The evolution of compliance, corporate governance and risk assessment models has reached a turning point with the recent publication (19 January) of a new document from the Bank of Italy. According to the sources, cyber risk officially ceases to be a purely technical question and takes on the nature of a structural factor of credit risk.
Below is a brief analysis of the legal and strategic implications for non-financial companies.
1. Going beyond accounting data: analyzing unstructured data
The Supervisory Authority has noted that traditional balance sheets are no longer sufficient to represent a company's actual risk exposure. The new Bank of Italy model applies Natural Language Processing (NLP) and the Microsoft Phi-4 Large Language Model to analyze millions of documents, including press articles, specialized web sources, and financial reports.
The goal is to transform descriptive language into quantitative signals, intercepting information on:
- Mitigating elements: investments in defensive technologies, adoption of structured processes and possession of security certifications (such as ISO standards).
- Risk factors: disclosure of cyber incidents and past vulnerabilities.
2. Implications for governance and business continuity
From a legal and corporate governance perspective, the integration of cyber risk into credit assessment models (specifically in the ICAS – Italian Credit Assessment System) highlights how a cyber attack can compromise the financial stability of the institution.
Sources emphasize that a cyber event is no longer just an “extraordinary cost,” but a threat that can:
- interrupt business continuity;
- generate significant disputes and reputational damage;
- impact, even directly, the company's ability to repay the debt it has incurred.
3. The “persistence of risk” and critical sectors
The analysis highlights a phenomenon of particular importance for legal due diligence: the so-called “cyber scar.” A sustained cyber attack leaves a persistent mark on the company's risk profile, often weighing more than the corrective measures introduced ex post.
The sectors requiring the most stringent monitoring are manufacturing (due to the high interconnectivity of Industry 4.0), professional services, and commerce. The dominant threats identified include ransomware, data breaches and phishing.
4. Conclusions: Cybersecurity as a financial lever
For companies, complying with cybersecurity requirements is becoming a prerequisite for protecting their ratings and accessing capital markets. Investing in transparency, governance, and data protection is no longer just a regulatory compliance requirement, but a financial lever capable of directly affecting the cost of money.
In conclusion, in the current digital landscape, the failure to implement adequate cybersecurity measures can be considered a genuine breach of due diligence, with direct impacts on a company's solvency and creditworthiness.
Content by lawyer Gianmaria Pesce