This paper presents preliminary evidence on cyber risk in the Italian private sector based on the Bank of Italy's annual surveys of Italian industrial and service firms. The information collected, albeit only covering the incidence of cyber attacks and some aspects of security governance, is the first of its kind for Italy. The results are striking: even though a mere 1.5 per cent of businesses do not deploy any cybersecurity measures, 30.3 per cent – corresponding to 35.6 per cent of total employees report at least some damage from a cyber attack between September 2015 and September 2016. Once data are corrected to account for unwillingness to report or inability to detect attacks on the part of some respondents, these figures climb to 45.2 and 56 per cent respectively, with large, high-tech and internationally exposed businesses faring worse than average. The economy-wide risk level is likely to be higher still; the financial sector, healthcare, education and social care are excluded from the sample, but they are known from other sources to be particularly appealing to attackers.