CFC and Weightmans to launch UK Cyber Monitoring Centre

A first-of-its-kind initiative, the centre will independently declare and classify systemic cyber attacks in a similar way to catastrophes like natural disasters.

The centre will provide a new authority for identifying when these large-scale events occur, and has the potential to transform cyber insurance by addressing the long-standing challenge of providing a consistent, market-wide framework for defining systemic cyber events.

The CMC — which will operate from January 2024 and be an entirely independent entity — will be led by a technical committee comprising non-insurance experts from across academia, cyber security, public policy, defence and law.

This committee will use a newly developed methodology to categorise cyber incidents on a five-step severity scale, with ‘category one’ events the least severe and ‘category five’ events the most. The classification will be based on the extent of a cyber event in terms of the number of businesses affected and economic impact.

The CMC will aim to issue categorisations within 30 days of an event occurring. For its first year, it is intended that the centre won’t publicly declare incidents while it refines its methodology in a live environment.

While the CMC won’t directly serve the insurance market, its classifications are anticipated to be useful in helping insurers improve how they cover systemic cyber incidents — attacks that affect large parts of the business community simultaneously and that are particularly difficult to insure for due to their large-scale nature.

Currently, insurers offering cyber products usually rely on multiple exclusions to define the cyber events that they will cover, leading to potentially complex and confusing policies.

It is envisioned that insurers could eventually simplify policy language by referring to CMC classifications to define the limits of their cover. This would help make cyber cover more attractive and accessible to businesses — particularly SMEs — and limit the risk of policy disputes.

Weightmans’ cyber experts — led by partner Edward Lewis — supported CFC with a legal feasibility study for the CMC, and the development of the methodology.

Edward Lewis, Partner at Weightmans, said: “The CMC is a milestone in the UK’s approach to tackling systemic cyber risk.

“Systemic attacks — whether the result of sophisticated criminals or hostile nation states — are those that have the potential to cause the most damage.

“But because of their complexity, scale and spread, it has historically been difficult to quickly, effectively and consistently identify when they have occurred and measure their impact.

“The CMC provides the independent measure that is necessary to better understand when a systemic attack has occurred and how much damage it has caused. And this isn’t just something that will benefit insurers through policy wording. Through its expertise and independence, we see it becoming an integral part of the nation’s cyber defence network, working hand-in-hand with government and public agencies to respond to incidents more effectively when they occur and even improve measures to prevent such events happening in the first place.”

James Burns, Head of Cyber Strategy at CFC, said: “The CMC aims to deliver the missing piece of the puzzle in tackling systemic risk.

“It’s something that we and our partners have helped catalyse, but is entirely independent of any one company, organisation or sector. It is this independence that we think will make it so effective in its role as a reliable, expert assessor of systemic incidents. The centre serves no one but its own methodology.

“This launch is very much the start of the centre’s journey. It needs time to prove the strength of its approach in the real-world environment, and build the trust from industry, government and the UK’s business community that will be critical to making it a viable and effective part of the UK’s cyber ecosystem in the long term.”

Weightmans’ role in launching the CMC is the latest development in its ongoing work to support organisations in preventing and addressing cyber incidents.

In September, the firm unveiled a brand-new cyber security business — CyXcel — founded by Edward Lewis, boasting top-flight hires from big four consulting firms (PwC and KPMG), service integrators (Accenture), leading cyber insurers (Marsh and AON), and the UK and US governments, including the National Cyber Security Centre (NCSC) and the U.S. Department of Defense (DoD).

CyXcel brings together crises, legal, technical, and consulting expertise across computer systems, digital networks, information and operational technology, data privacy and e-crime under one roof. Its combination of cyber, forensics and intelligence expertise coupled with the backing of a regulated law firm is the only one of its kind in the UK.