Standardised metrics needed to close $0.9tn cyber risk protection gap: Zurich

With the world facing a $0.9 trillion cyber risk protection gap, Zurich is calling for the adoption of standardised national cyber security metrics to close it, an effort that would require collaboration between governments and the private sector.

This gap highlights the vast difference between economic losses from cyber events and the minimal portion, just 1%, covered by the re/insurance industry.

In a new report titled “Enhancing cyber security: Key metrics for policymakers,” Zurich, together with the Cyber Threat Alliance and CyberGreen Institute, argues that without comprehensive data, governments and businesses are “flying blind” against rapidly evolving cyber threats.

As emerging technologies like artificial intelligence (AI), cloud, and blockchain introduce new vulnerabilities, most countries lack the data infrastructure needed to respond effectively.

While some national and regional initiatives, such as the European Union Agency for Cybersecurity (ENISA) or the U.S. Cybersecurity and Infrastructure Security Agency (CISA), offer guidance, there is a distinct absence of standardised national-level metrics to inform policy decisions, the report notes.

According to analysts, there is a clear disconnect between the growing threat landscape, the insights from current data collection, and the information needed to address new challenges.

“Cyber security is about keeping digital environments secure from risks so individuals and organizations can operate safely and confidently. It is a multifaceted issue that defies simple solutions. But one thing is certain: Without accurate, timely and comprehensive data, organizations are essentially flying blind in their cyber defences,” analysts state.

Effective metrics at the national or aggregate level will create better framework conditions for the safety of all parts of the economy, according to the report.

These will help protect critical infrastructures as well as small and medium-sized enterprises (SMEs) that form the backbone of the economy.

“They should focus on general resilience, preparedness and response capabilities, adapted by industry, the threat landscape and the size of companies. These metrics would give policymakers the ability to assess relative strengths and weaknesses within existing regulatory frameworks, so that they can see what is working and where adaptations may be needed,” analysts stated.

The analysts added: “To get there, public and private sector collaboration will be essential. Sharing data on what’s happening in the wild and what subsequently materializes into cyber incidents affecting public infrastructure organizations, defences and responses, is a key enabler to develop comprehensive strategies against cyber threats.”

Zurich’s report proposes six key metrics and a supporting institutional framework to address the cyber risk protection gap:

  1. Percentage of organisations with cyber insurance or audit certification: Measures preparedness and understanding of cyber security.
  2. Proportion of exploited vulnerabilities older than one year: Indicates how quickly an ecosystem remediates known weaknesses.
  3. Number of significant cyber incidents: Reflects national detection and analysis capabilities.
  4. Average time to containment of cyber incidents: Assesses the ability to stop threats from spreading.
  5. Mean time to restore operations: Measures how quickly an organisation can recover after a breach.
  6. Percentage of unfilled cyber security positions: Gauges workforce capacity to manage risks.

The report advocates for the creation of national cyber statistics bureaus, dedicated institutions to collect, analyse and publish these metrics.

These bureaus would enable consistent incident reporting, track threats and resilience, and assess the effectiveness of security regulations.

They could also support a supra-national body to aggregate findings, facilitating global comparisons and deeper insights into evolving threats.

To move from currently fragmented, reactive approaches to a unified, data-driven strategy, Zurich calls on policymakers to:

  • Collaborate on data collection: Shift from reactive incident reporting to proactive, cross-sector data sharing.
  • Establish dedicated entities: Create or empower national and global institutions to collect, analyse and report cyber statistics across industries and borders.
  • Harmonize standards and frameworks: Align reporting protocols and definitions to allow for meaningful international comparisons and informed decision-making.

The post Standardised metrics needed to close $0.9tn cyber risk protection gap: Zurich appeared first on ReinsuranceNe.ws.
