Lloyd’s Syndicate 1176 and Chaucer have partnered to introduce a specialized cyber insurance policy to protect nuclear power plant (NPP) operators from malicious cyber attacks. As cyber threats against the energy sector continue to rise in both number and sophistication, this collaboration aims to address the unique vulnerabilities of nuclear facilities and their critical role in national security.
A recent report by cybersecurity firm KnowBe4 highlights that cyberattacks on critical infrastructure are becoming “the new geopolitical weapon,” often linked to foreign nations. These attacks pose a rising threat to state and local governments due to potential data breaches and the damage they could inflict on essential systems like power grids, communication networks, and transportation hubs. The report emphasizes that new vulnerabilities emerge as developed nations integrate more digital technologies into their infrastructure. This concern is echoed by the U.S. Department of Energy, which received 185 reports of security incidents in 2023. This new high underscores the escalating risks to the energy sector. All this raises the question: do nuclear power plants need cyber insurance?
Historical incidents further illustrate the urgency of enhanced cyber protection. In South Korea, an attack on a nuclear power operator’s corporate systems compromised data within their HR systems. In the United States, a 2003 Slammer worm attack compromised the Safety Parameter Display System at an NPP. Another U.S. NPP faced a spear-phishing attempt aimed at acquiring sensitive information.
Malicious Act
The new Malicious Act cyber insurance policy specifically targets coverage for NPPs’ operating systems. It enhances Chaucer’s existing cyber products to offer comprehensive coverage for operators and owners of nuclear-generating assets. The policy mitigates the consequences of malicious attacks, which could lead to software remediation, hardware damage, business interruptions, and reputational harm. In extreme scenarios, such attacks could even result in nuclear accidents.
Historically, the nuclear industry has faced limitations in insurance coverage for cyber-related incidents, especially those resulting from malicious acts. Traditional nuclear insurance policies often exclude such events. This new offering fills that gap by covering unauthorized, malicious, or criminal cyber acts affecting NPP operating systems.
The policy includes a maximum aggregate limit of $25 million and extends to potential business interruptions following physical damage or malware introduction during the policy period. Coverage elements encompass physical damage repairs, data breach responses, incident management, and indemnity for shutdowns caused by cyber-attacks. The policy also provides access to sector-specific cyber specialists to control and mitigate attacks on corporate systems.
Claims management is handled through Chaucer’s in-house cyber claims team. The team offers specialized advice on crisis management, software adjustments, system cleansing, and asset restoration. In the event of a malicious attack resulting in physical damage and operational shutdown, the policy is designed to offer full payout to cover losses during remedial actions and testing.
Exclusions
However, the policy has specific exclusions. It does not cover voluntary shutdowns or those prompted by regulatory intervention unless directly resulting from physical damage or malware compromising safety systems during the policy period. Additionally, acts of war and hostile state-sponsored actions are excluded, as outlined in the war exclusion clause LMA 5567A/B. Limitations also apply to external factors such as supplier issues, grid network damages, and critical infrastructure disruptions outside the client’s operations.
Developed through the UK Nuclear Pool—Nuclear Risk Insurers Ltd (NRI)—the nuclear power plant cyber insurance policy leverages the partnership’s expertise in nuclear and cyber insurance. This collaborative approach enhances capacity and distribution, aiming to meet the pressing need for robust cyber-protection among nuclear industry clients.
Source: CyNuC Case Study: Reducing cyber risk for nuclear power plant operators.