Will the new Cyber Monitoring Centre’s categorisation scale really help?

By Colin Hayes
Colin Hayes from Penningtons Manches Cooper shares his thoughts on whether the new cyber incident categorisation scale from the Cyber Monitoring Centre is likely to meet expectations
February 2025 saw the official launch of the Cyber Monitoring Centre (CMC), which had been operating in ‘stealth mode’ for the preceding 12 months.
What is the CMC and how does it work?
The CMC describes itself as ‘an independent, non-profit organisation that uses an objective framework to assess the severity of major cyber events as they occur’.
The CMC will categorise cyber incidents on a scale from one to five, with five being the most severe. Relevant events will include large-scale cyber incidents (such as the CrowdStrike outage in July 2024), data breaches, targeted disruptive cyberattacks and supply chain cyberattacks. To be categorised, an event must have a potential financial impact greater than £100 million, affect multiple organisations and have sufficient data available to enable assessment. The estimated financial impact includes losses due to business interruption, data restoration, incident response costs, extortion (ransomware), transfer of funds and the downstream consequential impacts of a cyber event.
The categorisation is said to be data driven and has been refined during the 12-month incubation period. It combines a range of sources utilised to categorise major incidents, including bespoke polling, media scanning, public and private data sources (including via various data partnerships) and event modelling.
What are the benefits?
Categorising the severity of major cyber incidents has always been a difficult task for a number of reasons: a lack of standardisation, the limited availability of data, the sheer complexity of measuring the wider impact and the ever-evolving threat landscape. However, with a standardised framework to assess systemic cyber incidents, insurers can more accurately evaluate the risks connected with different types and scales of cyber threat.
This provides a number of additional benefits for cyber insurers, including:
data on the risks associated with different cyber events will enable underwriters to underwrite risks more precisely, assisting in the pricing of policies;
policies could be drafted with greater clarity and certainty. For example, clauses could be drafted with direct reference to specific event categories as triggers or limits on cover;
it may alleviate some of the issues arising from the use of (often ambiguous) policy exclusions in regard to systemic risks, including the problematic use of ‘war’ exclusions, which necessarily rely upon attributing a cyberattack to a state actor. This can take many months (or years) to become clear, and still leaves scope for major systemic events to slip through the net, where they cannot necessarily be attributed to a rogue state; and
clearer and less ambiguous policy terms would invariably improve trust in the industry.
Will it work?
The system is certainly not without limitations. For example, there does not appear to be any recognition of the human impact of a cyber incident. However, it should assist insurers in understanding the economic impact of a cyber incident.
Ultimately, the success of the CMC is likely to come down to two key factors: accuracy and adoption.
Most of the potential benefits are contingent upon the rating system being accurate. The CMC has laid out what appears to be an extremely robust process for categorisation, including the use of an extensive range of data sources, a stress-tested modelling system, the involvement of experts throughout and final categorisation by the CMC’s technical committee. The categorisation ought therefore to be reasonably accurate, and should only become more accurate with time. However, as with any data-based system, the output will only be as good as the data that goes in. There will therefore be a period of learning before the system can be trusted.
The CMC aims to make a public statement categorising an event within 30 days of its occurrence (although it has not committed to this for 2025). One concern regarding the viability of the system is the risk of the CMC getting the categorisation of a major event wrong at an early stage. While the system appears, objectively, to be robust, the proof of the pudding will be in the eating. The fact that the CMC has not committed to its 30-day target for 2025 is perhaps indicative that it understands the importance of ensuring these early categorisations are as accurate as possible, in order to build trust in the system.
This connects to the second issue which will determine the success of the CMC: adoption. The extensive potential benefits will only arise if the categorisation system is actually adopted for practical purposes. The CMC’s success will hang on the reaction of the industry (and the public more widely) once declarations are made, and on the willingness of the market to utilise those categorisations for the practical purposes they could potentially serve.
The CMC for its part appears alive to this, and has emphasised its genuine independence and expertise to inspire trust and confidence. Given the effort that has plainly gone into this endeavour, it is hoped that it will release some of the cyber insurance market’s vast potential for significant growth.