Cyber Monitoring Centre develops hurricane scale to count cost of cyber attacks

The CrowdStrike incident in 2024 hit the UK like a hurricane. As it swept across the country, it ground flights to a standstill, forced hospitals to cancel operations, and brought down the computer systems and websites of hundreds of businesses.

Since the early 1970s, it has been possible to predict the damage likely to be caused by hurricanes using a five-point wind scale.

Category one hurricanes may damage roofs or break branches on trees, and at the other end of the scale, a category five hurricane could leave areas uninhabitable for months.

There’s no such way to categorise the destructive impact of cyber events like the CrowdStrike update, which brought down Windows computers worldwide in July 2024 – but that is set to change, as an initiative gets underway this year to assess the damage caused by major cyber attacks on a hurricane-inspired five-point scale.

The Cyber Monitoring Centre (CMC), the first organisation of its type, has been set up by the insurance industry as an arms-length organisation to assess the impact of serious cyber attacks that have systemic implications for the UK’s infrastructure and services. It aims to make it easier for businesses to buy cyber insurance cover, and know exactly what will be covered and what won’t.

There are many ways to assess the impact of a cyber event. It could be measured in loss of life through cancelled hospital operations, the disruption caused by leaks of people’s personally identifiable information on the internet, or the strategic implications of the loss of classified government information to a hostile nation state.

The CMC will focus on just one: the economic impact. The centre has appointed a technical committee of eminent experts to assign cyber events to a five-point scale ranging from small-scale disruptions affecting hundreds of people to catastrophic attacks affecting hundreds of thousands. Estimated damage ranges from less than £100m for category one events to more than £5bn for category five.

The centre plans to monitor press reports and reports from business organisations to identify significant cyber attacks with multiple victims. It has partnerships with data providers to supply statistics on cancelled flights and disruption to datacentres, and works with the NHS to gather data on cancelled operations and hospital procedures. It also has access to advice from legal experts and cyber security specialists who respond to incidents, to help it build financial models of each significant cyber event. The models are reviewed and stress-tested, and the final say goes to the CMC’s technical committee.

The centre aims to produce an impact report within 30 days of the cyber event that will focus on immediate financial losses. It will not take into account longer-term losses caused by, for example, the risk of litigation, or other delayed effects.

What counts as a cyber war and who decides?

The aim of the CMC is to make it easier for companies to buy cyber insurance and know what magnitude of cyber event on the five-point scale they can expect to be covered for, said Ed Lewis, a director and founder of the centre.

The insurance industry has long struggled with how to insure cyber risks. Back in 2022, Lloyd’s of London issued a bulletin mandating the exclusion of “cyber war incidents” from cyber insurance cover. But who would decide whether a cyber attack was an act of warfare by a hostile state? Government or insurers?

Add to that the complex exclusion clauses developed by the London market for cyber insurance, and it was a “lawyer’s dream”, said Lewis.

It became clear that what mattered most was not which country was responsible for an act of cyber warfare, but the scale and severity of an attack. If a cyber attack had the digital fingerprints to show that it was directed against multiple targets, it had the hallmarks of a “systemic attack”.

Some insurers, particularly those that insure multiple small and medium-sized businesses, do not cover systemic risks. That is to avoid large losses if multiple clients are hit by the same catastrophic incident. However, businesses can obtain insurance cover to protect against systemic risks from other specialist insurers.

During the summer of 2022, Lewis went with a team of lawyers from his firm, Weightmans, working with insurer CFC, to France for six weeks to hammer out a solution. They came up with the idea of creating a company limited by guarantee to act as an independent centre of expertise on systemic cyber attacks.

The team spent the first half of 2023 developing a methodology to assess the financial impact of cyber attacks on a five-point, hurricane-inspired scale, and in October that year incorporated CMC as a company limited by guarantee.

The most talked-about cyber attacks are not the most damaging

The centre reviewed three cyber attacks in a trial run in 2024, and the results were surprising. Some of the most talked-about cyber attacks were not necessarily the most damaging to the UK economy.

Take the attack on the file transfer software MOVEit in May 2023. It affected over 2,000 organisations and exposed the personal data of around 64 million people.

Although it generated headlines around the world and captivated the attention of the cyber security community, the economic impact of the MOVEit attack on the UK was as “close to negligible” as it is possible to get on the CMC’s “hurricane” scale.

In June 2024, another ransomware group struck pathology laboratory Synnovis, which processes blood tests for NHS organisations across London. The attack led to major disruptions for GP surgeries and NHS trusts, leading to delays in medical procedures, cancelled appointments and shortages of blood stocks.

Despite attracting mass interest, the CMC judged the economic impact as relatively low, at between £100m and £1bn, with less than 0.1% of the population affected. That won it a rating of category two on the five-point scale.

The failure of an update to CrowdStrike’s security software in July 2024 caused worldwide disruption to Windows computers, but after an initial burst of press coverage, it failed to hold the public’s continued interest. However, the CMC’s experts rated CrowdStrike as a category three incident, significantly more impactful than MOVEit and Synnovis.

How the Cyber Monitoring Centre rated three high-profile cyber events

The need for trust and independence

The CMC’s assessments may not be infallible, but they come with a clear methodology and use data to inform the technical committee’s decisions, all of which will be published and open to public scrutiny.

The idea is that the centre will act very much like an independent arbitrator. Companies offering insurance and those buying insurance will be able to agree to be bound by its decision in any dispute over insurance cover.

That means the centre will need to be seen as completely independent of the insurance industry and government, and it will need to build a reputation for trusted decisions if it is to be successful.

The centre’s current plans are to raise funding through membership fees, with the organisation hoping to attract members from a wide range of industries, professional services, manufacturing and retail, and insurers. Lewis stressed, however, that insurers and government will have no influence over the CMC’s assessments.

“What we are very clear on is that the work of the technical committee has to be independent of government and independent of insurers,” he said. “They have to be, as far as practically possible, beyond the potential for impeachment.”

CMC could impact government policy

The work of the CMC is likely to influence the direction of government policy on cyber risks. Many hope it will help to shift the balance of regulation from policing data leaks to policing cyber failures that result in the loss of essential services.

Ciaran Martin cited as an example an attack by the Conti ransomware group on the Irish health service, which disrupted healthcare for months in 2021.

When the Irish state refused to immediately pay the ransom, the Conti crime group stepped up the pressure by releasing medical data on the internet. It was only at that point that Ireland’s Health Service Executive was obliged to notify regulators about the incident.

“It’s such a stark illustration of the point that a whole national healthcare system, including cancer surgeries, had to stop, and that’s not a breach of obligations, but the loss of a small amount of medical data [was considered a breach],” he told Computer Weekly.

That could change in the UK if the Cyber Security and Resilience Bill passes through parliament as expected. It introduces obligations for organisations to maintain critical services, and could lead to mandatory reporting of ransomware attacks.

“I’m not saying, ‘Let’s repeal data regulation and let’s impose sweeping service obligations on small hairdressing salons’, but I’m saying, ‘Let’s think about it carefully’,” said Martin.

If you give a victim the choice between two bad situations, the loss of critical health services or the loss of their personal data, most people would opt for losing personal data rather than losing access to medical care, he added.

Lewis concurs. “There seems to be a disproportionate focus on cyber incidents that also involve a data breach,” he said. “I think it’s probably fair to say there’s been quite a bit of criticism of the Information Commissioner’s Office and how those powers have been used over recent times.”

Need to tackle ‘victim stigma’

He hopes that the CMC can remove what he calls “victim stigma”, where fear of bad publicity or litigation can lead organisations hit by cyber attacks to opt for secrecy rather than openness.

There are signs that this is happening already. The British Library, which faced major disruption after an attack by the Rhysida ransomware gang, published a comprehensive lessons-learned report, which was widely applauded in the cyber security community.

The Harris Federation, a network of schools in London and the South East that lost email and telephone access after a ransomware attack in 2021, has talked about its experience in a series of podcasts to help others improve their own cyber resilience.

For Martin, the CMC’s primary aim is to deliver a better-functioning insurance market and better provision for companies seeking to insure against cyber attacks.

He would like to see the CMC gain credibility over time as a source of factual information for academic, government and industry papers.

And if the CMC is doing its job, he said, the media will be able to get a better handle on what cyber incidents are serious and what are likely to have a minor economic impact.
