John Leyden
Senior Writer

UK monitoring group to classify cyber incidents on earthquake-like scale

News Analysis
12 Feb 2025, 5 mins
Data Breach, IT Governance Frameworks, Incident Response

The Cyber Monitoring Centre (CMC) aims to establish a ‘consistent and objective framework’ to provide clarity to enterprise insurance buyers.


A UK body backed by the cyber insurance industry is seeking to establish a framework to classify the severity of cyber incidents affecting UK organisations.

The Cyber Monitoring Centre (CMC) — an independent nonprofit organisation launched last week — aims to create a standardised scale for measuring the impact of cyber incidents from one (least severe) to five (most severe).

A wide range of data and analysis will be used to assess and categorise incidents against the framework, which measures severity based on the proportion of UK organisations affected and the overall financial impact.

Edward Lewis, CEO of cybersecurity consultancy CyXcel, told CSO that the focus of CMC is on the needs of insurance buyers, rather than the industry itself.

“The CMC evolved from market reactions to the Lloyd’s cyber war bulletin, which faced backlash for its conflation of systemic cyber risk with cyber war, as well as the ambiguity and attribution challenges posed by the associated model clauses which followed it,” Lewis explained.

Insurance marketplace Lloyd’s of London put forward a policy requiring insurance group members to exclude liability for losses arising from state-backed cyberattacks from 2023. The measure, which was controversial even when it was introduced, remains contentious.

Lewis continued: “While large global companies with deep pockets may weather disputes over attribution and accept delays in cyber policy payouts, small and medium-sized businesses cannot afford such delays. These businesses need rapid support, particularly financial support, in a measure of days not the weeks, months, or even years that insurers, lawyers, and brokers could end up arguing about attribution and whether a loss is excluded from cover.”

Impact assessment

The CMC’s Technical Committee, chaired by former National Cyber Security Centre CEO Ciaran Martin, will assess incidents that have a potential financial impact greater than £100 million and where there is data available to make an assessment.

Looking back at past events, the 2017 NotPetya attack would have made grade five (not least because of its severe impact on multiple industries) while the 2023 MOVEit breach would only have made a category one because of its minimal impact on UK industries. Last year’s CrowdStrike meltdown would have qualified as a category three event.

More details of the CMC’s methodology can be found here. Classification results and detailed reports will be provided free of charge within a month of an incident.

By providing a consistent and objective framework for assessing cyber incidents — loosely comparable to the Richter scale for earthquakes or the Saffir-Simpson hurricane wind scale — the CMC wants to bring greater clarity to the understanding of often complex cyber events.

Risk management

The CMC hopes this increased understanding will spur the development of improved incident response planning. Experts quizzed by CSO on CMC welcomed its launch.

Ivan Milenkovich, vice president of cyber risk technology in EMEA at Qualys, said data from the CMC has the potential to allow IT security professionals to make better risk assessments — but only provided it is used correctly.

“By introducing a standardised cyber event categorisation system, the CMC is addressing a critical gap: the lack of consistent, large-scale data to support cyber risk quantification (CRQ),” Milenkovich said. “This means security teams will finally have access to reliable, aggregated information that can inform risk assessments, threat modelling, and decision-making.”

By introducing standardised cyber event categorisation, the CMC is laying the foundation for a more structured and measurable approach to cyber risk. However, cyber risk professionals will still need to integrate the CMC’s risk assessments with their own internal data to factor in their organisation’s specific industry, infrastructure, and threat profile, according to Milenkovich.

“For many dealing with cyber risk and with cyber insurance and risk operations background and knowledge, this initiative could help bridge the gap between qualitative and quantitative risk management, making it easier to justify security investments with data-backed reasoning,” Milenkovich concluded. “However, success will depend on how well organisations leverage this information alongside their own internal risk frameworks.”

Other experts agreed that establishing a consistent standard to measure the severity of cyber incidents will bring clarity to what can be a complex process.

“Organisations will hopefully be enabled to provide a standardised method for assessing incidents, identifying patterns and vulnerabilities across their cyber landscape,” said Martin Greenfield, CEO of cyber monitoring firm Quod Orbis. “This not only improves real-time incident response but also strengthens proactive threat hunting and long-term resilience planning.”

Dr. Ilia Kolochenko, CEO at application security testing vendor ImmuniWeb and a fellow at the British Computer Society (BCS), described the CMC as a “very promising and long-awaited project” while urging caution about publicly sharing some of the cyber intelligence because it might inadvertently assist attackers.

“A growing number of state-backed hacking groups and professional cyber mercenaries are actively exploiting data from similar resources run by other governments and NGOs,” according to Kolochenko. “The bad guys happily explore and discover what their victims know about them to both better conceal their future intrusions and create novel attack vectors that are not yet on the radar.”