{"id":1895,"date":"2025-02-12T06:00:00","date_gmt":"2025-02-12T06:00:00","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=1895"},"modified":"2025-02-12T06:00:00","modified_gmt":"2025-02-12T06:00:00","slug":"uk-monitoring-group-to-classify-cyber-incidents-on-earthquake-like-scale","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=1895","title":{"rendered":"UK monitoring group to classify cyber incidents on earthquake-like scale"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>A UK body backed by the cyber insurance industry is seeking to establish a framework to classify the severity of cyber incidents affecting UK organisations.<\/p>\n<p>The <a href=\"https:\/\/cybermonitoringcentre.com\/2025\/02\/06\/cyber-monitoring-centre-officially-starts-categorising-cyber-events\/\">Cyber Monitoring Centre<\/a> (CMC) \u2014 an independent nonprofit organisation launched last week \u2014 aims to create a standardised scale for measuring the impact of cyber incidents from one (least severe) to five (most severe).<\/p>\n<p>A wide range of data and analysis will be used to assess and categorise incidents against the framework, which measures severity based on the proportion of UK organisations affected and the overall financial impact.<\/p>\n<p>Edward Lewis, CEO of cybersecurity consultancy CyXcel, told CSO that the focus of CMC is on the needs of insurance buyers, rather than the industry itself.<\/p>\n<p>\u201cThe CMC evolved from market reactions to the <a href=\"https:\/\/www.csoonline.com\/article\/573443\/lloyd-s-of-london-to-exclude-state-backed-attacks-from-cyber-insurance-policies.html\">Lloyd\u2019s cyber war bulletin<\/a>, which faced backlash for its conflation of systemic cyber risk with cyber war, as well as the ambiguity and attribution 
challenges posed by the associated model clauses which followed it,\u201d Lewis explained.<\/p>\n<p>Insurance marketplace Lloyd\u2019s of London put forward a policy requiring insurance group members to exclude liability for losses arising from state-backed cyberattacks from 2023. The measure, which was controversial even when it was introduced, remains contentious.<\/p>\n<p>Lewis continued: \u201cWhile large global companies with deep pockets may weather disputes over attribution and accept delays in cyber policy payouts, small and medium-sized businesses cannot afford such delays. These businesses need rapid support, particularly financial support, in a measure of days not the weeks, months, or even years that insurers, lawyers, and brokers could end up arguing about attribution and whether a loss is excluded from cover.\u201d<\/p>\n<h2 class=\"wp-block-heading\">Impact assessment<\/h2>\n<p>The <a href=\"https:\/\/cybermonitoringcentre.com\/technical-committee\/\">CMC\u2019s Technical Committee<\/a>, chaired by former National Cyber Security Centre CEO Ciaran Martin, will assess incidents that have a potential financial impact greater than \u00a3100 million and where there is data available to make an assessment.<\/p>\n<p>Looking back at past events, the <a href=\"https:\/\/www.csoonline.com\/article\/563255\/petya-ransomware-and-notpetya-malware-what-you-need-to-know-now.html\">2017 NotPetya attack<\/a> would have made grade five (not least because of its severe impact on multiple industries) while the <a href=\"https:\/\/www.csoonline.com\/article\/575495\/moveit-transfer-vulnerability-appears-to-be-exploited-widely.html\">2023 MOVEit breach<\/a> would only have made a category one because of its minimal impact on UK industries. 
Last year\u2019s <a href=\"https:\/\/www.csoonline.com\/article\/2872861\/crowdstrike-ceo-apologizes-for-crashing-it-systems-around-the-world-details-fix.html\">CrowdStrike meltdown<\/a> would have qualified as a category three event.<\/p>\n<p>More details of the CMC\u2019s methodology can be found <a href=\"https:\/\/cybermonitoringcentre.com\/methodology\/\">here<\/a>. Classification results and detailed reports will be provided free of charge within a month of an incident.<\/p>\n<p>By providing a consistent and objective framework for assessing cyber incidents \u2014 loosely comparable to the Richter scale for earthquakes or the Saffir-Simpson hurricane wind scale \u2014 the CMC wants to bring greater clarity to the understanding of often complex cyber events.<\/p>\n<h2 class=\"wp-block-heading\">Risk management<\/h2>\n<p>The CMC hopes this increased understanding will spur the development of improved <a href=\"https:\/\/www.csoonline.com\/article\/562125\/what-is-incident-response-and-how-to-build-an-ir-plan.html\">incident response planning<\/a>. Experts quizzed by CSO on CMC welcomed its launch.<\/p>\n<p>Ivan Milenkovich, vice president of cyber risk technology in EMEA at Qualys, said data from the CMC has the potential to allow IT security professionals to make better risk assessments \u2014 but only provided it is used correctly.<\/p>\n<p>\u201cBy introducing a standardised cyber event categorisation system, the CMC is addressing a critical gap: the lack of consistent, large-scale data to support cyber risk quantification (CRQ),\u201d Milenkovich said. \u201cThis means security teams will finally have access to reliable, aggregated information that can inform risk assessments, threat modelling, and decision-making.\u201d<\/p>\n<p>By introducing standardised cyber event categorisation, the CMC is laying the foundation for a more structured and measurable approach to cyber risk. 
However, cyber risk professionals will still need to integrate the CMC\u2019s risk assessments with their own internal data to factor in their organisation\u2019s specific industry, infrastructure, and threat profile, according to Milenkovich.<\/p>\n<p>\u201cFor many dealing with cyber risk and with cyber insurance and risk operations background and knowledge, this initiative could help bridge the gap between qualitative and quantitative risk management, making it easier to justify security investments with data-backed reasoning,\u201d Milenkovich concluded. \u201cHowever, success will depend on how well organisations leverage this information alongside their own internal risk frameworks.\u201d<\/p>\n<p>Other experts agreed that establishing a consistent standard to measure the severity of cyber incidents will bring clarity to what can be a complex process.<\/p>\n<p>\u201cOrganisations will hopefully be enabled to provide a standardised method for assessing incidents, identifying patterns and vulnerabilities across their cyber landscape,\u201d said Martin Greenfield, CEO of cyber monitoring firm Quod Orbis. \u201cThis not only improves real-time incident response but also strengthens proactive threat hunting and long-term resilience planning.\u201d<\/p>\n<p>Dr. Ilia Kolochenko, CEO at application security testing vendor ImmuniWeb and a fellow at the British Computer Society (BCS), described the CMC as a \u201cvery promising and long-awaited project\u201d while urging caution about publicly sharing some of the cyber intelligence because it might inadvertently assist attackers.<\/p>\n<p>\u201cA growing number of state-backed hacking groups and professional cyber mercenaries are actively exploiting data from similar resources run by other governments and NGOs,\u201d according to Kolochenko. 
\u201cThe bad guys happily explore and discover what their victims know about them to both better conceal their future intrusions and create novel attack vectors that are not yet on the radar.\u201d<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>A UK body backed by the cyber insurance industry is seeking to establish a framework to classify the severity of cyber incidents affecting UK organisations. The Cyber Monitoring Centre (CMC) \u2014 an independent nonprofit organisation launched last week \u2014 aims to create a standardised scale for measuring the impact of cyber incidents from one (least [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":1896,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-1895","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/1895"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1895"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/1895\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/1896"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1895"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1895"},{"taxonomy":"post_tag","embeddable":true
,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1895"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}