The Cyber Monitoring Centre’s new cyber risk categorisation scale: a tool to transform underwriting?

By Edward Lewis
Edward Lewis, the CEO of CyXcel, provides his thoughts on the potential of the new cyber risk categorisation framework produced by the Cyber Monitoring Centre to transform cyber insurance
As organisations become increasingly reliant on technology, the risk of major cyber events continues to grow.
Businesses are aware of the digital threats facing them, with Gartner confirming that 93% of boards now recognise cyber risk as a major threat to stakeholder value. And in turn, many firms are seeking cyber insurance as a means of offsetting these risks.
For insurers, this presents a significant opportunity. According to Munich Re, the global cyber insurance market is expected to grow to $29 billion come 2027 – more than double the $14 billion recorded in 2023. However, satisfying that demand is not without its challenges.
The severity of cyber incidents has been notoriously difficult to quantify for several reasons, making underwriting incredibly complex.
First, there’s no universal impact metric. Unlike physical disasters, where financial loss, casualties and recovery times are well understood, cyber incidents affect organisations in wildly different ways. A ransomware attack that cripples one company might barely touch another.
Second, there is the challenge of underreporting and missing data. Many incidents never get disclosed due to legal concerns, regulatory pressures or reputational risks, and even when they are reported, organisations don’t always share the full extent of the damage. That makes building a reliable severity model tough.
Third, cyberattacks don’t stop with a single victim. Supply chains, financial markets and even critical infrastructure can all be affected in ways that are hard to measure, and traditional methods focus too heavily on direct costs while overlooking these wider consequences.
What is the CMC’s new risk categorisation scale?
For insurers faced with this challenge, the Cyber Monitoring Centre (CMC) may be well placed to provide a solution capable of improving cyber risk assessment practices.
A completely independent, non-profit organisation that was founded by members of the insurance industry, the CMC is focused on analysing cyber events that impact UK organisations. As part of this mission, it has most recently developed a framework that can be used to assess the severity of major cyber events as they occur.
The framework works in a similar way to the Saffir–Simpson Hurricane Wind Scale, assigning a severity rating to cyber incidents using a simple five-point scale ranging from one (least severe) to five (most severe). These ratings are based on the economic impacts of incidents, starting at £100 million for category one events and rising to more than £5 billion for category five. Further, each categorisation is supported by an event report, all of which will be available freely.
For insurers, these analyses have the potential to be a powerful tool to enhance underwriting accuracy.
Critically, the categorisation system addresses the challenge of a lack of consistent, large-scale data to support cyber risk quantification, providing insurers with access to reliable, aggregated information that can inform risk assessments, threat modelling, decision-making and policy pricing.
Those benefits have the potential to cascade more broadly.
Indeed, many firms look to cyber insurers’ policy qualification criteria as the guiding principles of best practice. By enabling insurers to ascertain and assess the risks associated with cyber incidents more accurately, the framework allows them to refine their policy requirements, reducing the likelihood of incidents and, in turn, payouts.
Proper adoption and ongoing collaboration are vital
The potential is clear, yet no initiative of this scale is without its challenges.
Ultimately, the CMC’s effectiveness in enhancing national awareness of systemic cyber threats, and shaping strategies and preventive measures against them, will depend on several factors.
Potential scope limitations must be considered. While the CMC’s classification model focuses on the financial and operational impacts of attacks, some cyber incidents (especially in sectors like healthcare and transport) can have life-threatening consequences. Therefore, it’s vital that alternative impacts are considered.
Additionally, the issue of data availability remains – if participation is patchy, or companies hold back critical data or details, the output could be less reliable. Further, the CMC will need to refine its model over time to keep up with ever-evolving threats.
In essence, its success will depend on continued collaboration between government, industry and cybersecurity professionals.
Where does that begin? In the near term, adoption and practical application of the declarations made by the CMC within insurance will help lay the foundations for its success in the long term.
Edward co-founded and leads CyXcel as CEO, bringing over 20 years of hands-on experience at the intersection of law and cybersecurity. His career began as a lawyer in the UK, where a focus on infrastructure risk and technology disputes sparked his passion for helping businesses navigate the rapidly evolving digital world. Edward’s unique path has seen him lead teams through some of the most high-profile cyber incidents, from nation-state intrusions and ransomware attacks to corporate transformations. Beyond CyXcel, Edward has helped to lead the Cyber Monitoring Centre as a Director during its incubation year and has supported the development of the methodology.