Cyber Monitoring Centre Introduces ‘Richter Scale’ for Cyber-Attacks
The UK’s new Cyber Monitoring Centre (CMC) has been officially launched and aims to measure cyber incidents with greater clarity and precision.
The CMC’s approach will mirror the methodologies used for physical events, such as the Richter scale for earthquakes and the Saffir-Simpson hurricane wind scale for hurricanes.
After a year in stealth mode, the CMC, an independent non-profit established by the UK insurance industry, was publicly launched during an event at the Royal United Services Institute (RUSI) on February 6, 2025.
The center aims to monitor cyber events and categorize their intensity and impact on UK organizations.
Such cyber events include large-scale cyber incidents like the outages caused by a faulty CrowdStrike update in July 2024, data breaches, targeted disruptive cyber-attacks and supply chain cyber-attacks.
The CMC will provide the results of its investigations, including the classification, for free.
Will Mayes, CEO of the CMC, commented: “The CMC has the potential to help businesses and individuals better understand the implications of cyber events, mitigate their impact on people’s lives, and improve cyber resilience and response plans.”
During the launch event, Ciaran Martin, Chair of the CMC Technical Committee, said: “There is a paradox in cybersecurity. We are a very technical industry, yet we are not good at measuring harm from the threats that we face.”
He believes the work of the CMC could be a huge leap forward and will improve the way people and organizations tackle, learn from and recover from cyber incidents.
“If we crack this, and I’m confident that we will, ultimately it could be a huge boost to cyber security efforts not just here but internationally too,” he added.
What to Expect from the UK Cyber Monitoring Centre
The work of monitoring, assessing and classifying cyber incidents will be carried out by the organization’s Technical Committee, chaired by Martin and composed of five other members:
- Sadie Creese, Professor of Cyber Security at the University of Oxford
- Gaven Smith, Former Director General for Technology at GCHQ
- Dan Jeffery, Managing Director at Daintta
- Jamie MacColl, Cybersecurity Research Fellow at RUSI
- Julian Williams, Head of the Department of Finance at Durham University
Ultimately, the Technical Committee aims to share an initial public statement within 30 days after a cyber incident is detected.
This statement will include two key pieces of information:
- The incident’s assigned category using the CMC scale
- A detailed report on the incident and its financial impact
However, Mayes said the CMC was not committing to the 30-day timeframe for 2025.
The CMC’s categorization will primarily focus on business and financial impact.
During the launch event, Martin noted that while media coverage commonly emphasizes data breaches over disruptive attacks – for various reasons, including the scarcity of available information on disruptive attacks – disruptive attacks can have a much greater financial impact than some data breaches.
“Additionally, headlines often use the amount of data stolen as an impact measure, yet it is not always a good metric,” he added.
Martin also highlighted that the CMC categorization should be seen as an additional tool for measuring the impact of a cyber incident, not as the zenith of cyber incident measurement.
“For example, during our work in 2024, we have categorized the Synnovis attack as a mid-level impact cyber event. However, I’m giving a speech tomorrow, and I will definitely mention it as one of the most impactful cyber-attacks the UK has experienced lately because it affected people beyond its mere financial impact.”
The CMC Methodology
The CMC has defined a specific methodology to assess and categorize a cyber event:
- When a cyber event occurs, the CMC team schedules a meeting with the Technical Committee to decide whether to proceed and gather input on the assessment process
- The CMC team collects and analyzes a broad set of data, with data sources including media scanning, bespoke polling and partnerships with data providers (the full list of data sources can be found on the CMC website)
- The CMC team prepares an event briefing pack for the Technical Committee
- The CMC Technical Committee reviews the data during a half-day workshop to discuss, challenge and agree on the event category using the CMC scale
- Once categorized, the event is communicated publicly along with a brief statement
Edward Lewis, CEO of cybersecurity consultancy CyXcel, has helped to lead the CMC as a Director during its incubation year and carried out the initial feasibility assessment.
Speaking to Infosecurity, he explained: “Over the incubation period, we rigorously tested and refined the methodology, with a particular focus on expanding the quality and variety of data sources that inform the Technical Committee’s assessments. As a result, the CMC has developed one of the richest and most diverse cyber data sets in the UK — an asset that continues to grow and improve.”
The CMC scale categorizes cyber events into five categories, depending on two criteria:
- The affected population: the number of organizations that have experienced a financial impact of £1k or greater to their UK operations as the result of a cyber event
- The financial impact: the loss to the affected population due to the cyber event
The estimated financial impact includes losses due to business interruption, data restoration, incident response costs, extortion, and transfer of funds, as well as downstream impacts of a cyber event.
Costs due to liability, any fines or regulatory costs, apology payments, loss adjustment costs, and impacts to individuals are not included in the financial impact as these are not available in the immediate aftermath of an event and often these payments are a transfer of costs, rather than the true financial cost of an event.
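As an added illustration, not the CMC's own code or methodology detail beyond what the article states, the following Python applies the two scale criteria to constructed loss records: it counts only the cost types listed as included, applies the £1k test to UK operations only, and sums the loss of the resulting affected population. The record layout, cost-type names and sample figures are assumptions.

```python
"""Added example: compute the two CMC scale criteria from constructed loss records."""
from dataclasses import dataclass

# Cost types the article says the CMC counts towards financial impact.
INCLUDED_COSTS = frozenset({
    "business_interruption", "data_restoration", "incident_response",
    "extortion", "transfer_of_funds", "downstream_impact",
})
# Cost types the article says are excluded (not available early on, or a
# transfer of costs rather than a true cost of the event).
EXCLUDED_COSTS = frozenset({
    "liability", "fines_regulatory", "apology_payments",
    "loss_adjustment", "individual_impacts",
})
AFFECTED_THRESHOLD_GBP = 1_000  # "£1k or greater" to UK operations


@dataclass(frozen=True)
class LossRecord:          # assumed record layout, not a CMC format
    org: str
    region: str            # only "UK" operations count towards the scale
    cost_type: str
    amount_gbp: float


def assess(records):
    """Return (affected_population, financial_impact_gbp) for one event."""
    per_org = {}
    for r in records:
        if r.cost_type in EXCLUDED_COSTS:
            continue
        if r.cost_type not in INCLUDED_COSTS:
            raise ValueError(f"unknown cost type: {r.cost_type}")
        if r.region != "UK":
            continue  # losses outside UK operations do not count
        per_org[r.org] = per_org.get(r.org, 0.0) + r.amount_gbp
    affected = {o for o, loss in per_org.items() if loss >= AFFECTED_THRESHOLD_GBP}
    # Financial impact is the loss to the affected population only.
    impact = sum(per_org[o] for o in affected)
    return len(affected), impact


# Constructed sample data for a single hypothetical event.
SAMPLE_RECORDS = [
    LossRecord("org-a", "UK", "business_interruption", 250_000),
    LossRecord("org-a", "UK", "fines_regulatory", 50_000),   # excluded
    LossRecord("org-a", "UK", "incident_response", 40_000),
    LossRecord("org-b", "UK", "data_restoration", 800),      # below £1k
    LossRecord("org-b", "UK", "apology_payments", 5_000),    # excluded
    LossRecord("org-c", "DE", "business_interruption", 90_000),  # non-UK
    LossRecord("org-c", "UK", "extortion", 12_000),
    LossRecord("org-d", "UK", "downstream_impact", 1_000),   # exactly £1k
]
```

Running `assess(SAMPLE_RECORDS)` gives an affected population of 3 (org-b falls below the threshold) and a financial impact of £303,000, since the fine, apology payment and non-UK loss are left out.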