IDEAS home Printed from https://ideas.repec.org/p/bdi/wpmisp/mip_075_26.html

The Cyber Risk Of Non-Financial Firms

Author

Listed:
  • Francesco Columba

    (Bank of Italy)

  • Manuel Cugliari

    (Bank of Italy)

  • Marco Orlandi

    (Bank of Italy)

  • Federica Vassalli

    (Bank of Italy)

Abstract

We build a novel indicator of cyber risk vulnerability for Italian non-financial firms applying natural language processing and a large language model to information extracted from financial statements, news, and cyber industry reports. The indicator is based on a taxonomy tailored to the Italian case, that addresses dimensions of cyber risk that so far have not been considered within a unified methodological framework. The new taxonomy captures both the occurrence of cyberattacks and the presence of the associated defensive measures, such as the regulatory compliance, technological defences, and certifications for a large and heterogeneous sample of firms. We find that since 2019 a sizable share of firms has experienced an increase in frequency and heterogeneity of cyberattacks. Firms appear highly vulnerable: the impact of a cyber incident on the vulnerability index in the aftermath of the attack outweighs the mitigating effects of the defensive actions, which require some time to become effective. Also, we observe that firms tend to increase cyber-related information in official reporting following an attack. These findings warrant the integration of cyber risk into credit risk models.

Suggested Citation

  • Francesco Columba & Manuel Cugliari & Marco Orlandi & Federica Vassalli, 2026. "The Cyber Risk Of Non-Financial Firms," Mercati, infrastrutture, sistemi di pagamento (Markets, Infrastructures, Payment Systems) 75, Bank of Italy, Directorate General for Markets and Payment System.
    • Handle: RePEc:bdi:wpmisp:mip_075_26
    as

    Download full text from publisher

    File URL: https://www.bancaditalia.it/pubblicazioni/mercati-infrastrutture-e-sistemi-di-pagamento/approfondimenti/2026-075/N.75-MISP.pdf
    Download Restriction: no
    ---><---

    References listed on IDEAS

    as
    1. Rustam Jamilov & Hélène Rey & Ahmed Tahoun, 2021. "The Anatomy of Cyber Risk," NBER Working Papers 28906, National Bureau of Economic Research, Inc.
    2. Antonis Kotidis & Stacey L. Schreft, 2022. "Cyberattacks and Financial Stability: Evidence from a Natural Experiment," Finance and Economics Discussion Series 2022-025, Board of Governors of the Federal Reserve System (U.S.).
    3. Rosati, Pierangelo & Deeney, Peter & Cummins, Mark & van der Werff, Lisa & Lynn, Theo, 2019. "Social media and stock price reaction to data breach announcements: Evidence from US listed companies," Research in International Business and Finance, Elsevier, vol. 47(C), pages 458-469.
    4. Paolo Giudici & Emanuela Raffinetti, 2021. "Cyber risk ordering with rank-based statistical models," AStA Advances in Statistical Analysis, Springer;German Statistical Society, vol. 105(3), pages 469-484, September.
    5. Eli Amir & Shai Levi & Tsafrir Livne, 2018. "Do firms underreport information on cyber-attacks? Evidence from capital markets," Review of Accounting Studies, Springer, vol. 23(3), pages 1177-1206, September.
    6. Md. Hamid Uddin & Md. Hakim Ali & Mohammad Kabir Hassan, 2020. "Cybersecurity hazards and financial system vulnerability: a synthesis of literature," Risk Management, Palgrave Macmillan, vol. 22(4), pages 239-309, December.
    7. Crosignani, Matteo & Macchiavelli, Marco & Silva, André F., 2023. "Pirates without borders: The propagation of cyberattacks through firms’ supply chains," Journal of Financial Economics, Elsevier, vol. 147(2), pages 432-448.
    8. Mikhed, Vyacheslav & Vogan, Michael, 2018. "How data breaches affect consumer credit," Journal of Banking & Finance, Elsevier, vol. 88(C), pages 192-207.
    9. (Annabella) Huang, Jiehui & Murthy, Uday, 2024. "The impact of cybersecurity risk management strategy disclosure on investors’ judgments and decisions," International Journal of Accounting Information Systems, Elsevier, vol. 54(C).
    10. Matteo Malavasi & Gareth W. Peters & Stefan Treuck & Pavel V. Shevchenko & Jiwook Jang & Georgy Sofronov, 2024. "Cyber Risk Taxonomies: Statistical Analysis of Cybersecurity Risk Classifications," Papers 2410.05297, arXiv.org.
    11. Masoud, Najeb & Al-Utaibi, Ghassan, 2022. "The determinants of cybersecurity risk disclosure in firms’ financial reporting: Empirical evidence," Research in Economics, Elsevier, vol. 76(2), pages 131-140.
    Full references (including those not matched with items on IDEAS)

    Most related items

    These are the items that most often cite the same works as this one and are cited by the same works as this one.
    1. Strauss, Tal, 2026. "Cyber Risk, Regulation, and Firm Resilience," Other publications TiSEM efb58ae1-e7b6-41dc-b403-2, Tilburg University, School of Economics and Management.
    2. Ramírez, Carlos A., 2025. "On equilibrium cyber risk," Economics Letters, Elsevier, vol. 251(C).
    3. Crosignani, Matteo & Macchiavelli, Marco & Silva, André F., 2023. "Pirates without borders: The propagation of cyberattacks through firms’ supply chains," Journal of Financial Economics, Elsevier, vol. 147(2), pages 432-448.
    4. Douglas Cumming & My Nguyen & Anh Viet Pham & Ama Samarasinghe, 2025. "Banking system stability: A global analysis of cybercrime laws," Papers 2512.01237, arXiv.org.
    5. Chelsea Liu & Muhammad Ali Babar, 2026. "Corporate cybersecurity risk and data breaches: A systematic review of empirical research," Australian Journal of Management, Australian School of Business, vol. 51(1), pages 62-92, February.
    6. Xuanpu Lin & Guoman She, 2025. "Timely Cybersecurity Disclosure and Information Manipulation," Management Science, INFORMS, vol. 71(11), pages 9308-9327, November.
    7. Masoud, Najeb & Al-Utaibi, Ghassan, 2022. "The determinants of cybersecurity risk disclosure in firms’ financial reporting: Empirical evidence," Research in Economics, Elsevier, vol. 76(2), pages 131-140.
    8. Cao, Hung & Phan, Hieu V. & Silveri, Sabatino, 2024. "Data breach disclosures and stock price crash risk: Evidence from data breach notification laws," International Review of Financial Analysis, Elsevier, vol. 93(C).
    9. Garg, Mukesh & Wang, Tawei & Wilkin, Carla L., 2025. "Impact of reporting information security breaches, accounting quality, and the opportunistic disclosure of good news and bad news," International Journal of Accounting Information Systems, Elsevier, vol. 56(C).
    10. Zong, Lu & Tao, Zheng & Zhai, Jia & Shi, Shimeng, 2025. "Measuring the impact of cyber policy: A news-based cyber policy index and its spillover to U.S. stock sectors," Research in International Business and Finance, Elsevier, vol. 78(C).
    11. Iyer, Subramanian R. & Simkins, Betty J. & Wang, Heng, 2020. "Cyberattacks and impact on bond valuation," Finance Research Letters, Elsevier, vol. 33(C).
    12. Chang, Jin-Wook & Jayachandran, Kartik & Ramírez, Carlos A. & Tintera, Ali, 2024. "On the anatomy of cyberattacks," Economics Letters, Elsevier, vol. 238(C).
    13. Hamzeh Al Amosh & Saleh F. A. Khatib, 2025. "Cybersecurity Transparency and Firm Success: Insights From the Australian Landscape," Australian Economic Papers, Wiley Blackwell, vol. 64(2), pages 189-204, June.
    14. Matteo Malavasi & Gareth W. Peters & Pavel V. Shevchenko & Stefan Truck & Jiwook Jang & Georgy Sofronov, 2021. "Cyber Risk Frequency, Severity and Insurance Viability," Papers 2111.03366, arXiv.org, revised Mar 2022.
    15. Vitaly Meursault & Daniel Moulton & Larry Santucci & Nathan Schor, 2025. "One threshold doesn't fit all: Tailoring machine learning predictions of consumer default for lower‐income areas," Journal of Policy Analysis and Management, John Wiley & Sons, Ltd., vol. 44(3), pages 792-815, June.
    16. Michael McShane & Trung Nguyen, 2020. "Time-varying effects of cyberattacks on firm value," The Geneva Papers on Risk and Insurance - Issues and Practice, Palgrave Macmillan;The Geneva Association, vol. 45(4), pages 580-615, October.
    17. Agbodoh-Falschau, Kouassi Raymond & Ravaonorohanta, Bako Harinivo, 2023. "Investigating the influence of governance determinants on reporting cybersecurity incidents to police: Evidence from Canadian organizations’ perspectives," Technology in Society, Elsevier, vol. 74(C).
    18. Kristin Masuch & Maike Greve & Simon Trang, 2021. "What to do after a data breach? Examining apology and compensation as response strategies for health service providers," Electronic Markets, Springer;IIM University of St. Gallen, vol. 31(4), pages 829-848, December.
    19. Zhu, Jing & Zhang, Chen & Sun, Jiaojiao & Ding, Jiajun, 2025. "The impact mechanism of interactive carbon disclosure on firm value moderated by investors’ online social networks," Research in International Business and Finance, Elsevier, vol. 75(C).
    20. Uddin, Md Hamid & Mollah, Sabur & Islam, Nazrul & Ali, Md Hakim, 2023. "Does digital transformation matter for operational risk exposure?," Technological Forecasting and Social Change, Elsevier, vol. 197(C).

    More about this item

    Keywords

    ;
    ;
    ;
    ;

    JEL classification:

    • C52 - Mathematical and Quantitative Methods - - Econometric Modeling - - - Model Evaluation, Validation, and Selection
    • C55 - Mathematical and Quantitative Methods - - Econometric Modeling - - - Large Data Sets: Modeling and Analysis
    • G24 - Financial Economics - - Financial Institutions and Services - - - Investment Banking; Venture Capital; Brokerage
    • G32 - Financial Economics - - Corporate Finance and Governance - - - Financing Policy; Financial Risk and Risk Management; Capital and Ownership Structure; Value of Firms; Goodwill

    Statistics

    Access and download statistics

    Corrections

    All material on this site has been provided by the respective publishers and authors. You can help correct errors and omissions. When requesting a correction, please mention this item's handle: RePEc:bdi:wpmisp:mip_075_26. See general information about how to correct material in RePEc.

    If you have authored this item and are not yet registered with RePEc, we encourage you to do it here. This allows to link your profile to this item. It also allows you to accept potential citations to this item that we are uncertain about.

    If CitEc recognized a bibliographic reference but did not link an item in RePEc to it, you can help with this form .

    If you know of missing items citing this one, you can help us creating those links by adding the relevant references in the same way as above, for each refering item. If you are a registered author of this item, you may also want to check the "citations" tab in your RePEc Author Service profile, as there may be some citations waiting for confirmation.

    For technical questions regarding this item, or to correct its authors, title, abstract, bibliographic or download information, contact: the person in charge (email available below). General contact details of provider: https://edirc.repec.org/data/bdigvit.html .

    Please note that corrections may take a couple of weeks to filter through the various RePEc services.

    IDEAS is a RePEc service. RePEc uses bibliographic data supplied by the respective publishers.