A Cyber-Richter Scale: How a New UK Cyber Monitoring Centre Could Help CISOs

Phil Muncaster investigates an ambitious new British initiative which could impact the world

The phrase “world first” is regularly overused. The British government misapplied it with a frequency that bordered on the absurd in its post-Brexit press statements, for example. Many corporate minnows have done the same in a bid to punch above their weight in global markets. But a new British non-profit initiative could genuinely lay claim to such a title.

The Cyber Monitoring Centre (CMC) aims to do what has never been done before: to classify cyber events impacting UK organisations on a simple 1-5 scale. The hope is that, in so doing, it could help insurers price coverage more accurately and CISOs to improve cyber resilience and incident response plans.

Why we need one

Like their global peers, UK firms are increasingly reliant on IT and OT systems to function. Yet this also exposes them to a growing risk of digital extortion, service disruption and data theft. Such events can cause severe financial and reputational damage, as well as impacting customers and citizens. Over the past year alone, UK organisations and end users have suffered significantly from the global CrowdStrike outage and a ransomware attack on NHS supplier Synnovis.

Yet up to now, there has been no standardised way to categorise such events.

“Up until now The National Cyber Security Centre’s (NCSC) incident management (IM) team, which is responsible for triaging and categorising incidents, has been where people have traditionally turned to gauge the impact of an attack,” explains Trend Micro UK cybersecurity director, Jonathan Lee. “Its system works by considering the severity of the incident and its potential impact on the UK which then informed its response. However, this approach is based around directing the NCSC’s own resources towards managing the most significant UK cyber incidents.”

“Up to now, there has been no standardised way to categorise cyber events”

There are several reasons why measuring cyber incident severity is a challenge, argues CyXcel CEO, Edward Lewis, who helped to lead the CMC as a director during its incubation year.

“Unlike physical disasters – where financial loss, casualties, and recovery times are well understood – cyber incidents affect organisations in wildly different ways. A ransomware attack that cripples one company might barely touch another,” he tells Assured Intelligence.

“Additionally, many incidents never get disclosed – whether due to legal concerns, regulatory pressure, or reputational risk. Even when they are reported, organisations don’t always share the full extent of the damage. That makes building a reliable severity model tough.”

Lewis adds that traditional approaches have focused too much on direct costs rather than the wider consequences of a cyber incident.

“A cyber attack doesn’t just stop at the victim. Supply chains, financial markets and even critical infrastructure can all be impacted in ways that are hard to measure,” he says.

“The CMC cuts through this by establishing a common framework for measuring severity, aggregating data across sectors, and giving CISOs and policymakers a clearer, quantified picture of cyber risk.”

What the CMC will do

The CMC’s inspiration is the Saffir-Simpson hurricane wind scale, which was designed by a wind engineer (Herbert Saffir) and a meteorologist (Bob Simpson) as a simple way to describe the potential impact of hurricanes. The CMC calculates a score from 1-5 for each qualifying cyber event, based on its financial impact to the populace and the percentage of UK businesses affected to the tune of over £1,000.

The CMC says that losses due to business interruption, data restoration, incident response, extortion, and transfer of funds as well as “downstream impacts of a cyber event” will be included. However, costs due to “liability, any fines or regulatory costs, apology payments, loss adjustment costs, and impacts to individuals” will not be considered in the calculations as these aren’t often available in the immediate aftermath of an event. In any cases, these costs are often “a transfer of costs, rather than the true financial cost of an event”, it argues.

“We should never forget the human impact that a cyber-attack can have in today’s digitally dependant world”Jonathan Lee

Although its still early days, the CMC has been operating in stealth mode for a year, honing and testing its methodology, and expanding the public and private data sources with which its Technical Committee makes its all-important final assessments.

These data sources include public data from the NHS and media reports, as well as impacted organisations, and partners across incident response, breach lawyers, cybersecurity vendors, insurance claims handlers, and industry associations. It also includes event polling and industry-specific panels from the British Chambers of Commerce, and ONS Business Insights Data & Analytics and Conditions Survey (BICS) respondents. Parametrix helps with cloud monitoring and outage data, while Cirium offers insight into the impact of an event on the UK aviation industry.

The CMC is also developing database of historical events and their impact, which will help with benchmarking, stress testing and to calibrate models going forward.

“When an event occurs, we analyse the event and group the impacted organisations into those that can be modelled in a similar manner (“Archetypes”). We then collect available event data and model the financial impact to each Archetype,” the CMC says. “Through 2024 we developed models for aviation, healthcare (Synnovis event), and for widespread events (CrowdStrike event).”

Better for insurers

Given its origins as proposal by global insurer CFC, it’s perhaps unsurprising that the centre’s output could be a major boost for the sector. It has been argued that the CMC’s cyber-event ranking system could help the industry price its policies more accurately, and improve how insurers cover “systemic incidents” which impact large numbers of businesses simultaneously. It may, for example, lead to simpler language in policies.

Assured director, Ed Ventham, is concerned the move could lead to more exclusions based on the CMC Scale, although he admits this could be better than vaguer scenario-specific exclusions which are more common today.

“We’re obsessed as an industry with systemic risk, and it feels like the sector has had a couple of lucky escapes of late,” he tells Assured Intelligence. “But we’re generally supportive of better data being collected. I’m excited by the prospect of what the CMC will bring to the industry. There’s a good team and a lot of experienced people behind it.”

Driving black box thinking

Trend Micro’s Lee is enthused by the potential benefits for CISOs.

“It boasts all the hallmarks of the concept of ‘black box thinking’, something which has really benefited the airline industry and it is a very welcome development. Every breach should be seen as an opportunity to learn to be more resilient in the future,” he tells Assured Intelligence.

“This culture of openness and a robust methodology of breach impact analysis goes some way to making it easier for CISOs to understand the practical steps that they could take. Ultimately, as is the mantra in the public sector, our nation needs to continuously measure and understand risk, and take a proactive approach to cybersecurity.”

CMC CEO, Will Mayes, agrees that the initiative will be a boon for CISOs, in helping them to think through incident response strategies more clearly.

“For example, if a category 5 event were to occur, their incident response or other providers may have limited capacity to support them individually, given the number of organisations impacted. A CISO should consider alternative response plans in these scenarios,” he tells Assured Intelligence.

“The CMC creates a common language for talking about cyber risk that will help everyone to communicate”Will Mayes

“The CMC also creates a common language for talking about cyber risks that will help everyone within the cyber ecosystem to communicate about events to non-experts. It will provide greater clarity and could be used by a CISO to talk to executives about potential events, and get buy-in for security investment.”

It may also help security leaders demonstrate compliance to regulators and benchmark risk posture more effectively, Mayes argues.

However, there are limitations. For one, it doesn’t take into account the potential human impact of cyber incidents such as the Synnovis breach, which led to at least two NHS patients suffering long-term harm, according to Trend Micro’s Lee.

“Indeed, former NCSC CEO, Ciaran Martin, who chairs the CMC Technical Committee, acknowledged this at the launch event. He said that, although the CMC model categorised the Synnovis supply chain attack as a category 2 incident, in societal and human impact terms he would describe it as one of the most impactful cyber-attacks the UK has experienced lately,” he says.

“We should never forget the human impact that a cyber-attack can have in today’s digitally dependant world.”

CyXcel’s Lewis adds that the effectiveness of the modelling will depend on the quality of data fed in.

“The CMC’s success depends on getting enough organisations to share data. If participation is patchy, or companies hold back critical details, the output could be less reliable,” he says. “Cyber threats are also shifting constantly. The CMC will need to adapt and refine its models over time.”

Leading the way

Despite these challenges, Lewis describes the CMC as “a huge leap forward in cyber resilience”. So could the UK finally have a world-leading, world-first cyber initiative?

“Its success will depend on continued collaboration between government, industry, and cybersecurity professionals – ensuring its insights stay sharp and actionable,” Lewis concludes.

However, the CMC’s Mayes is less circumspect.

“We’ve already received interest and demand to replicate this approach in other countries,” he explains. “In response to demand from partners, we are actively exploring potential expansion to the US.”

Where the UK leads, others follow.