CRA-Zones™

Cyber Risk Accumulation Zones

Download the framework in order to measure & understand your catastrophic cyber risk exposure.

What are CRA-Zones™? 

Cyber Risk Accumulation Zones (CRA-Zones™) were established to provide an easy to use open framework to measure and understand catastrophic cyber risk exposure. The CRA-Zones™ framework defines the minimal elements needed to provide a view of aggregated  cyber exposure. CRA-Zones™ allow for analysis across multiple portfolios of risks and monitoring of exposure trends. The framework was also created to support regulatory efforts for setting a standard for data collection for cyber exposure management.

For natural catastrophe risk, individual policy exposures can be aggregated within geographic zones. Similarly, cyber exposures can be aggregated using CRA-Zones™. Geographic location is still important when assessing cyber catastrophe risk, however, two additional elements must be taken into account to properly assess cyber risk aggregation - industry sector and company size.  The foundation of the CRA-Zones™ is built on acquired historical data and continuous analysis of millions of cyber incidents worldwide.

Analysis has shown a significant correlation between companies from the same location and industry tending to use the same third-party service providers and technologies, leaving them exposed to corresponding cyber attacks. Additionally, the analysis demonstrated that entity size has a direct correlation to technologies used, cyber preparedness, security policies, cybersecurity spending, and level of sophistication of cyber attacks.
Download Framework

What are the elements of the CRA-Zones™?

Location

Country level worldwide and state granularity in the US -based on the ISO-3166 Alpha-2 standard.

Industry

Industry classification breakdown based on the SIC classification system with additional granularity options. 

Entity Size

Four categories based on commonly used revenue bands.
Download Framework

CRA-Zones™ Data Granularity

The framework is built to accommodate users with various levels of data. In cases with insufficient data,  an automated data extrapolation technique can be applied for cyber exposure analysis using CRA-Zones™.
 
Zones can be viewed with low or high granularity. The views are built to accommodate the ability to use the platform despite varying quality of data within a group of risks

Low Granularity

Location
243 Countries
Industry
10 Divisions
Company Size
4 Revenue Band Size Classifications
Number of Zones
9,729

High Granularity

Location
243 Countries + 57 US States & Territories
Industry
10 Main divisions + 83 Subdivisions
Company Size
4 Revenue Band Size Classifications
Number of Zones
99,268
Download Framework

Advantages of implementing
CRA-Zones™

Open framework - No need to license a model
Understand  your cyber risk accumulation
Facilitate portfolio risk diversification
Easily track portfolio aggregation trends
Gain a view of risk that reflects risk accumulation across multiple portfolios
Download Framework

Benefits of Applying Additional Data Layers on CRA-Zones™

Detect correlation between risk accumulation & cyber attacks trends
Monitor compliance with defined risk appetite 
Support regulatory reporting obligations 
Financially quantify probable maximum loss (PML) events
Benchmark to average losses and average industry exposure per zone 
Download Framework

CRA-Zones™ Coding System

*United states_Virginia_Services_Business Services_Large Company

Download Framework

Example Portfolio

Want to learn more about CRA-Zones™?

Get in touch!