The Cyber Monitoring Centre’s new cyber risk categorisation scale: a tool to transform underwriting?

By Edward Lewis
Edward Lewis, the CEO of CyXcel, provides his thoughts on the potential of the new cyber risk categorisation framework produced by the Cyber Monitoring Centre to transform cyber insurance.
As organisations become increasingly reliant on technology, the risk of major cyber events continues to grow.
Businesses are aware of the digital threats facing them, with Gartner confirming that 93% of boards now recognise cyber risk as a major threat to stakeholder value. And in turn, many firms are seeking cyber insurance as a means of offsetting these risks.
For insurers, this presents a significant opportunity. According to Munich Re, the global cyber insurance market is expected to grow to $29 billion come 2027 – more than double the $14 billion recorded in 2023. However, satisfying that demand is not without its challenges.
The severity of cyber incidents has been notoriously difficult to quantify for several reasons, making underwriting incredibly complex.
First, there’s no universal impact metric. Unlike physical disasters, where financial loss, casualties and recovery times are well understood, cyber incidents affect organisations in wildly different ways. A ransomware attack that cripples one company might barely touch another.
Second, there is the challenge of underreporting and missing data. Many incidents never get disclosed due to legal concerns, regulatory pressures or reputational risks, and even when they are reported, organisations don’t always share the full extent of the damage. That makes building a reliable severity model tough.
Third, cyberattacks don’t just stop with a single victim. Supply chains, financial markets and even critical infrastructure can all be impacted in ways that are hard to measure, and traditional methods focus too much on direct costs while overlooking the wider consequences.
What is the CMC’s new risk categorisation scale?
For insurers faced with this challenge, the Cyber Monitoring Centre (CMC) may be well placed to provide a solution capable of improving cyber risk assessment practices.
A completely independent, non-profit organisation that was founded by members of the insurance industry, the CMC is focused on analysing cyber events that impact UK organisations. As part of this mission, it has most recently developed a framework that can be used to assess the severity of major cyber events as they occur.
The framework works in a similar way to the Saffir–Simpson Hurricane Wind Scale, assigning a severity rating to cyber incidents using a simple five-point scale ranging from one (least severe) to five (most severe). These ratings are based on the economic impacts of incidents, starting at £100 million for category one events and rising to more than £5 billion for category five. Further, each categorisation is supported by an event report, and all of these reports will be freely available.