Measuring Cyber Risk in the Italian Corporate Sector

A Banca d’Italia indicator of cybersecurity vulnerability designed to support creditworthiness evaluation

The growing reliance of firms on digital systems has elevated cyber risk from a technical concern to a material source of economic and financial vulnerability. Despite its potential impact on business continuity and firm performance, cyber risk remains largely absent from standard credit risk assessment frameworks, particularly for non-financial firms. This article reviews and discusses a recent contribution by Banca d’Italia that addresses this gap through the construction of a firm-level indicator of cyber risk vulnerability for Italian non-financial firms. The indicator combines a novel, Italy-specific cyber risk taxonomy with large language models and natural language processing techniques applied to financial statements, press coverage, and cybersecurity-related information sources. Using data covering the period 2019–2024, the analysis documents a sharp increase in cyberattacks, persistent high levels of cyber risk vulnerability across sectors, and significant heterogeneity in firms’ exposure and adaptation. The evidence shows that cyber incidents have an immediate and dominant effect on measured vulnerability, while the mitigating impact of defensive measures emerges only gradually. The article situates these findings within the context of credit risk assessment, highlighting how systematic measurement of cyber risk can support the integration of non-traditional risk factors into firm-level credit evaluation, while providing a practical overview of cyber risk for business readers.
cybersecurity
risk management
🇬🇧
Author

Antonio Montano

Published

January 24, 2026

Modified

February 2, 2026

Introduction

The progressive digitalization of production processes, corporate governance, and supply chains has profoundly altered the risk profile of non-financial firms. Information systems have become essential productive assets, tightly interwoven with operational continuity, data integrity, and market access. As a result, cyber risk has evolved from a technical concern confined to information technology departments into a material source of economic and financial vulnerability. Cyber incidents can disrupt business operations, compromise sensitive information, propagate through supplier networks, and generate persistent reputational and legal costs, with direct implications for firms’ cash flows and creditworthiness. Yet, despite its growing relevance, cyber risk remains largely absent from standard credit risk assessment frameworks for non-financial firms.

This gap reflects both conceptual and empirical challenges. Cyber risk is inherently multidimensional, combining exposure to malicious attacks, organizational preparedness, regulatory compliance, and the effectiveness of technological and procedural defenses. Moreover, much of the relevant information is embedded in unstructured textual sources such as financial statements, press coverage, and cybersecurity reports, rather than in standardized quantitative indicators. Traditional risk models, which rely primarily on financial ratios and historical defaults, are ill-suited to capture these features. As a consequence, the contribution of cyber risk to firms’ vulnerability is often underestimated or entirely overlooked.

Columba et al.1 address these challenges by developing a comprehensive indicator of cyber risk vulnerability for Italian non-financial firms, combining a novel, Italy-specific cyber risk taxonomy with large language models applied to financial statements, press coverage, and cybersecurity industry sources. The taxonomy captures six key dimensions of cyber risk: regulatory compliance, professional certifications, technological defenses, organizational processes, realized cyberattacks, and affiliations with national or international cybersecurity organizations. By systematically extracting and classifying information from financial statements, press articles, and specialized cybersecurity sources, the methodology transforms heterogeneous and unstructured textual data into a structured, firm-level measure of cyber vulnerability.

1 See: Banca d’Italia. (2026). Measuring cyber risk in the Italian corporate sector: A cyber risk vulnerability indicator for non-financial firms (MISP No. 75). URL. Abstract: This work proposes an indicator of cyber risk vulnerability for Italian non-financial firms, applying natural language processing and a large language model to data extracted from financial statements, news reports, and cyber industry reports. The indicator is based on a taxonomy tailored to Italy, addressing dimensions of cyber risk that so far have not been considered within a unified methodological framework. The new taxonomy captures, for a large and heterogeneous sample of firms, the occurrence of cyberattacks, the degree of firms’ regulatory compliance and the utilization of cyber defence technologies and security certifications. The aptness of including cyber risk in credit risk models is suggested by the data on cyberattacks in Italy, which have been on the rise since 2019. The negative impact of cyber incidents on firms’ vulnerability in the aftermath of an attack outweighs the mitigating effects of defensive actions, which require some time to have an impact. Also, firms tend to increase the amount of information on cyber risk in official reporting only after suffering an attack. Overall, the findings indicate that cyber risk may have material effects on business continuity and, hence, it has to be incorporated into credit risk assessments.

The empirical analysis covers the period from 2019 to 2024 and documents a sharp increase in both the frequency and diversity of cyberattacks affecting Italian non-financial firms. The results show that cyber risk is widespread and persistent across sectors, with particularly high exposure in manufacturing, professional services, and wholesale and retail trade. The proposed cyber risk index remains elevated over time, suggesting structural weaknesses in firms’ cybersecurity posture. Moreover, the evidence indicates that the negative impact of cyber incidents on firms’ vulnerability in the aftermath of an attack outweighs, in the short term, the mitigating effects of defensive actions, which tend to materialize only gradually. Firms also appear to increase the quantity and granularity of cybersecurity disclosure in their financial statements primarily after experiencing a cyberattack, highlighting the limits of self-reported information as a forward-looking risk signal.

By offering a systematic and replicable approach to measuring cyber risk exposure, this work contributes to the growing literature on the financial implications of cyber threats. More importantly, it lays the groundwork for the integration of cyber risk into credit risk assessment frameworks, such as the Banca d’Italia’s In-house Credit Assessment System. In doing so, the paper advances the view that cyber risk should be treated as a core component of firms’ overall risk profile, rather than as an external or ancillary consideration, and that modern risk assessment must increasingly rely on advanced analytical tools capable of extracting economic meaning from complex, unstructured data sources.

Empirical findings

The empirical analysis provides a comprehensive picture of the exposure of Italian non-financial firms to cyber risk and of the dynamics linking cyber incidents, disclosure behavior, and measured vulnerability. The findings consistently point to cyber risk as a structural and persistent feature of firms’ risk profiles rather than a transitory or idiosyncratic phenomenon.

Rising frequency and sectoral concentration of cyberattacks

The first salient result concerns the sharp increase in cyberattacks affecting non-financial firms over the period 2019–2024. The number of documented incidents in the sample rises from 14 in 2019 to 232 in 2023, with preliminary evidence for 2024 confirming that cyber risk remains elevated. On average, during the most recent years of the sample, one firm assessed within the In-house Credit Assessment System (ICAS) perimeter experiences a cyberattack approximately every two days. This acceleration mirrors international threat intelligence but is particularly relevant given that the sample is dominated by non-listed firms, which are typically less visible in global datasets.

Cyberattacks are unevenly distributed across sectors. Manufacturing emerges as the most affected sector, both in absolute terms and in growth rates, reflecting the expanded attack surface created by the diffusion of Industry 4.0 technologies and the convergence of IT and operational technology environments. Professional, scientific and technical services, wholesale and retail trade, and vehicle repair also exhibit high exposure, consistent with their reliance on digital processes, customer data, and extended supply chains. These patterns confirm that cyber risk is shaped by sector-specific operational models rather than by firm size alone.

Typology of attacks and underlying threat structure

The composition of cyberattacks further clarifies the nature of firms’ exposure. Ransomware is the most prevalent and severe threat across the sample, particularly in manufacturing, professional services, and retail sectors, where operational disruptions can be rapidly monetized by attackers. Data breaches are widespread across all sectors, indicating persistent weaknesses in data protection and access control. Phishing and malware attacks are especially prominent in sectors characterized by intensive human interaction with digital systems, highlighting the role of human vulnerability alongside technical flaws. The presence of advanced persistent threats, though limited to specific sectors such as manufacturing and mining, signals that some firms attract highly sophisticated adversaries targeting strategic assets and industrial know-how. Overall, the distribution of attack types aligns closely with EU and international threat assessments, providing external validation of the dataset.

Persistently high cyber risk vulnerability

The construction of the cyber risk index reveals a second critical finding: firms’ vulnerability remains persistently high throughout the observation period. After normalization, the average index value fluctuates narrowly around 82–83 between 2020 and 2023, with no evidence of a meaningful downward trend. This stability at elevated levels suggests that improvements in cybersecurity practices are, at best, keeping pace with the increasing intensity and sophistication of cyber threats rather than reducing overall exposure.

Distributional analysis reinforces this interpretation. Most firms cluster in the upper segment of the risk scale, with median values consistently above 85 and a narrow interquartile range. While the standard deviation of the index increases over time, indicating growing heterogeneity across firms, the lower tail of the distribution improves only marginally. The persistence of high maximum values close to 100 across all years further indicates that a subset of firms remains extremely vulnerable despite regulatory pressure and increasing awareness.

Structural weaknesses and uneven adaptation

The increase in dispersion of the cyber risk index points to diverging trajectories among firms. Some firms appear to strengthen their cybersecurity posture through investments in technologies, processes, and compliance mechanisms, while others lag behind, either due to limited capabilities, insufficient incentives, or organizational constraints. This heterogeneity suggests that cyber risk is not solely a function of external threats but also of internal governance, resource allocation, and strategic priorities. Importantly, the aggregate profile shows limited improvement, indicating that firm-level adaptations are insufficient to offset systemic exposure.

Sample coverage and representativeness

The analysis is based on the population of non-financial firms assessed within the Banca d’Italia’s ICAS and therefore does not aim to represent the entire Italian corporate sector. The sample is skewed toward medium and large firms, which account for the majority of observations, while micro and small enterprises are underrepresented. This reflects the ICAS perimeter and the availability of detailed financial statements, rather than a selection bias introduced by the methodology.

Disclosure dynamics and post-incident behavior

A central contribution of the paper lies in the analysis of how firms react to cyber incidents. The evidence shows that firms significantly increase both the volume and the diversity of cybersecurity-related disclosures in their financial statements following a cyberattack. Statistical tests confirm that references to regulations, certifications, technologies, processes, and even past attacks increase markedly in the post-incident reporting period. This behavior suggests that cyber incidents act as catalysts for disclosure and, in some cases, for formalizing cybersecurity practices.

However, this enhanced disclosure does not translate into an immediate reduction in measured vulnerability. On the contrary, the cyber risk index increases significantly after an attack. This result reflects the asymmetric weighting embedded in the scoring system: realized cyber incidents carry a larger negative contribution than the positive signals associated with defensive actions or compliance. The finding underscores a key empirical insight of the paper: the detrimental impact of a cyberattack on firms’ vulnerability outweighs, in the short term, the mitigating effects of post-incident responses.

Delayed effectiveness of defensive measures

The post-attack increase in the cyber risk index highlights the temporal mismatch between exposure and mitigation. While firms often react to incidents by strengthening governance structures, adopting technologies, or pursuing certifications, these measures require time to become operationally effective and to be reflected in observable outcomes. The index captures this lag by showing that defensive signals only partially offset the penalty associated with an attack within the same reporting window. This dynamic suggests that cyber resilience is cumulative and path-dependent rather than immediately responsive.

Robustness and validation

The paper evaluates the robustness of the proposed cyber risk indicator through multiple validation exercises. These include human audits of large language model classifications, sensitivity analyses based on perturbations of taxonomy weights, and comparisons with external benchmarks. The results show that the indicator remains stable under alternative specifications and that its main empirical patterns are not driven by model artefacts or classification noise.

Implications for risk assessment

Taken together, the findings indicate that cyber risk is a material, persistent, and unevenly distributed source of vulnerability for non-financial firms. The empirical evidence supports the inclusion of cyber risk in credit risk assessment frameworks, as cyber incidents have the potential to impair business continuity, affect financial performance, and increase default risk. Moreover, the reliance on external sources in addition to firms’ self-disclosure proves essential, as firms tend to provide more detailed information only after experiencing an attack. This reinforces the value of the integrated, AI-driven approach proposed by the authors in capturing both latent and realized dimensions of cyber risk.

Banca d’Italia’s credit evaluation framework

The analysis is explicitly framed within the context of credit risk assessment, although the paper does not estimate the impact of cyber risk on default probabilities. Instead, it develops a firm-level cyber risk vulnerability indicator intended to support future integration into existing credit evaluation frameworks, in particular the ICAS.

The paper documents that cyber incidents affecting non-financial firms have material consequences for business continuity, operational performance, and financial stability. These consequences are identified through the observed increase in cyber risk vulnerability following an attack and through the persistence of high vulnerability levels across firms and sectors. The authors emphasize that cyber incidents can disrupt operations, impair cash flows, and generate reputational and legal costs, which are factors traditionally associated with deteriorations in firms’ creditworthiness.

Within this framework, the cyber risk index is constructed as a synthetic measure that captures both realized cyber incidents and firms’ defensive and organizational characteristics. Higher values denote greater vulnerability: the index increases in response to confirmed cyberattacks and decreases with evidence of regulatory compliance, technological defenses, and structured cybersecurity processes. The asymmetric weighting of these components reflects the empirical observation that the negative effect of cyber incidents on vulnerability dominates, in the short term, the mitigating contribution of defensive actions.
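As an added illustration, not code from the paper or from Banca d’Italia, the following Python sketch makes the mechanics described here and in the Introduction concrete: taxonomy hits are extracted from disclosure text, each of the six dimensions contributes a signed weight with the attack dimension deliberately outweighing all defensive dimensions combined, and the raw score is rescaled to a 0–100 index. The keyword rules stand in for the paper’s LLM/NLP classifier; the keyword lists, weights, baseline, normalisation and the two excerpts are all assumptions constructed for the example.

```python
"""Toy cyber-vulnerability index from taxonomy hits in firm disclosures.

Added illustration only: keyword rules stand in for the paper's LLM/NLP
classifier, and every keyword list, weight, baseline and normalisation choice
below is an assumption, not the paper's specification.
"""
import re
from collections import Counter

# Six dimensions of the Italy-specific taxonomy described in the paper.
# Patterns are an assumed stand-in for the LLM classification step.
TAXONOMY = {
    "regulatory_compliance": [r"\bGDPR\b", r"\bNIS ?2\b", r"\bprivacy\b", r"\bdata protection\b"],
    "certifications": [r"\bISO[ /]?(?:IEC )?27001\b", r"\bcertif\w+"],
    "technological_defenses": [r"\bfirewall", r"\bbackup", r"\bmulti-?factor", r"\bencrypt\w+", r"\bEDR\b"],
    "organizational_processes": [r"\bincident response\b", r"\bbusiness continuity\b", r"\btraining\b", r"\bCISO\b"],
    "cyberattack": [r"\bransomware\b", r"\bdata breach\b", r"\bphishing\b", r"\bcyber-?attack", r"\bintrusion\b"],
    "affiliations": [r"\bCSIRT\b", r"\bENISA\b", r"\bISAC\b"],
}

# Signed contribution per dimension (assumed). Positive raises vulnerability.
# The attack weight (+40) exceeds the sum of the five defensive weights (-25)
# on purpose: an attack dominates any defensive disclosure in the same window.
WEIGHTS = {
    "regulatory_compliance": -5,
    "certifications": -5,
    "technological_defenses": -5,
    "organizational_processes": -5,
    "affiliations": -5,
    "cyberattack": 40,
}
BASELINE = 60  # assumed raw score for a firm-year with no signal at all
RAW_MIN = BASELINE + sum(w for w in WEIGHTS.values() if w < 0)  # 35
RAW_MAX = BASELINE + WEIGHTS["cyberattack"]                     # 100

# Constructed excerpts (not real filings) for one firm before and after an attack.
PRE_ATTACK = "The company complies with the GDPR. Backups are performed weekly."
POST_ATTACK = (
    "During the year the company suffered a ransomware attack. "
    "Following the incident, an incident response plan was adopted, "
    "multi-factor authentication was rolled out, ISO/IEC 27001 "
    "certification was obtained and staff training was delivered."
)


def classify(text: str) -> Counter:
    """Count taxonomy dimensions mentioned in a text, at most one hit per sentence."""
    hits: Counter = Counter()
    for sentence in re.split(r"(?<=[.!?])\s+", text):
        for dim, patterns in TAXONOMY.items():
            if any(re.search(p, sentence, re.IGNORECASE) for p in patterns):
                hits[dim] += 1
    return hits


def raw_score(hits: Counter) -> int:
    """Presence scoring: a dimension contributes its weight once if mentioned at all."""
    return BASELINE + sum(w for dim, w in WEIGHTS.items() if hits[dim] > 0)


def normalize(raw: int) -> float:
    """Min-max rescale of the raw score to 0..100 (assumed normalisation)."""
    return round(100 * (raw - RAW_MIN) / (RAW_MAX - RAW_MIN), 1)


def vulnerability_index(text: str, attacked: bool = False) -> float:
    """Index for one firm-year from its own disclosure plus an external attack flag.

    `attacked` models the press and threat-intelligence sources: an incident
    reported there counts even when the firm's own statement never mentions it.
    """
    hits = classify(text)
    if attacked:
        hits["cyberattack"] += 1
    return normalize(raw_score(hits))


if __name__ == "__main__":
    print("pre-attack disclosure:        ", vulnerability_index(PRE_ATTACK))
    print("post-attack disclosure:       ", vulnerability_index(POST_ATTACK))
    print("pre-attack text, press-reported attack:", vulnerability_index(PRE_ATTACK, attacked=True))
```

With these assumed weights the pre-attack excerpt scores 23.1, while the post-attack excerpt scores 76.9 even though it now discloses four defensive dimensions, because the single attack hit outweighs all of them within the same reporting window. Flagging the pre-attack firm as attacked through an external source, with no change to its own text, lifts it to 84.6, which is the reason the paper reads press and threat-intelligence sources alongside financial statements rather than relying on self-disclosure alone.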

The paper further shows that firms tend to increase the disclosure of cybersecurity-related information in their financial statements after experiencing a cyberattack. While this behavior signals heightened awareness and formalization of cybersecurity practices, the measured cyber risk vulnerability nonetheless increases in the post-attack period. This result is explicitly attributed to the scoring mechanism and to the empirical finding that defensive measures require time to produce observable effects, whereas the occurrence of an attack represents an immediate and concrete signal of vulnerability.

The authors state that the cyber risk index provides a basis for the future incorporation of cyber risk into probability-of-default estimation within ICAS. In operational terms, they outline that the indicator can be mapped into a firm-specific probability of experiencing a cyberattack and that the associated expected losses can be simulated and embedded into stressed financial statements. The resulting stressed financial information would then be used to derive a cyber-risk-adjusted probability of default, which would complement existing statistical and expert-based components of the ICAS framework.

Consistent with the scope of the paper, these elements are presented as methodological positioning rather than as empirical results. The contribution of the paper is therefore limited to the construction, validation, and empirical characterization of the cyber risk vulnerability indicator, while the quantitative estimation of its impact on credit risk metrics is explicitly left for future work.

Appendix A — Cyber risk

Definition adopted in the paper

For the purposes of this article, the definition of cyber risk strictly follows the conceptualization adopted in Measuring cyber risk in the Italian corporate sector: A cyber risk vulnerability indicator for non-financial firms. Cyber risk is defined as:

Any risk emerging from intentional attacks on information and communication technology systems that compromises the confidentiality, availability or the integrity of data or services.

This definition is explicitly adopted by the authors from Giudici and Raffinetti2 and is used consistently throughout the paper as the conceptual basis for the taxonomy, the algorithmic framework, and the construction of the cyber risk vulnerability indicator. It deliberately excludes accidental system failures, natural hazards, or purely operational disruptions not attributable to malicious intent.

2 See: Giudici, P., & Raffinetti, E. (2021). Cyber risk ordering with rank-based statistical models. AStA Advances in Statistical Analysis, 105(4), 469–484. DOI

Cyber risk in practice: a business-level overview

In simple terms, cyber risk is the risk a business takes by relying on digital systems, data, and connected technologies to operate.

Every modern organisation depends on information systems to manage customers, suppliers, finances, production, and decision-making. That dependency creates exposure: if digital systems are disrupted, compromised, or misused, the business may no longer be able to operate as intended. Cyber risk captures this possibility and the consequences that may follow.

Unlike purely technical failures, cyber risk is not limited to software bugs or hardware breakdowns. It includes deliberate malicious actions, human error, weaknesses in processes, and dependencies on third parties. For this reason, cyber risk is best understood as a business risk with technological roots, rather than as a purely technical issue.

Where cyber risk comes from

Cyber risk arises when four elements intersect.

First, there are assets. These are the things the business relies on and wants to protect: data, systems, services, intellectual property, and digital platforms that support daily operations.

Second, there are threats. These are events or actors that could cause harm, such as criminal attacks, fraud, insider misuse, or failures originating in suppliers and service providers.

Third, there are vulnerabilities. These are weaknesses that allow threats to materialise. Vulnerabilities can be technical, such as unpatched systems; organisational, such as unclear responsibilities; or human, such as lack of awareness or poor security practices.

Finally, there is impact. Impact refers to what would happen if a cyber event occurred. This may include operational downtime, financial loss, regulatory penalties, reputational damage, or loss of trust.

Cyber risk exists when valuable assets are exposed to credible threats through exploitable vulnerabilities in a way that could cause meaningful harm to the organisation.

Cyber risk versus cyber incidents

A cyber incident is an event that has already happened, such as a ransomware attack or a data breach. Cyber risk, by contrast, is the possibility that such an event occurs and causes harm.

An organisation may face significant cyber risk simply because it depends heavily on digital systems and lacks adequate safeguards, regardless of whether it has experienced an incident in the past. From a business perspective, cyber risk is therefore about exposure and preparedness, not just about reacting to past events.

Why cyber risk is a business issue

Cyber risk affects an organisation’s ability to achieve its objectives. It can interrupt operations, affect revenue, increase costs, and create legal or regulatory consequences. For these reasons, cyber risk belongs alongside financial, operational, and compliance risks.

Managing cyber risk requires decisions about priorities, investments, and acceptable levels of residual risk. These decisions cannot be made by technical teams alone. They require involvement from senior management and boards, who are responsible for understanding how digital dependencies support the business and what would happen if those dependencies were disrupted.

In practice, cyber risk is as much about governance and decision-making as it is about technology.

How organisations typically manage cyber risk

In most organisations, managing cyber risk follows the same logic used for other types of business risk.

The process usually starts by identifying what is critical to the organisation and what it depends on digitally. From there, attention is given to the most plausible ways those dependencies could fail or be exploited, and to the consequences such failures would have.

Not all risks can or should be eliminated. The objective is to reduce risk to a level that is understood and acceptable, using a combination of technical controls, processes, training, and oversight. Some level of residual cyber risk is inevitable and must be consciously accepted rather than ignored.

How this perspective relates to the article

The paper discussed in this article focuses on one specific and measurable dimension of cyber risk: exposure to intentional cyberattacks and the organisational factors associated with vulnerability. This narrow focus allows cyber risk to be quantified and compared across firms.

The broader perspective outlined in this appendix provides the practical context in which such measurement makes sense. It explains why cyber risk matters to business leaders and how it fits into everyday risk management and governance decisions.

Together, the two perspectives address both how cyber risk can be measured and why it matters for organisations.

Appendix B — Banca d’Italia ICAS: current role and future relevance for cyber risk

What ICAS is, in the Eurosystem context

The In-house Credit Assessment System operated by Banca d’Italia (often referred to as ICAS-BI) is a creditworthiness assessment system for Italian non-financial corporations. It is part of the Eurosystem credit assessment framework used to ensure that assets mobilised as collateral in monetary policy operations meet required credit standards3.

4 See: Banca d’Italia (2021). Overview of central banks’ in-house credit assessment systems in the euro area (MISP No. 13). URL; Banca d’Italia (2020). The in-house credit assessment system of Banca d’Italia (QEF No. 586). URL

In practice, ICAS enables banks to mobilise as collateral certain credit claims (loans to non-financial firms) that might not be covered by other credit assessment sources. This role is especially relevant for banks that do not have internal ratings based models and rely on external sources accepted within the Eurosystem collateral framework. Banca d’Italia has operated ICAS since 20134.

What ICAS produces and how outputs are used

Banca d’Italia’s public documentation emphasises that ICAS is used by banks in the collateral context and that outputs are not published as a full public rating list. The system does not disclose the list of assessed firms, nor the detailed ratings or estimated probabilities of default. Instead, counterparties are shown the Credit Quality Step classification for the firm.

ICAS assessments are used by commercial banks to support the mobilisation of loans as collateral in Eurosystem monetary policy operations, and to quantify the credit risk of those pledged loans within the collateral framework.

The internal architecture: statistical model plus expert assessment

Recent Banca d’Italia publications describe ICAS-BI as combining a statistical engine with an expert assessment module5.

5 See: Banca d’Italia (2025). The use of Banca d’Italia’s credit assessment system for Italian non-financial firms within the Eurosystem’s collateral framework (MISP No. 60). URL

A key reference states that ICAS-BI uses a statistical model producing monthly one-year probabilities of default for around 370,000 firms, and complements this with analysts’ expert assessments for a subset of roughly 4,000 firms per year.

A separate 2026 methodological note reiterates that the system consists of a statistical model (S-ICAS) and analysts’ evaluation, and compares S-ICAS with machine learning and deep learning alternatives6.

6 See: Banca d’Italia (2026). Credit Risk Assessment with Stacked Machine Learning (MISP No. 73). URL

“Future” in scope: what is explicitly stated in the cyber risk paper

The Banca d’Italia paper explicitly frames the proposed cyber risk vulnerability indicator as a potential future input into the ICAS expert assessment workflow. The authors state that further developments may involve integrating the cyber risk index, and a corresponding cyber risk–adjusted probability of default, into the set of early warning indicators monitored by analysts within the expert assessment module of ICAS.

This is the only forward-looking element discussed in this article that is directly grounded in the source paper. It reflects an explicit statement by the authors and should be interpreted as methodological positioning rather than as evidence of current implementation or empirically validated impact on credit risk metrics.
