Edward Lewis, CEO of CyXcel, on the genesis of the Cyber Monitoring Centre
Without question, cybercrime is one of the leading threats facing every industry today.
Ransomware remains not only rampant but devastatingly expensive, with average ransomware payments having increased 500% year over year to $2 million in 2024. What’s more, these payments account for just part of the cost. Excluding ransoms, the average cost of recovery now stands at $2.73 million.
For organisations to withstand such significant financial impacts, cyber insurance has become invaluable. However, from a legal perspective, this is a landscape that has continued to throw up challenges, debate, ambiguity and several headaches in recent years.
Lloyd’s of London’s 2023 introduction of a requirement that its managing agents exclude liability for losses arising from state-backed cyberattacks is a prime example – one that remains contentious even today owing to both attribution challenges and its conflation of systemic cyber risk with cyber war.
The former of these challenges has proven to be particularly troublesome. Given the potential costs of recovery involved in cyberattacks, many small- and medium-sized businesses are simply unable to cope with delayed cyber policy payouts resulting from disputes over attribution. These are organisations that need rapid financial support in days or weeks, not months or years.
What is the CMC?
This is where the newly launched Cyber Monitoring Centre (CMC) aims to provide a solution by enhancing legal clarity.
An independent non-profit led by a technical committee comprising non-insurance experts from across academia, cybersecurity, public policy, defence and law, the CMC has developed a standardised scale that categorises the impact of cyber incidents. I have been privileged to be a part of the leadership driving the initiative.
The CMC framework works in a similar way to the Saffir-Simpson Hurricane Wind Scale, assigning a severity rating to cyber incidents using a simple five-point scale ranging from one (least severe) to five (most severe). These ratings are based on the economic impacts of incidents, starting at £100 million for category one events and rising to more than £5 billion for category five. Further, each categorisation is supported by an event report, all of which will be available freely.
Using a wide range of data and analysis to assess incidents, a key goal of the CMC is to address the long-standing challenge of legal ambiguity in the cyber insurance landscape by providing a consistent, market-wide framework for defining systemic cyber events.
Until now, the severity of cyber incidents has been notoriously difficult to quantify for several reasons.
First, there is no universal impact metric for cyber incidents. While the financial loss, casualties and recovery times of physical disasters are well understood, cyberattacks affect organisations in very different ways. A ransomware attack that cripples one company may cause only minor problems for another.
Secondly, there are significant challenges around the availability of data. Indeed, many incidents are never disclosed due to reputational risks and legal concerns. Even when they are, organisations often underreport the impact, downplaying the full extent of the damage. As a result, building an accurate severity model becomes more difficult.
Thirdly, cyberattacks are rarely one-off events that end with a single victim. Supply chains, financial markets and critical infrastructure may all be impacted by attacks in ways that are tricky to quantify, with traditional methods of measuring impact focusing too much on direct costs while not considering the wider consequences.
These hurdles have made underwriting challenging in relation to cyber insurance – until now. By establishing a common framework for measuring severity, and aggregating data across sectors, the CMC is striving to overcome these existing challenges and provide a clearer, more quantifiable picture of cyber risks.
What are the benefits it provides?
The benefits of a consistent standard to measure the severity of cyber incidents can be significant for a variety of different stakeholders, bringing clarity to what has historically been a complex process.
Policymakers and regulators will gain a much clearer view into cyber risks at scale, ensuring that resources can be better allocated to combat threats and regulations can be introduced that more effectively enhance nationwide resilience.
Organisations, meanwhile, will be able to assess incidents with a standardised method, helping them to understand their exposure and prioritise remediation across their networks, which in turn strengthens long-term resilience planning.
For insurers, meanwhile, the CMC’s classifications can help to improve the way in which they cover systemic cyber incidents – attacks that impact large parts of the business community that are difficult to insure for due to their scale.
At present, insurers that do offer cyber cover have typically relied upon multiple exclusions to define the events they will cover. This can lead to cumbersome, complex and confusing policies. Moving forward, it is envisioned that insurers could eventually simplify policy language by referring directly to the CMC classification to define the limits of their cover.
Challenges include scope limitations, data availability and model evolution
Critically, these changes may serve to make cover more attractive and accessible to businesses, especially SMEs, helping to address the growing challenge of attribution issues and policy disputes. However, no initiative of this scale is without its hurdles.
A key risk that may determine the effectiveness of the CMC is scope limitation. While it is primarily focused on financial and operational impact, some cyber incidents, such as those affecting the health and transport sectors, could have life-threatening consequences, which must also be considered.
Keeping up with evolving threats will also be a challenge. With cyberattacks constantly changing and shifting, the CMC will need to tweak its models over time to ensure relevancy. And in large part, that relevancy will rely on industry buy-in and data availability. If participation is patchy, or companies hold back key details, the CMC’s outputs may be less reliable.
Despite these challenges, the CMC holds major promise. Indeed, it has the potential to transform cyber insurance by providing a consistent, market-wide framework for defining systemic cyber events and bringing greater clarity to incidents that are often complex to understand.
However, that success ultimately depends on continued collaboration between government, industry, and cybersecurity professionals, with widespread adoption key to ensuring the framework’s relevance and effectiveness for years to come.

Edward Lewis, CEO of CyXcel