What are CRA-Zones?
Cyber Risk Accumulation Zones (CRA-Zones) were established to provide an easy-to-use, open framework for measuring and understanding catastrophic cyber risk exposure. The CRA-Zones framework defines the minimal elements needed to provide a view of aggregated cyber exposure. CRA-Zones allow for analysis across multiple portfolios of risks and for monitoring of exposure trends. The framework was also created to support regulatory efforts to set a standard for data collection for cyber exposure management.
For natural catastrophe risk, individual policy exposures can be aggregated within geographic zones. Similarly, cyber exposures can be aggregated using CRA-Zones. Geographic location is still important when assessing cyber catastrophe risk; however, two additional elements must be taken into account to properly assess cyber risk aggregation: industry sector and company size. The foundation of the CRA-Zones is built on acquired historical data and continuous analysis of millions of cyber incidents worldwide.
Analysis has shown a significant correlation: companies from the same location and industry tend to use the same third-party service providers and technologies, leaving them exposed to corresponding cyber attacks. Additionally, the analysis demonstrated that entity size correlates directly with the technologies used, cyber preparedness, security policies, cybersecurity spending, and the level of sophistication of cyber attacks.