The UK’s Cyber Monitoring Centre is proving its value, and policymakers should take note
It’s been a rough year for cyber crime in the United Kingdom. In April, a spate of extortion-based incidents hit venerable retailers like Marks & Spencer, Co-op and Harrods. In August, Jaguar Land Rover (JLR), a subsidiary of Tata Motors, halted production for weeks as it attempted to recover from a criminal intrusion. As the CEO of the UK’s National Cyber Security Centre (NCSC) said in the agency’s annual review, “[t]he recent cyber attacks must act as a wake-up call.”
At the same time, the spate of incidents has provided a trial by fire for the new Cyber Monitoring Centre (CMC), a non-governmental organization launched last year to provide independent assessments of the scale of systemic cyber events in the United Kingdom. In recent months, the CMC has analyzed both the retail incidents and the JLR disruption. To put it bluntly, I am impressed. Eight months into its categorization efforts, the CMC is successfully providing transparent, impartial reports that can quickly help the entire ecosystem understand the impact of a cyber event.
The CMC may have a short track record, but policymakers in the United States and beyond should be paying attention to its work—and considering how to franchise the model outside the UK.
Created for Insurance…
The idea for the CMC came out of a challenge facing the cyber insurance industry. Cyber insurers have gained increasing confidence in their ability to price so-called attritional risk: the day-to-day losses that stem from business email compromise or a confined ransomware attack. However, insurers’ risk models still carry a great deal of uncertainty with respect to systemic incidents. As a relatively new line of insurance, cyber lacks the longitudinal claims data that help insurers model systemic risk in other sectors. Furthermore, “uncorrelated” risk is hard to come by in cyberspace, where the technology stack is functionally the same across sectors, geographies, and business sizes.
I wrote about this challenge extensively in my June paper, “How a Government Reinsurance Program Can Accelerate Maturation of the Cyber Insurance Market.” In it, I focused on how interventions, like a government-backed reinsurance program, can help reduce uncertainty by limiting total losses from a catastrophic incident. In a recent Cyberscoop op-ed with Mark Montgomery, we called on Congress to consider such an intervention in their ongoing policy discussions about the reauthorization of the Terrorism Risk Insurance Program.
However, as I note in the paper, there should be pre-conditions in order for a backstop to kick in. Policymakers need to identify the criteria for government intervention in the market, as well as the entity in charge of making the determination as to whether those criteria have been met. In June, I suggested that a panel of experts could perform the latter function. In retrospect, I should have just pointed to the CMC.
Beyond its governing secretariat, the CMC hosts a technical committee. This group, chaired by the inaugural head of the NCSC, Ciaran Martin, consists of exactly the kinds of experts in law, cybersecurity, and economics that I had in mind. When faced with an incident, the technical committee is tasked with providing, within 30 days, an assessment of its impact based on a two-dimensional matrix: cost to the UK economy and number of citizens affected.
In the whitepaper making the case for the CMC, James Burns, Head of Cyber Strategy at specialist cyber insurer CFC, pointed out an inherent tension in insurance contracts between carriers trying to exclude risks they can’t model and the intuitions of their policyholders. Using the COVID-19 pandemic as an example, Burns persuasively argues that the challenges with business interruption insurance in 2020 are a reasonable analogue for many of the dynamics in the cyber insurance market. Those challenges were significant: litigation, frustration, and a failure to capitalize on insurance’s ability to smooth out stochastic shocks to the economy.
Burns proposed a severity scale, similar to the scales used for weather disasters like hurricanes and tornadoes. Such a yardstick would help insurers, policyholders, and reinsurers have clarity about what types of incidents are covered. Just as a worldwide pandemic might be beyond the ability of insurers to handle, a cyber insurer might exclude a Category Five cyber incident. Using such a scale to articulate which losses are covered—and which are not—would be a lot clearer to policyholders than the legalese that one would otherwise need to write into a policy today to achieve that effect. For reinsurers who are insuring cyber insurers themselves against catastrophic losses (or even for a government backstop), the severity scale might provide a trigger for deciding whether or not the policy applies.
Burns proposed the severity scale model in January 2024. Today, we have two test cases to look at. On June 20, the CMC put out its first assessment on events in the retail sector. The center categorized the incidents at Marks & Spencer and Co-op as a “Category 2 systemic event” with an estimated financial impact of “£270 million to £440 million.” Importantly, the CMC explained why it grouped these two incidents together while leaving out Harrods and other retail incidents that occurred in the same April-May time frame, and it provided a detailed description of how it determined the cost estimate.
Those characteristics carry through to the even more impressive JLR analysis, which the CMC labels a “Category 3 systemic event” with an initial estimated financial impact of £1.9 billion. The production shutdown at JLR has caused ripple effects throughout the UK economy, as suppliers have seen demand for their vehicle components plummet while JLR was attempting to restart manufacturing. Nonetheless, the CMC was able to quickly pull together relevant data to model the broad impact of the event and to explain how its initial damage assessment could change.
Cyber insurers that were looking to see some successful test cases before incorporating CMC categorizations into their policies must be pleased with the results thus far. Of course, as more data become available, the CMC will need to validate its initial assessments next year. Barring evidence of a significant miscalibration, however, the CMC seems well-positioned to solve (at least for UK insurers) a key problem that they have been grappling with.
…But with Broader Policy Implications
Policymakers should take note of these developments—and not just for the purposes of designing a cyber reinsurance program. There are several other uses that CMC analysis could be put to, especially if the model were to be franchised beyond the UK.
Cyber State of Distress
In its landmark 2020 report, the Cyberspace Solarium Commission called for creating a “cyber state of distress” that could unlock federal aid. This concept was eventually realized, at least in part, in the 2021 Bipartisan Infrastructure Law (Title VI, Subtitle A of Public Law 117-58) as the Cyber Response and Recovery Fund (CRRF). However, the money in the CRRF has never been used, in part because the criteria for what constitutes a “[declared] significant incident” are difficult to assess. In particular, the CRRF requires that there be an assessment of the ability for “otherwise available resources” to effectively respond to an incident.
Were a CMC-like organization providing assessments on U.S. incidents, policymakers might instead use those category assessments as the trigger for CRRF-like programs. Importantly, such an organization could also clarify for legislators and agency heads exactly the kinds of incidents that should trigger federal involvement.
Similar thresholds might also be appropriate in other programs that provide emergency aid. For instance, during the Change Healthcare incident, the Centers for Medicare and Medicaid Services made accelerated and advanced payments to doctors to address cash flow problems. The UK government recently provided loan guarantees to facilitate JLR’s recovery from its cyber incident. In either case, a CMC-style incident categorization could provide a useful criterion to determine whether such facilities should be available as part of government recovery efforts.
Metrics
Cybersecurity metrics at all levels—from the tactical and operational to the strategic and public policy—remain frustratingly hard to come by. CMC-style categorization is by no means a panacea for policymakers looking for national-level metrics, but it can certainly help.
In particular, independent assessments of the cost of cyber incidents are nearly non-existent. That shouldn’t be surprising, given that the entities with the most data about costs—victims and incident responders—are not incentivized either to aggregate or to share them. To the extent data about costs are shared (e.g., due to regulatory filings), inconsistent definitions of what is directly or indirectly attributable to an incident make comparison difficult. While the government could impose such incentives directly, through authorities given to an agency like a “Bureau of Cyber Statistics,” policy proposals to that end have not gained traction. And the politics of a voluntary government effort could still be fraught, as industry might fear that such a program would eventually be empowered with compulsory authorities.
A non-governmental effort, however, can provide a structured methodology for assessments, allowing them to be compared easily without concerns about potential regulatory impacts. The CMC’s first two reports are strong evidence in favor of this theory. Policymakers could consider using the number of systemic events and their severity as national-level indicators of the health of their cybersecurity ecosystems.
Time to Franchise?
The CMC has been live for only eight months, but it is already showing value. Bringing the model to other jurisdictions seems a logical next step, especially as increasing the volume of incidents covered will allow for more opportunities to refine methodologies. Of course, much of the CMC’s unique value-add comes from its being a trusted, independent third party. Policymakers and industry leaders can’t create a U.S. CMC on their own. But by sending a strong demand signal that they would find systemic event assessments useful, they can set the stage for the growth of this important mechanism.
