The UK’s Cyber Monitoring Centre (CMC) has now started categorising cyber events using a scale designed to assess the impact and severity of attacks (similar to the Richter scale for earthquakes).
What is the Cyber Monitoring Centre?
The Cyber Monitoring Centre (CMC) is an independent, non-profit organisation founded by the UK’s insurance industry to enhance trust in cyber insurance markets and improve national understanding of digital threats. Officially unveiled at a Royal United Services Institute (RUSI) event on 6 February 2025, the CMC has been operating behind the scenes for a year, refining its methodology before making its system publicly available.
How Does the Cyber Event Severity Scale Work?
The CMC has introduced a five-level categorisation system to rank cyber events based on their severity and financial impact. The scale ranges from one (least severe) to five (most severe), considering two key factors:
1. The proportion of UK-based organisations affected.
2. The overall financial impact of the event.
Only incidents with a potential financial impact exceeding £100 million, affecting multiple organisations, and with sufficient available data will be classified. The CMC will collect insights from polling, technical indicators, and other incident data, all reviewed by a Technical Committee of cyber security experts.
Once categorised, cyber events will be published along with detailed reports that outline the impact, methodology, and response strategies. This information will be freely available to businesses and individuals worldwide.
CMC CEO Will Mayes emphasised the importance of this classification system, stating: “The risk of major cyber events is greater now than at any time in the past as UK organisations have become increasingly reliant on technology. The CMC has the potential to help businesses and individuals better understand the implications of cyber events, mitigate their impact on people’s lives, and improve cyber resilience and response plans.”
The rating system initiative is being spearheaded by a team of cyber security experts and industry leaders, with former National Cyber Security Centre (NCSC) chief Ciaran Martin serving as Chair. Explaining the importance of the CMC’s work, Martin says: “Measuring the severity of incidents has proved very challenging. This could be a huge leap forward. I have no doubt the CMC will improve the way we tackle, learn from, and recover from cyber incidents. If we crack this, and I’m confident that we will, ultimately it could be a huge boost to cyber security efforts, not just here but internationally too.”
Why Is the UK Introducing a Cyber Severity Scale?
The new initiative has been launched in the UK to help measure the severity of cyber threats and, it is hoped, bring much-needed clarity to an ever-evolving digital battleground.
Cyber attacks have become increasingly frequent and damaging. In 2023 alone, the UK suffered over seven million cyber attacks, costing the economy an estimated £27 billion per year. From ransomware crippling hospitals to large-scale data breaches exposing personal and financial information, the need for an organised, systematic approach to assessing cyber threats has never been greater.
Martin has stressed that a standardised metric for cyber event severity is long overdue, saying: “If you get a major incident in a large organisation, the results can be absolutely devastating. Hospitals can be brought to their knees.”
Martin has also noted that, because international threat actors, including state-backed groups from Russia and China, are constantly evolving their tactics, the UK must now be better prepared.
How Will This Benefit UK Businesses?
For UK businesses, the introduction of the CMC’s cyber severity scale could be an important step in cyber risk management. Its benefits could include:
– Clarity and consistency. Businesses will have an easily understood, objective framework to gauge the severity of cyber incidents and make informed decisions.
– Better risk assessment. Insurers, regulators, and industry leaders will be able to assess cyber risks more effectively, leading to better cyber insurance policies and risk management strategies.
– Faster response times. With categorised reports on cyber incidents, organisations can respond more quickly and appropriately to emerging threats.
– Improved cyber resilience. Detailed incident reports will help organisations refine their cyber security measures and prepare for future attacks.
CMC CEO Will Mayes has also highlighted how the CMC’s work will be supported by a broad range of global cyber security experts, saying: “I would also like to acknowledge the support from a wide range of world-leading experts who have contributed so much time and expertise to help establish the CMC, and continue to provide data and insights during events. Their ongoing support will be vital, and we look forward to adding further expertise to our growing cohort of partners in the months and years ahead.”
Potential Challenges and Drawbacks
Despite its promise, and although it’s still very early days, it should be acknowledged that the CMC’s classification system is not without potential challenges. These include:
– Accuracy and data availability. Since categorisation relies on accurate data collection, incomplete or delayed reporting could affect the reliability of classifications.
– Speed (or lack of it) of assessment. The CMC aims to classify events within 30 days, but in 2025 classification may take longer. Delays in categorisation could impact real-time responses.
– The threshold for categorisation. By focusing on incidents causing over £100 million in damage, smaller but still significant attacks may not be classified, potentially leaving some businesses without crucial insights.
– The potential for misinterpretation. While the scale is designed to simplify communication, businesses and the public may misinterpret severity rankings, leading to unnecessary alarm or complacency.
UK Not The First Country To Try It
The UK is not the first nation to attempt a structured approach to cyber threat classification, but the CMC’s initiative represents a more comprehensive framework than many existing models. The US, for instance, has the Cyber Incident Severity Schema, a classification system used by federal agencies, but it does not currently have the public-facing clarity or structured ranking system that the CMC intends to implement.
Other European nations have also been watching the CMC’s developments closely, with cyber security experts suggesting that if successful, this model could be replicated in the EU or even standardised internationally. According to industry insiders, discussions are already taking place regarding cross-border data sharing agreements to strengthen global cyber response strategies.
Some cyber security experts have noted that a universal classification usable by all countries would make for a better system. As the CMC begins classifying real-world incidents, there is potential for the UK to take a leading role in shaping a globally recognised cyber threat severity scale. Such a scale would help both businesses and governments get the data needed to make informed, strategic decisions in the fight against digital threats.
What Does This Mean For Your Business?
The introduction of the CMC’s severity scale could offer a clearer, more structured approach to understanding and responding to cyber threats. As cyber attacks grow in frequency and complexity, businesses, insurers, and policymakers require reliable data to assess risk and improve resilience. The CMC’s initiative could provide just that: a structured, transparent framework that could transform how the UK, and potentially the wider world, categorises and responds to major cyber incidents.
However, while the system has some clear benefits, it’s not without its limitations. The reliance on accurate and timely data presents an ongoing challenge, particularly given the complex and often opaque nature of cyber incidents. The CMC’s approach of only classifying large-scale events, while logical for identifying major risks, may also leave some significant but smaller-scale attacks unaccounted for. Also, the speed at which classifications are made will determine how effective the system is in providing real-time insights for businesses and policymakers.
Despite these concerns, the CMC’s work has already garnered some strong backing from cyber security experts and industry leaders, who recognise its potential to standardise risk assessment in a sector where clear benchmarks have long been lacking. The fact that other nations are closely monitoring the UK’s efforts also suggests that this initiative could, in time, help shape a globally recognised classification system, which is something that could prove invaluable in the fight against international cyber threats.
The success of the CMC’s cyber event severity scale will depend on its ability to consistently deliver accurate, timely, and actionable insights. If it achieves this, it has the potential to improve cyber resilience not just for UK businesses but for organisations worldwide. With cyber threats showing no signs of slowing, initiatives like this are going to be increasingly necessary.