Cyber Risk Accumulation Zones (CRA-Zones) were established to provide an easy to use open framework to measure and understand catastrophic cyber risk exposure. The CRA-Zones framework defines the minimal elements needed to provide a view of aggregated  cyber exposure. CRA-Zones allow for analysis across multiple portfolios of risks and monitoring of exposure trends. The framework was also created to support regulatory efforts for setting a standard for data collection for cyber exposure management.

For natural catastrophe risk, individual policy exposures can be aggregated within geographic zones. Similarly, cyber exposures can be aggregated using CRA-Zones. Geographic location is still important when assessing cyber catastrophe risk, however, two additional elements must be taken into account to properly assess cyber risk aggregation - industry sector and company size.  The foundation of the CRA-Zones is built on acquired historical data and continuous analysis of millions of cyber incidents worldwide.

Analysis has shown a significant correlation between companies from the same location and industry tending to use the same third-party service providers and technologies, leaving them exposed to corresponding cyber attacks. Additionally, the analysis demonstrated that entity size has a direct correlation to technologies used, cyber preparedness, security policies, cybersecurity spending, and level of sophistication of cyber attacks.