Banca d'Italia develops cyber risk indicator for non-financial firms

A new Banca d'Italia working paper proposes an indicator to measure cyber risk vulnerability for Italian non-financial firms. The study uses natural language processing and large language models on financial statements, news reports, and cyber industry data.

AI-driven taxonomy reveals firm vulnerabilities

The paper introduces a new indicator of cyber risk vulnerability for Italian non-financial firms.

This indicator is built using natural language processing and large language models applied to data from financial statements, news reports, and cyber industry reports.

A taxonomy tailored to Italy addresses previously unconsidered dimensions of cyber risk, capturing cyberattacks, regulatory compliance, and the use of cyber defence technologies and security certifications.

The methodology allows for a structured extraction of cyber-related information, enhancing understanding of firms' disclosure priorities.

The indicator increases with higher cyber vulnerability.

Rising attacks, material consequences

Data shows cyberattacks in Italy have been on the rise since 2019, with a significant increase in frequency and diversity, from 14 incidents in 2019 to 232 in 2023 for the sample firms.

Manufacturing, Professional Services, Wholesale and Retail, and Vehicle Repair are among the most frequently targeted sectors.

The negative impact of cyber incidents on firms' vulnerability immediately after an attack outweighs the mitigating effects of defensive actions, which require time to take effect.

Firms also tend to increase cyber risk information in official reports only after experiencing an attack.

Foundational for credit risk

This study provides a crucial, comprehensive measure of cyber risk vulnerability for Italian firms, filling a gap in the existing literature.

Its systematic approach, leveraging AI and a tailored taxonomy, offers a replicable framework for business risk analysis.

The findings underscore that cyber risk has material effects on business continuity and must be integrated into credit risk assessments.

Source: No. 75 - The Cyber Risk of Non-Financial Firms
