The CrowdStrike incident in 2024 hit the UK like a whirlwind. It disrupted flights, forced hospitals to cancel surgeries, and knocked out computer systems and websites for countless businesses.
Since the 1970s, hurricanes have been categorized on a five-point scale based on their wind damage. Category one hurricanes might just cause some roof damage and broken branches. On the opposite end, a category five can make entire areas unlivable for months. But when it comes to cyber incidents like the CrowdStrike event, there hasn’t been a similar system to gauge the damage—until now. This year marks the start of an initiative to develop a five-point scale for assessing the impact of major cyber attacks.
The Cyber Monitoring Centre (CMC) is the first of its kind, launched to evaluate serious cyber incidents that threaten the UK’s infrastructure and services. Its goal? To make it easier for businesses to understand and purchase cyber insurance.
There are many ways to assess cyber attacks—like the impact on lives from canceled surgeries or the fallout from leaked personal information. The CMC will zero in on one area: economic impact. A committee of experts will rank incidents on a scale from minor disruptions affecting hundreds to catastrophic attacks that disrupt hundreds of thousands. The estimated damages will range from under £100 million for a category one event to over £5 billion for a category five.
The CMC plans to track media reports and business organization alerts to identify significant cyber attacks. It collaborates with data providers for statistics on canceled flights and data center disruptions and partners with the NHS to gather info on delayed hospital operations. The center also consults legal and cyber security professionals to create financial models for significant cyber events, which undergo rigorous review.
Their target is to have an impact report ready within 30 days post-attack, focusing on immediate economic losses, without factoring in longer-term consequences like litigation risks.
So, what defines a cyber war? The CMC aims to clarify insurance coverage for companies based on the scale of cyber incidents. Ed Lewis, director and founder of the center and CEO of CyXcel, highlights that the insurance sector has struggled with cyber risks for a while. Back in 2022, Lloyd’s of London excluded “cyber war incidents” from coverage, but the question remained: who decides whether an attack is an act of war? That decision could fall to the government or to insurers, leading to a complicated legal landscape.
As it turns out, the nature of an attack matters less than its scale and severity. If an attack targets multiple entities, it’s likely to be classified as systemic. Some insurers don’t cover systemic risks to avoid large losses, but specialized insurers do offer that protection.
In 2022, Lewis and his team of lawyers from Weightmans collaborated with insurer CFC in France for several weeks to devise a solution. This led to the creation of the CMC as an independent authority on systemic cyber attacks.
During a test run in 2024, the center reviewed three significant cyber attacks and found some surprising results. For instance, the MOVEit attack in May 2023 affected over 2,000 organizations and compromised data for about 64 million people, making headlines worldwide. Yet its economic impact in the UK turned out to be minimal.
In June 2024, the ransomware attack on the pathology lab Synnovis disrupted NHS services across London, causing appointment cancellations and delays. Even with the buzz surrounding it, the CMC rated its economic impact between £100 million and £1 billion, landing it in category two on their scale.
The CrowdStrike failure in July 2024 caused global chaos for Windows devices, but interest waned after the initial reports. Experts at the CMC placed it at category three, indicating greater economic significance than either MOVEit or Synnovis.
The CMC’s assessments rely on a defined methodology and data-driven insights, so that they are transparent and open to public scrutiny. It aims to act as an impartial arbitrator whose evaluations can be referred to in claims disputes between insurers and their clients. Trust and independence are crucial, and the center aspires to be seen as separate from both the insurance industry and the government.
The work of the CMC might even steer government policy on cyber risks. Some advocate for shifting regulatory oversight from merely monitoring data leaks to prioritizing the protection of essential services. Ciaran Martin points out instances like the Conti ransomware attack on the Irish health service, which wreaked havoc on healthcare services but initially went unreported due to a focus on stolen data instead.
If the Cyber Security and Resilience Bill passes, it could mean stricter obligations on organizations to maintain essential services and possibly compel them to report ransomware incidents.
Lewis also highlights the need to address “victim stigma”—the reluctance of organizations to disclose cyber attacks out of fear of negative publicity or litigation. There’s already a positive trend; organizations like the British Library openly shared insights after facing an attack, while the Harris Federation discussed its challenges to help others bolster their defenses.
The CMC strives for credibility as a reliable information source for academia, industry, and government. If it succeeds, the media might also gain a clearer understanding of which cyber incidents are serious threats versus those with minimal economic ramifications.