii) incident management and (iv) reporting.↩︎

  11. See: Domini della cybersicurezza – Cyber Risk Management. Abstract: The Cyber Risk Management domain consists of the set of practices aimed at keeping cyber risk within a given level, in line with the assessments performed and the organization’s objectives. Developing security capabilities in this domain involves several activities, including: (i) cyber risk identification and analysis, (ii) cyber risk treatment, (iii) cyber risk communication and (iv) third-party cyber risk management. Cyber Risk Management is integrated into the organization-wide Enterprise Risk Management (ERM) and aims to define and implement a cyber risk management programme that minimizes the likelihood of the organization being harmed by cyber attacks.↩︎

  12. See: Domini della cybersicurezza - Identity and Access Management. Abstract: The Identity and Access Management domain aims to govern and enable the mitigation of the risk of uncontrolled access to organizational resources. This capability derives from the interaction of processes and controls that ensure, first of all, that user accounts are created, configured and decommissioned in accordance with organizational procedures; that each account is granted only the permissions needed to carry out the activities associated with the role held within the organization; and that, for every resource in the organization, the most appropriate authentication methods are defined according to the criticality of the resource. Developing cybersecurity capabilities in the Identity and Access Management domain involves several activities. Among the main ones, the following are the focus here: (i) user provisioning, (ii) user access review, (iii) definition of authentication methods and (iv) user deprovisioning.↩︎

  13. See: Domini della cybersicurezza - Cybersecurity Governance. Abstract: The Cybersecurity Governance domain consists of the set of practices aimed at defining and steering cybersecurity activities through the development of a strategy that allows the organization’s objectives and mission to be achieved. That strategy must also be monitored and updated so that it stays aligned with the objectives and the organizational context, which may change over time. The domain also aims to organize and regulate the cybersecurity activities carried out within the organization by defining policies that set the requirements to be met to guarantee organizational resilience. Developing cybersecurity capabilities in this domain involves several activities, chief among them: (i) defining the cybersecurity strategy, (ii) monitoring the cybersecurity strategy and (iii) defining and maintaining organizational policies.↩︎

  14. See: Domini della cybersicurezza - Workforce Management. Abstract: The Workforce Management domain aims to plan policies and procedures that guarantee the cybersecurity of employees within the organization and to manage both internal and external personnel. The purpose of this domain is to reduce the risk of cyber attacks, protect the organization’s sensitive data and information, regularly monitor and update security policies and procedures and, in general, create a cybersecurity culture within the organization. Developing cybersecurity capabilities in this domain involves several activities, chief among them: (i) screening and hiring, (ii) onboarding and offboarding, (iii) training and awareness and (iv) assignment of roles and responsibilities.↩︎

  15. See: Domini della cybersicurezza - Business Continuity and Disaster Recovery. Abstract: The Business Continuity and Disaster Recovery domain aims to guarantee operational continuity and the rapid restoration of critical IT infrastructure and data and, in general, to minimize the service disruptions that follow an outage or a disaster. For Business Continuity activities, the objective is to maintain the continuity of essential operations in the event of crises or security incidents that make systems unavailable for some period of time. For Disaster Recovery activities, the purpose is to guarantee the ability to restore compromised systems as quickly and safely as possible. The domain also comprises the activities aimed at testing the completeness and effectiveness of the procedures defined to ensure Business Continuity and Disaster Recovery. Developing cybersecurity capabilities in this domain involves several activities, chief among them: (i) performing the BIA (Business Impact Analysis), (ii) Disaster Recovery and (iii) testing the Disaster Recovery plans.↩︎

  16. See: NIS - Network and Information Security↩︎

  17. See: Domini della cybersicurezza - Assessment e Testing. Abstract: The Assessment and Testing domain consists of the set of practices aimed at assessing the cybersecurity level of an organization’s own assets. This domain aims to test the organization’s various components, evaluate the effectiveness of the security measures implemented and identify potential vulnerabilities in order to remediate them. The results of assessment and testing activities make it possible to identify the most appropriate actions to correct the identified vulnerabilities which, if left unresolved, could be exploited by malicious actors. In this way it is possible to determine whether specific security objectives and requirements are met within the organization or whether improvements are needed to reach the desired cybersecurity objectives and requirements. Developing cybersecurity capabilities in this domain involves several activities, chief among them: (i) Vulnerability Assessment, (ii) Penetration Testing and (iii) static code analysis.↩︎

  18. See: Banca d’Italia. (2026). The expert assessment within Banca d’Italia’s in-house credit assessment system (MISP No. 79). URL. Abstract: This study investigates the role of the expert assessment – conducted by two analysts following the production of a rating based solely on the statistical model – within Banca d’Italia’s in-house credit assessment system of Italian non-financial firms (ICAS). We have two aims: to document recent methodological enhancements, including the integration of climate-related risks and of sector analysis, and to provide an estimate of the contribution of the expert assessment to the rating process. The study leverages over 25,000 assessments produced by analysts between 2016 and 2022, including corporate default events. The recent methodological innovations have enhanced the transparency and consistency of the expert assessment, facilitating the integration of new risk sources. Our empirical results show that the expert assessment significantly improves both the predictive power and the discriminatory power of the full ratings obtained through ICAS, compared with the ratings based solely on the statistical model, with an increase of the AUROC of around 2 percentage points. Furthermore, the expert assessment protects the performance of ICAS, particularly during periods of macroeconomic stress.↩︎

  19. See: Banca d’Italia. (2026). Hydrogeological and credit risk: the Italian firms’ physical risk-adjusted probability of default (MISP No. 77). URL. Abstract: We assess the impact of climate-related physical risks on the one-year probability of default (PD) of Italian non-financial firms, focusing on hydrogeological risks such as floods and landslides. We compile a dataset combining firms’ financial data with the geographic location of their operational units, matched to hazard levels. We derive for each firm: i) a discrete risk indicator; ii) a PD adjusted for hydrogeological risks, calculated by rewriting the financial statement items so as to incorporate the expected loss due to hydrogeological risk. Our analysis shows that 38 per cent of firms are exposed to hydrogeological risks, with notable regional and sectoral differences. On average, exposure leads to a small increase in PD and limited economic impact, with negligible effects on collateral used in monetary policy operations. However, firms in high-risk areas suffer a higher drop in creditworthiness. Insurance coverage mitigates this effect across the entire sample, reducing the PD impact by half on average. These findings reflect current conditions. The expected increase in the frequency and severity of extreme events in the near future could amplify the negative effects on firms’ credit profiles.↩︎

  20. See: Generali Italia, Confindustria, Osservatori Digital Innovation - School of Management Politecnico di Milano, and Agenzia per la Cybersicurezza Nazionale. (2025). Rapporto Cyber Index PMI 2025: La cultura digitale protegge la tua impresa. URL.↩︎

  21. See: Banca d’Italia. (2026). Financial Stability Report No. 1/2026. URL. Overview: The conflict in the Middle East has increased the vulnerabilities of the global economy and financial system in an environment already characterized by strong geopolitical and trade tensions and by heightened uncertainty. Global growth forecasts have been revised downwards, inflation expectations have risen and financial conditions have tightened. At the same time, the existing risks stemming from excessive financial market valuations, especially in the technology sector, still linger. Any further increases in investors’ risk aversion could affect the riskiest segments of the international financial system. In Italy, the main risks to financial stability stem from international factors. Until last February, Italy’s macrofinancial conditions and the risks associated with cyclical developments were stable. Following the outbreak of the conflict, Italian government bond yields rose and, to a smaller extent, so did their spread vis-à-vis the German Bund; share prices dropped sharply and, although they have since recovered, they remain exposed to significant fluctuations. The markets have continued to function in an orderly fashion. The financial condition of households and firms is balanced, but a deterioration in the macroeconomic scenario could affect their confidence. The risks to households remain limited given their sound financial position and low debt. The picture for firms also appears to be stable on the whole, supported by a low level of debt and moderate credit growth. At a time of widespread uncertainty, higher energy and transport costs, more persistent inflationary pressures and less accommodative financial conditions could have an impact on households’ purchasing power and on firms’ costs, as well as on their confidence. Despite starting from a sound position, financial intermediaries are exposed to risks that could materialize should the conflict drag on. 
The deterioration in the geopolitical environment and increased uncertainty may expose banks to a number of risks: funding and liquidity conditions could worsen if market yields were to rise sharply; asset quality could be affected by a deterioration in the ability of firms to repay their loans. However, Italy’s banking system continues to exhibit high levels of capitalization and profitability. The Italian insurance sector also remains sound, thanks to high capitalization levels, rising premium income, and improving profitability and liquidity conditions; higher yields on fixed-income securities could, however, lead to unrealized losses. Banca d’Italia is continuing to monitor the risks to the macrofinancial environment stemming from the war in the Middle East. It has confirmed the macroprudential measures in place in 2025 and has updated the capital requirements for the other systemically important institutions involved in mergers. There are four special-focus boxes in this Report. The first one analyses Italian investors’ holdings in securities issued by the US technology sector and concludes that the exposure is limited overall. The second presents a new composite indicator of systemic risk for the financial cycle for Italy. The third box shows that the higher default rate for loans granted by less significant institutions can largely be explained by the characteristics of borrowers. The fourth box analyses the characteristics and risks of less significant institutions’ use of online deposit platforms to collect deposits from abroad.↩︎

  22. See: Banca d’Italia. (2026). Financial Stability Report No. 1/2026. URL. See also: F5. (2025). K000154696: F5 Security Incident. URL. See also: UK National Cyber Security Centre. (2025). Confirmed compromise of F5 network. URL. See also: Cybersecurity and Infrastructure Security Agency. (2025). ED 26-01: Mitigate Vulnerabilities in F5 Devices. URL. Context: Banca d’Italia refers to reports, in October 2025, of a cyberattack on the internal systems of F5 and states that no evidence of direct impacts on Italian financial intermediaries was identified. The report also states that the incident was examined by CERTFin and monitored by the working group for operational crisis-management coordination and business continuity in the Italian financial marketplace. CERTFin, the Italian Financial CERT, is a public-private cooperative initiative for the Italian financial sector, with a presidency shared between Banca d’Italia and ABI and operated by ABI Lab. Its stated objectives include acting as a sectoral point of contact, promoting public-private and cross-sector cooperation, sharing information on incidents, cyber threats, vulnerabilities and lessons learned, analysing specific cyber events and their systemic impact, supporting incident response and crisis management through CODISE, and defining methodologies and tools for cyber-risk management. According to F5’s official security notice, the incident involved long-term, persistent access by a highly sophisticated nation-state threat actor to certain F5 systems. According to CISA Emergency Directive ED 26-01, a nation-state-affiliated cyber threat actor compromised F5 systems and exfiltrated files, including a portion of BIG-IP source code and vulnerability information. 
According to the UK NCSC alert, the reported exfiltrated data included a portion of BIG-IP source code and vulnerability information; this could enable a threat actor to exploit F5 devices and software, conduct static and dynamic analysis to identify logical flaws and vulnerabilities, and develop targeted exploits. NCSC identifies the affected products as BIG-IP iSeries, rSeries or other unsupported F5 devices, and software running BIG-IP F5OS, BIG-IP TMOS, Virtual Edition, BIG-IP Next, BIG-IQ, and BIG-IP Next for Kubernetes / Cloud-Native Network Functions. NCSC further states that successful exploitation of impacted F5 products could enable access to embedded credentials and API keys, lateral movement, data exfiltration and persistent system access, while also stating that, at the time of its alert, there was no indication that customer networks had been impacted through the compromise of the F5 network. The relevance for this article is therefore not that F5 is a cloud provider, nor that Italian financial intermediaries suffered a confirmed impact, but that a compromise of a widely deployed application-delivery and security supplier can create technology-supply-chain risk for critical digital infrastructures.↩︎

Citation

BibTeX citation:
@online{montano2026,
  author = {Montano, Antonio},
  title = {Measuring {Cyber} {Risk} in the {Italian} {Corporate}
    {Sector}},
  date = {2026-01-24},
  url = {https://antomon.github.io/longforms/measuring-cyber-risk-in-italian-corporate-sector/},
  langid = {en}
}
For attribution, please cite this work as:
Montano, Antonio. 2026. “Measuring Cyber Risk in the Italian Corporate Sector.” January 24. https://antomon.github.io/longforms/measuring-cyber-risk-in-italian-corporate-sector/.