How a cyber-Richter scale could benefit CISOs
Posted: March 20, 2025
The phrase “world leading” is almost comically overused. The British government misapplied it with a frequency that bordered on the absurd in its post-Brexit press statements, for example. Many corporate minnows have done the same in a bid to punch above their weight in global markets. But a new British non-profit initiative could genuinely lay claim to such a title.
The Cyber Monitoring Centre (CMC) aims to do what has never been done before: to classify cyber events impacting UK organisations on a simple 1-5 scale. The hope is that, in so doing, it could help insurers price coverage more accurately and CISOs to improve cyber resilience and incident response plans.
Why we need one
Like their global peers, UK firms are increasingly reliant on IT and OT systems to function. Yet this also exposes them to a growing risk of digital extortion, service disruption and data theft. Such events can cause severe financial and reputational damage, as well as impacting customers and citizens. Over the past year alone, UK organisations and end users have suffered significantly from the global CrowdStrike outage and a ransomware attack on NHS supplier Synnovis.
Yet up to now, there has been no standardised way to categorise such events.
“Up until now The National Cyber Security Centre’s (NCSC) incident management (IM) team, which is responsible for triaging and categorising incidents, has been where people have traditionally turned to gauge the impact of an attack,” explains Trend Micro UK cybersecurity director, Jonathan Lee. “Its system works by considering the severity of the incident and its potential impact on the UK which then informed its response. However, this approach is based around directing the NCSC’s own resources towards managing the most significant UK cyber incidents.”
There are several reasons why measuring cyber incident severity is a challenge, argues CyXcel CEO, Edward Lewis, who helped to lead the CMC as a director during its incubation year.
“Unlike physical disasters – where financial loss, casualties, and recovery times are well understood – cyber incidents affect organisations in wildly different ways. A ransomware attack that cripples one company might barely touch another,” he tells me.
“Additionally, many incidents never get disclosed – whether due to legal concerns, regulatory pressure, or reputational risk. Even when they are reported, organisations don’t always share the full extent of the damage. That makes building a reliable severity model tough.”
Lewis adds that traditional approaches have focused too much on direct costs rather than the wider consequences of a cyber incident.
“A cyber attack doesn’t just stop at the victim. Supply chains, financial markets and even critical infrastructure can all be impacted in ways that are hard to measure,” he says.
“The CMC cuts through this by establishing a common framework for measuring severity, aggregating data across sectors, and giving CISOs and policymakers a clearer, quantified picture of cyber risk.”
What the CMC will do
The CMC’s inspiration is the Saffir-Simpson hurricane wind scale, which was designed by a wind engineer (Herbert Saffir) and a meteorologist (Bob Simpson) as a simple way to describe the potential impact of hurricanes. The CMC calculates a score from 1-5 for each qualifying cyber event, based on its financial impact to the populace and the percentage of UK businesses affected to the tune of over £1,000.
The CMC says that losses due to business interruption, data restoration, incident response, extortion, and transfer of funds as well as “downstream impacts of a cyber event” will be included. However, costs due to “liability, any fines or regulatory costs, apology payments, loss adjustment costs, and impacts to individuals” will not be considered in the calculations as these aren’t often available in the immediate aftermath of an event. In any case, these costs are often “a transfer of costs, rather than the true financial cost of an event”, it argues.
Although it’s still early days, the CMC has been operating in stealth mode for a year, honing and testing its methodology, and expanding the public and private data sources with which its Technical Committee makes its all-important final assessments.
These data sources include public data from the NHS and media reports, as well as impacted organisations, and partners across incident response, breach lawyers, cybersecurity vendors, insurance claims handlers, and industry associations. It also includes event polling and industry-specific panels from the British Chambers of Commerce, and ONS Business Insights Data & Analytics and Conditions Survey (BICS) respondents. Parametrix helps with cloud monitoring and outage data, while Cirium offers insight into the impact of an event on the UK aviation industry.
The CMC is also developing a database of historical events and their impact, which will help with benchmarking, stress testing and calibrating models going forward.
“When an event occurs, we analyse the event and group the impacted organisations into those that can be modelled in a similar manner (“Archetypes”). We then collect available event data and model the financial impact to each Archetype,” the CMC says. “Through 2024 we developed models for aviation, healthcare (Synnovis event), and for widespread events (CrowdStrike event).”
Better for insurers
Given its origins as a proposal by global insurer CFC, it’s perhaps unsurprising that the centre’s output could be a major boost for the sector. It has been argued that the CMC’s cyber-event ranking system could help the industry price its policies more accurately, and improve how insurers cover “systemic incidents” which impact large numbers of businesses simultaneously. It may, for example, lead to simpler language in policies.
Assured director, Ed Ventham, is concerned the move could lead to more exclusions based on the CMC Scale, although he admits this could be better than vaguer scenario-specific exclusions which are more common today.
“We’re obsessed as an industry with systemic risk, and it feels like the sector has had a couple of lucky escapes of late,” he tells me. “But we’re generally supportive of better data being collected. I’m excited by the prospect of what the CMC will bring to the industry. There’s a good team and a lot of experienced people behind it.”
Driving black box thinking
Trend Micro’s Lee is enthused by the potential benefits for CISOs.
“It boasts all the hallmarks of the concept of ‘black box thinking’, something which has really benefited the airline industry and it is a very welcome development. Every breach should be seen as an opportunity to learn to be more resilient in the future,” he tells me.
“This culture of openness and a robust methodology of breach impact analysis goes some way to making it easier for CISOs to understand the practical steps that they could take. Ultimately, as is the mantra in the public sector, our nation needs to continuously measure and understand risk, and take a proactive approach to cybersecurity.”
CMC CEO, Will Mayes, agrees that the initiative will be a boon for CISOs, in helping them to think through incident response strategies more clearly.
“For example, if a category 5 event were to occur, their incident response or other providers may have limited capacity to support them individually, given the number of organisations impacted. A CISO should consider alternative response plans in these scenarios,” he tells me.
“The CMC also creates a common language for talking about cyber risks that will help everyone within the cyber ecosystem to communicate about events to non-experts. It will provide greater clarity and could be used by a CISO to talk to executives about potential events, and get buy-in for security investment.”
It may also help security leaders demonstrate compliance to regulators and benchmark risk posture more effectively, Mayes argues.
However, there are limitations. For one, it doesn’t take into account the potential human impact of cyber incidents such as the Synnovis breach, which led to at least two NHS patients suffering long-term harm, according to Trend Micro’s Lee.
“Indeed, former NCSC CEO, Ciaran Martin, who chairs the CMC Technical Committee, acknowledged this at the launch event. He said that, although the CMC model categorised the Synnovis supply chain attack as a category 2 incident, in societal and human impact terms he would describe it as one of the most impactful cyber-attacks the UK has experienced lately,” he says.
“We should never forget the human impact that a cyber-attack can have in today’s digitally dependent world.”
CyXcel’s Lewis adds that the effectiveness of the modelling will depend on the quality of data fed in.
“The CMC’s success depends on getting enough organisations to share data. If participation is patchy, or companies hold back critical details, the output could be less reliable,” he says. “Cyber threats are also shifting constantly. The CMC will need to adapt and refine its models over time.”
Leading the way
Despite these challenges, Lewis describes the CMC as “a huge leap forward in cyber resilience”. So could the UK finally have a world-leading, world-first cyber initiative?
“Its success will depend on continued collaboration between government, industry, and cybersecurity professionals – ensuring its insights stay sharp and actionable,” Lewis concludes.
However, the CMC’s Mayes is less circumspect.
“We’ve already received interest and demand to replicate this approach in other countries,” he explains. “In response to demand from partners, we are actively exploring potential expansion to the US.”
Where the UK leads, others follow.
This article first appeared on Assured Intelligence.
Some Best Practice Tips for Effective Cyber Incident Response
Posted: October 5, 2018
I’ve been neglecting this blog a bit of late. That’s due in part to being overwhelmed with the sheer number of security breach stories and features to write up this summer. I can’t recall a time when there’s been so much going on, and such a great variety of incidents — apart from last year, and the year before … and possibly the year before that.
It’s becoming something of a cliché to say “it’s not a case of ‘if’ but ‘when’ your organisation is successfully attacked” — but that doesn’t make it any less true. That puts even more pressure on firms to get incident response right. Succeed, and you could get away with little more than a slap on the wrist from the regulators — you may even find your organisation’s reputation enhanced. I asked the experts their views for an upcoming Infosecurity Magazine feature.
First and foremost, IR plans should be drawn up by an organisation-wide team, according to IISP board director, Chris Hodson.
“The IR team must be cross-functional and comprised of senior business stakeholders that understand the importance of the data, applications and infrastructure across their enterprise,” he told me.
“An effective plan must consider not only the nefarious, but also accidental and environmental events. In a world where technology and internet connectivity is baked into everything, safety has become a key consideration too — it’s no longer just considerations of ‘confidentiality, integrity and availability’ (CIA), we need to look at safety being of paramount importance.”
PwC’s US cybersecurity and privacy lead, Sean Joyce, was more prescriptive.
“The incident response plan (IRP) should include but not be limited to the following types of information: event and incident definitions; incident categories, descriptions, and criticality levels; escalation matrices; incident life cycle workflows; a listing of internal stakeholders and external partners with their roles and responsibilities; and reporting requirements,” he explained to me.
Certified SANS instructor, Mathias Fuchs, added much more to the list, including a communications plan, police liaison, mapping out of standard operating procedures, and how to deal with outsourcers like cloud providers.
“As message control is one of the key points in incident response, a predefined circle of trust that limits information flow to people not working on the case as well as to the outside world is key,” he added. “Particularly for publicly traded organisations, information about security incidents has to be treated with great caution as it usually does have an impact on the stock price once publicly available.”
My plan’s in place, now what?
Once you’ve got a plan drawn up, it’s essential to test it regularly, according to Joyce.
“Preparation is a key component to any incident response event. In our experience, organisations that take the time to develop and test their IRPs and playbooks are more prepared to respond and likely reduce the impact of an incident,” he argued. “Decisions that are made in the first 24 hours are extremely impactful in a positive or negative way.”
For Ian Glover, president of accreditation body CREST, it’s also vital to determine how ready the organisation is to respond to an incident, covering people, process and technology.
“CREST has developed a maturity model and free tool to enable assessment of the status of an organisation’s cybersecurity incident response capability on a scale of 1 (least effective) to 5 (most effective),” he told me. “The tool enables assessments to be made at either a summary or detailed level and has been developed in conjunction with a broad range of organisations, including industry bodies, consumer organisations, the UK government and suppliers of expert technical security services. It delivers an assessment against a maturity model based on the 15 steps within the three-phase Cyber Security Incident Response process.”
Lessons learned
Even the best laid plans can come apart when a cyber-attack actually strikes. But well-defined and practiced playbooks can help, said PwC’s Joyce.
“An organisation, in consultation with their external partners, should proceed forward with identifying any additional requirements related to preservation, investigation, containment, and longer-term remediation related actions. The results of the investigative work stream should be communicated in a defined/repeatable process that will directly support internal and external messaging related to the incident,” he explained.
“Depending on the incident, organisations should pre-plan their internal briefing requirements to the board and the frequency and detail of those updates. For external messaging, organisations should work with external partners such as counsel and PR organizations to begin drafting an appropriate hold statement as well as media release should notification be needed prior to the conclusion of the investigation.”
SANS’ Fuchs urged IR teams not to act too quickly, especially if they don’t yet know how the attacker got in.
“Find all ways the attacker might have into your network. Try to develop intelligence about the attacker as you investigate, that helps you when they come back. Figure out what they were looking for and what they have already exfiltrated,” he advised. “Conduct a full investigation and then execute the remediation plan on a weekend where you disconnect the whole organisation from the internet.”
Post IR processes are also vital in helping build long-term resilience.
“If they didn’t get what they were there for, they will return,” warned Fuchs. “Find better ways to detect them and avoid them getting back in the same way they did the first time.”
PwC’s Joyce recommended organisations conduct an IR “post-mortem”.
“The results of this may lead to revisions of the incident response plan, policies, procedures, and key reporting metrics; additional training for the board, executives, staff; and additional investments in technologies in the organisation’s efforts to mitigate risk and evolve with the constantly evolving cyber threat,” he concluded. “In addition, organisations can schedule table-top exercises to provide training opportunities for all key internal and external stakeholders whose support will be needed in response to an incident. Table-tops provide opportunities to evaluate an organisation’s incident response plan and to assess key components such as escalations, internal and external communications, and technical proficiency of the incident response team.”
