Demonstrating Due Care: Cyber Liability Considerations for Nuclear Facilities
Cyber security is the next frontier for nuclear risk managers. Within a short span of time cyber attacks have evolved in sophistication and stealth, making it difficult to develop an effective and adaptive risk management approach. While there is consensus within nuclear industry that it must bolster its capacity to “remain ahead of the dynamic cyber threat curve,” it is important to determine what this looks like in practice: what constitutes a reasonable application of cyber security measures such that it sufficiently attempts to reduce vulnerabilities and associated risks?
In November 2016, the Stimson Center, along with the Security Awareness Special Interest Group (SASIG) and the World Institute for Nuclear Security (WINS), hosted The Nuclear Security Roundtable on Executive and Corporate Responsibility in London, bringing together fifty industry stakeholders and cyber security experts to discuss the inherent challenges in managing cyber security risks in the nuclear sector. Participants examined a hypothetical cyber attack scenario in a nuclear power plant that undermined the security posture of the facility, cascading into a major power outage and consequently resulting in first-party property damage, reputational fallout, and significant third-party business interruption losses. Under this scenario, participants considered potential negligence claims and cor porate liability, and how a “model of accountability” – demonstrating compliance to high industry standards – might be structured in order to mitigate such liability.