Advancing Cyber Resilience Through Data-Driven Intelligence
Zurich Insurance Group (Zurich), together with the Cyber Threat Alliance and CyberGreen Institute, has published a new report “Enhancing cyber security: Key metrics for policymakers” urging the adoption of standardized national cyber security metrics. The report notes the global cyber risk protection gap of USD 0.9 trillion1, with insured losses covering only 1% of economic losses from cyber incidents.
The measures proposed in Zurich’s 2024 whitepaper, “Closing the Cyber Risk Protection Gap”, rely on robust quantitative data to enhance standards and best practices. While organizations like ENISA and CISA provide corporate-level frameworks, national metrics for policy decision-making are largely absent. Zurich’s new report introduces six key metrics and an institutional framework for governments to help clarify national cyber risk, strengthen resilience, and enable informed policy decisions:
- Percentage of organizations with cyber insurance or audit certification: Measures preparedness and understanding of cyber security.
- Proportion of exploited vulnerabilities older than one year: Indicates ecosystem defense and remediation speed.
- Number of significant cyber incidents: Reflects national detection and analysis capabilities.
- Average time to containment of cyber incidents: Demonstrates ability to halt the spread of threats.
- Mean time to restore operations: Assesses speed of recovery after incidents.
- Percentage of unfilled cyber security positions: Gauges workforce capacity to manage risks.
Establishing National Cyber Statistics Bureaus – dedicated institutions for collecting these metrics – would ensure consistent incident reporting, track threats and resilience, publish key analyses, and assess security regulation effectiveness. These bureaus could also support a supra-national body to aggregate findings, enabling deeper global comparisons and insights into evolving threats.
To move from currently fragmented, reactive approaches to a unified, data-driven strategy, Zurich calls on policymakers to:
- Collaborate on data collection: Move from reactive incident reporting to proactive, cross-sector data sharing
- Establish dedicated entities: Create or empower national and global institutions to collect, analyze, and report cyber statistics across industries and borders
- Harmonize standards and frameworks: Align definitions, benchmarks, and reporting protocols.
1 GFIA – Global Federation of Insurance Associations
Further information
- The report “Enhancing cyber security: Key metrics for policymakers” is available for download at https://www.zurich.com/knowledge/topics/digital-data-and-cyber/cyber-metrics-for-key-decision-makers.
- Whitepaper ‘Closing the Cyber Risk Protection Gap’ (published in 2024)
Contacts
- Media Relations
Zurich Insurance Group (Zurich) is a leading global multi-line insurer founded more than 150 years ago, which has grown into a business serving more than 75 million customers in more than 200 countries and territories, while delivering industry-leading total shareholder returns.
Reflecting its purpose to ‘create a brighter future together,’ Zurich offers protection services that go beyond traditional insurance, to support its customers in building resilience. Since 2020, the Zurich Forest project supports reforestation and biodiversity restoration in Brazil’s Atlantic Forest.
The Group has more than 63,000 employees and is headquartered in Zurich, Switzerland. Zurich Insurance Group Ltd (ZURN) is listed on the SIX Swiss Exchange and has a level I American Depositary Receipt (ZURVY) program, which is traded over-the-counter on OTCQX. Further information is available at www.zurich.com.