Insured losses cover only 1% of the US$0.9 trillion global economic damage from cyber incidents, according to Zurich Insurance Group and its partners, which argue that national cybersecurity metrics could help close this protection gap.
The report, Enhancing Cyber Security: Metrics for Policymakers, developed with the Cyber Threat Alliance and the CyberGreen Institute, says that while corporate-level frameworks exist through agencies such as ENISA in Europe and CISA in the United States, governments lack consistent national-level measures to guide policy decisions.
Zurich and its partners propose six indicators that could provide clarity: the percentage of organisations with cyber insurance or audit certification, the share of exploited vulnerabilities older than one year, the number of significant cyber incidents, the average time to containment, the mean time to restore operations, and the proportion of unfilled cybersecurity positions.
The report recommends creating National Cyber Statistics Bureaus dedicated to collecting and analysing such information. These institutions would provide consistency in incident reporting, assess the effectiveness of regulations, and publish data-driven evaluations. On a wider scale, findings could be aggregated by a supra-national body to enable global comparisons and generate insights into emerging threats.
The findings follow Zurich’s 2024 white paper Closing the Cyber Risk Protection Gap, which reported that although global cyber insurance premiums reached US$14 billion in 2023 and are projected to exceed US$29 billion by 2027, the gap between insured and total economic losses remains significant. Despite growth in the cyber insurance market, most small- and medium-sized businesses continue to be uninsured or underinsured, further widening exposure.
Zurich and its partners argue that addressing this situation will require stronger collaboration between governments and the private sector. They suggest moving away from reactive incident reporting toward proactive, cross-sector data sharing. They also recommend aligning reporting protocols, definitions, and benchmarks across jurisdictions to allow comparisons and consistent policymaking.
The report notes that the global cost of cybercrime is projected to climb from about US$8.5 trillion in 2022 to nearly US$24 trillion by 2027. Ransomware payments reached a record US$1.1 billion in 2023, underscoring the scale of disruption and the need for more comprehensive data.
The report warns that without nationally standardised metrics, policymakers will struggle to measure resilience, assess systemic weaknesses, and close the gap between insured and total losses.