Zurich pushes for cybersecurity metrics to bridge $0.9trn risk gap

Joy Agwunobi

With the world facing a massive cyber risk protection gap estimated at $0.9 trillion, Zurich Insurance Group has called for the adoption of standardised national cybersecurity metrics to strengthen resilience and close the widening divide between economic losses from cyber events and the minimal insurance cover currently available.

According to Zurich, only about 1 percent of global losses arising from cyber incidents are covered by the re/insurance industry, leaving businesses, governments, and individuals dangerously exposed. 

The company issued this warning in a new report titled “Enhancing Cyber Security: Key Metrics for Policymakers”, published in collaboration with the Cyber Threat Alliance and the CyberGreen Institute.

The report argues that without reliable and comprehensive data, governments and organisations are effectively “flying blind” in the fight against cyber threats, which are evolving rapidly alongside emerging technologies such as artificial intelligence (AI), cloud computing, and blockchain.

While regional initiatives like the European Union Agency for Cybersecurity (ENISA) and the U.S. Cybersecurity and Infrastructure Security Agency (CISA) have developed useful frameworks at the corporate and sectoral levels, Zurich notes that national-level metrics to inform government policy are largely absent.

To address this gap, Zurich proposes the establishment of standardised national metrics, supported by robust data collection and analysis, as the foundation for policymaking. 

The report identifies six key measures that governments could adopt to assess national cyber preparedness. These include the percentage of organisations with cyber insurance or audit certification, which serves as an indicator of overall preparedness, and the proportion of exploited vulnerabilities that are more than a year old, which highlights the speed of remediation within the ecosystem. 

It also points to the number of significant cyber incidents as a measure of national detection and analysis capabilities, while the average time taken to contain such incidents reflects the ability to halt the spread of threats. 

In addition, the mean time required to restore operations provides a benchmark for recovery speed, and the percentage of unfilled cybersecurity positions reflects the workforce capacity available to manage growing risks.

Zurich further recommends the creation of National Cyber Statistics Bureaus, dedicated institutions that would track and report on cyber resilience. Such bodies would be tasked with ensuring consistent incident reporting, analysing systemic vulnerabilities, evaluating the effectiveness of cybersecurity regulation, and publishing key insights. Beyond national efforts, Zurich suggests these bureaus could form the foundation of a supra-national body to aggregate findings and enable comparative global benchmarking of cyber risk.

The company links its proposals to earlier recommendations in its 2024 whitepaper, “Closing the Cyber Risk Protection Gap,” which emphasised the need for robust quantitative data to underpin standards and best practices.

To move from the current fragmented and reactive approaches to a more unified, data-driven strategy, Zurich is urging policymakers to take decisive action. The company stresses the need for greater collaboration on data collection, shifting from reactive incident reporting to proactive, cross-sector data sharing. It also highlights the importance of establishing dedicated entities, either newly created or formed by empowering existing institutions, to collect, analyse, and report cyber statistics across industries and national borders.

In addition, Zurich emphasises the harmonisation of standards and frameworks, calling for consistent definitions, benchmarks, and reporting protocols that would enable more effective policymaking and stronger international cooperation.
