Beyond just IT: cybersecurity as a foundation for economic growth

A cyberattack against Morocco’s National Social Security Fund, which resulted in the leakage of the personal and financial details of nearly two million people; a cyber heist of US$ 1.5 billion in Ethereum, from the Dubai-based cryptocurrency exchange ByBit; a cyberattack targeting Italian government websites, including ministries, public policies and transportation platforms in Rome… These are all examples of the 21 significant cyber incidents reported by the Center for Strategic & International Studies, just for 2025.

Such events, growing in number and impact, threaten every sector and every nation around the world. Cyber incidents are sabotaging development, especially in middle- and low-income countries, where the digital revolution is still gaining momentum and defenses are weaker. 

However, the economic implications of cyber incidents were unclear until recently.

Cybersecurity market inefficiencies

Not long ago, during the World Bank Annual Meetings in Washington D. C., I attended one of the knowledge sessions organized by the Digital Development Unit for Latin America and the Caribbean. These sessions aim to disseminate insights that inform digital transformation across the region and contribute to the broader effort to position the World Bank, not only as a financial institution, but also as a knowledge bank.

The meeting, which focused on the economic implications of cyber events, took off with a presentation by Stéphane Straub, World Bank Chief Economist for Infrastructure, who explained the inefficiencies of the cybersecurity market. His talk made a compelling case for government intervention and World Bank support.

According to Straub, private cybersecurity markets fail due to four key issues which require public intervention: information asymmetry, externalities, tail risk and supply-side inefficiency.

First, firms operating in the digital space lack data on breach probability and potential damages, which leads to inefficient security investments. Thus, there is a need for an entity to facilitate information sharing.

Second, investments in cybersecurity generate positive spillover effects for interconnected firms, as enhanced security in one organization can reduce risks for others within the same network; however, these benefits are often not fully internalized by individual firms, leading to underinvestment. To address this market failure, governments can implement measures such as mandatory certification, ensuring that firms adequately invest in cybersecurity.

Third, for those high-cost, low-probability attacks, which are uninsurable privately, State intervention is needed to sustain insurance markets and protect critical infrastructure. 

And, fourth, regarding supply-side inefficiency, security services markets in emerging economies lack competition, leading to higher prices and lower quality, as well as limited incentives to tailor solutions to the specific emerging markets’ contexts. Thus, Governments should support market entry.

The key message of the initial intervention of the knowledge session was that Governments, with the help of the World Bank loans, knowledge and convening power, should provide public goods like regulation and threat intelligence to complement private cybersecurity.

Cybersecurity economics for emerging markets

During the session, I heard from Estefanía Vergara, Economist at the World Bank, about the main findings of her report Cybersecurity Economics for Emerging Markets.

Based on data from the Center for International and Security Studies at Maryland and the World Bank-owned Media-Disclosed Cyber Events database, her study set out to identify the main trends over the last decade in global cyber incidents and the relationship between economic growth and cybersecurity.

The report states that disclosed cyber incidents worldwide grew at an average annual rate of 21% in the last decade. It was surprising to discover that Latin America and the Caribbean is the world’s fastest-growing region for disclosed cyber incidents, with a 25% average annual growth rate since 2014. Within the region, per million people, Central America has become the most threatened scenario, a laboratory for hackers and malicious actors.

_{Source: Vergara Cobos, Estefanía. 2024. Cybersecurity Economics for Emerging Markets. © World Bank. http://hdl.handle.net/10986/42130 License: CC BY 3.0 IGO.}

The study notes that in emerging markets, though the main reason that inspires cyber incidents is financial gain (as happens in high-income countries), political motives such as protest and espionage encourage proportionally more events of this type than in rich countries. Plus, in emerging markets, the most affected sector by large is the public administration. This puts pressure on governments worldwide to act quickly. 

Regarding the economic implications of having cybersecurity, the study finds that a developing country that reduces its cyber incidents from the top to the bottom quartile of the distribution could see a 1.5% increase in GDP per capita. 

Finally, Vergara’s ongoing research suggests that low- and middle-income countries are likely to experience meaningful and rising economic losses from cyberattacks, with impacts becoming more pronounced as countries deepen their level of internet use and digital integration. 

Country approaches 

In the closing segment of the knowledge session, I had the chance to hear two of our counterparts, a Senior Regulatory Specialist at ANATEL and the Project Lead of the Caribbean Digital Transformation Regional Project, as they discussed the challenges they face in dealing with cybersecurity. 

Both highlighted concerns about limited human and financial resources for cybersecurity, slow policy responses to rapid digitalization, and risks from the interconnected nature of digital infrastructure. 

As a matter of fact, the data in the Cybersecurity Economics for Emerging Markets study shows a huge gap in investment in developing countries. Per capita cybersecurity spending is US$ 1 in India and Mexico, while in the United States and Canada it is US$ 30. Taking Latin America and the Caribbean as a reference, the United States spends 16 times more than the whole region on cybersecurity. 

During their interventions, the two counterparts suggested solutions to overcome such challenges: to leverage preexisting  institutions and governance structures to coordinate cybersecurity across all critical infrastructure sectors; to pool infrastructure and human resources; to standardize data protection and cybercrime regulations; and to foster capacity building. 

All these efforts are well underway thanks to World Bank endorsement. Be it through cybersecurity governance support in the context of a loan for the Dominican Republic Public Administration Reform; be it through funding to strengthen cybersecurity and data protection capacities to ensure digital services in Sergipe; be it through capacity building activities for public officials from Costa Rica, the Digital Development Unit for Latin America and the Caribbean has been helping countries in the region overcome their most pressing challenges. 

Overall, the knowledge session, just one in an ongoing series of meetings that disseminate knowledge both within the World Bank Group and across the region, underscored that cybersecurity is not just an IT challenge. As a matter of fact, it is fundamentally an economic issue.  

And the work by Estefanía Vergara Cobos on cybersecurity economics, though apparently just another study, marks a critical step in the ongoing journey towards a safe and secure digital transformation. 

Source : World Bank