19.02.25

UK to Get New Cyber-attack Severity Rating System

Cyber-attack Severity Rating – UK to Get New System

The government is launching a new cyber-attack severity rating system to crack down on cyber-crime and increase cyber-resilience among UK organisations. According to the government’s 2024 Cyber Security Breaches Survey, half of businesses and almost a third of charities experienced some form of cyber-security breach or attack last year. The new monitoring system is designed to help organisations tackle and learn from such incidents.

New Cyber-attack Severity Rating Explained

The Cyber-attack Severity Rating System is being led by the National Cyber Security Centre’s (NCSC) technical committee, the Cyber Monitoring Centre (CMC) will categorise specific cyber-events on a scale of 1 (least severe) to 5 (most severe). Events worthy of categorisation include those that affect multiple organisations or have a potential financial impact exceeding £100 million. Other cyber-attacks with sufficient data available to allow for a proper assessment will also be considered for rating. The CMC will publish a report alongside an event’s rating, advising the victims on how to respond and recover from the incident.

The rating system’s implementation follows several severe cyber-attacks in the past 12 months that significantly impacted UK organisations. A cyber-attack that breached the statutory corporation Transport for London suspended multiple transport services and cost more than £30 million. Denial-of-service attacks hit several councils, including Portsmouth and Middlesborough, and a ransomware attack on the NHS disrupted thousands of medical appointments and took months to recover from.

Will Mayes, chief executive of the CMC, said, “The risk of major cyber-events is greater now than at any time in the past as UK organisations have become increasingly reliant on technology. The CMC has the potential to help businesses and individuals better understand the implications of cyber-events, mitigate their impact on people’s lives, and improve cyber-resilience and response plans.”

The CMC’s technical committee will be chaired by the former CEO of the NCSC, Ciaran Martin.

Next Steps

Although the government’s new cyber-attack severity rating system is a step towards increased cyber-resilience, cyber-breaches remain a concern for businesses across sectors. Organisations should implement robust cyber-hygiene measures and review their cyber-insurance cover.

Contact us today for additional risk management guidance and insurance solutions.

The cyber-threat information provided by Zywave and contributed by Lisa Langley, Cert CII, Team Leader, Professional Risks, Cox Mahon Ltd.

Contains public sector information published by GOV.UK and licensed under the Open Government Licence v3.0.
The content of this publication is of general interest and is not intended to apply to specific circumstances or jurisdiction. It does not purport to be a comprehensive analysis of all matters relevant to its subject matter. The content should not, therefore, be regarded as constituting legal advice and not be relied upon as such. In relation to any particular problem which they may have, readers are advised to seek specific advice from their own legal counsel. Further, the law may have changed since first publication and the reader is cautioned accordingly. © 2025 Zywave, Inc. All rights reserved.