The Cyber Monitoring Centre (CMC), a new UK-based project designed to independently declare and classify systemic cyber attacks using a unique classification scale with the objective of helping organisations understand the nature of systemic security incidents with widespread impacts, has formally begun its work.
Initially a joint project between law firm Weightmans and insurer CFC, the CMC’s objective is to declare and classify systemic incidents on a scale of one through five, where one is the least severe type of incident and five the most dangerous and disruptive. It was initially designed as an aid to the insurance industry, but the results of its work will be freely available to all security risk owners.
It hopes to bring greater clarity and transparency to complex incidents, and help organisations better react to them and prepare for future ones.
“The risk of major cyber events is greater now than at any time in the past as UK organisations have become increasingly reliant on technology. The CMC has the potential to help businesses and individuals better understand the implications of cyber events, mitigate their impact on people’s lives, and improve cyber resilience and response plans,” said CMC CEO Will Mayes.
When a systemic incident – defined by the CMC as one with a financial impact greater than £100m, affecting multiple organisations, and where there is data or information available to enable assessments – the CMC’s Technical Committee, which is led by former National Cyber Security Centre (NCSC) chief executive Ciaran Martin, will measure key factors against the CMC’s core framework to make an effective judgement as to the incident’s classification.
These factors are:
External polling on an incident, for which it is partnering with the Office for National Statistics (ONS) and the British Chambers of Commerce;
Observable technical indicators and incident data drawn from, for example, news reports, NHS or ONS data, and partnerships with third parties such as risk analytics house Parametrix, among others;
And modelling against previous incidents, such as 2024’s CrowdStrike outage, and through conversations with individuals involved in the incident, such as victims, incident response and cyber forensics teams, lawyers, insurance claims handlers and industry bodies.
I have no doubt the CMC will improve the way we tackle, learn from, and recover from cyber incidents. If we crack this, and I’m confident that we will, it could be a huge boost to cyber security efforts Ciaran Martin, Cyber Monitoring Centre
The CMC said the target timeframe to categorise an event against these criteria will be 30 days, although this is not set in stone. Each published categorisation will be supported by an event report that will summarise the committee’s analysis and provide additional insights from its work.
Committee chair Martin said that up to now, measuring the severity of cyber security incidents had been a big challenge.
“This could be a huge leap forward [and] I have no doubt the CMC will improve the way we tackle, learn from, and recover from cyber incidents. If we crack this, and I’m confident that we will, ultimately it could be a huge boost to cyber security efforts not just here but internationally too,” he said.
Mayes added: “I would also like to acknowledge the support from a wide range of world-leading experts who have contributed so much time and expertise to help establish the CMC, and continue to provide data and insights during events. Their ongoing support will be vital and we look forward to adding further expertise to our growing cohort of partners in the months and years ahead.”