CyNuC Case Study: Reducing cyber risk for nuclear power plant operators

The number and sophistication of cyber-attacks are on the rise.

Cyber-attacks on the energy sector are on the increase and have become a significant concern due to the critical role this infrastructure plays in national security and the economy.

Lloyd’s Syndicate 1176, in conjunction with the Chaucer Cyber team, has developed a Malicious Act cyber insurance policy specifically targeted to cover the operating systems of Nuclear Power Plants (NPP).

The policy optimises Chaucer’s existing cyber products for the operators and owners of NPPs and their broader nuclear generating business and assets, to cover the consequences of a malicious attack on the operating systems of an NPP.

Nuclear Power Plants are well protected against any risk, including those posed by a cyber-attack. However, were there to be a malicious attack on the operating systems of an NPP, there could be a severe impact leading to remedial actions to the software, damage to the hardware, loss of business, reputational damage and, in extreme scenarios, a nuclear accident.

The history

Cyber threats emerged in the 1980s as computer technology grew, and it was realised globally that hackers could, and were keen to, penetrate critical national infrastructure. Back then, hacking required a high level of skill and was not easily achievable.

The landscape began to shift in the 1990s as hacking groups started sharing information and techniques. Publications like ‘The Hacker's Bible’ and various ‘phreaking’ manuals became widely available online and in book format, democratising the knowledge needed for cyber intrusions.

The 2000s marked a significant turning point as hacking and cyber threats were recognized as the fifth domain of warfare. This recognition spurred substantial investments in cyber capabilities at the nation-state level. The sophistication of cyber threats matured rapidly, exemplified by high-profile attacks such as Stuxnet, WannaCry, and NotPetya. These incidents underscored the potential for cyber warfare to cause real-world damage and disruption.

By the mid-2020s, the barrier to executing malicious cyber-attacks had significantly lowered. Tools that once required bespoke development can now be freely downloaded as part of comprehensive packages. Furthermore, cyber-attacks, including Distributed Denial-of-Service (DDoS), data theft, and ransomware, can be ordered from the dark web for a modest amount of bitcoin, making them accessible to a broader audience.

The problem

The nuclear industry is acutely aware of the risks posed by cyber threats. Disruption, damage, and general cyber vulnerabilities make nuclear power plants a prime target for malicious actors. Their critical role in national security and public safety necessitates stringent cybersecurity measures to prevent catastrophic outcomes.

Some historic events include:

  • South Korea – An attack on a Nuclear Power operator’s corporate systems led to compromised data in respect of HR systems
  • USA – An NPP suffered a Slammer worm attack in 2003 whereby the Safety Parameter Display System was compromised
  • USA – An NPP was subject to a spear-phishing attempt with a view to gaining sensitive information

What coverage is available currently?

Typical existing Nuclear insurance policy wordings incorporate a Cyber Exclusion clause such as LMA 5400: Property Cyber and Data Endorsement. As a result of this exclusion, the policy only covers physical loss or physical damage to property insured under the policy caused by fire or explosion which directly results from a “Cyber Incident”, where “Cyber Incident” is defined as a non-malicious Act.

What is different about Chaucer’s CyNuC Offering?

CyNuC has been designed to cover the specific malicious “Cyber Act” and indemnify insureds for a broad range of possible losses. “Cyber Act” refers to an unauthorised, malicious, or criminal act involving access to, processing of, use of or operation of any Computer System.

The policy will have a maximum aggregate limit of USD 25m and be limited to Operating Systems; however, the policy will extend to include potential business interruption following actual physical damage sustained and malware introduced to the Operating Systems within the policy period.

Additional Elements of the Coverage offered include:

  • Physical Damage – repair of equipment and assets
  • Data Breach and Incident Response
  • Sector Specific Cyber Specialists to the Corporate Systems to control the Cyber-attack
  • Indemnity where Cyber-attack causes the business to shut down, leading to a business interruption/loss of revenue claim
  • Security failure, reputation management, additional media costs and digital asset restoration.

Collaboration

Our product enhances Chaucer’s Nuclear offering by tapping into our existing cyber expertise and working with the broader insurance market to access greater capacity and distribution to all those clients with a real need for this product.

The intention is that the product is developed through the UK Nuclear Pool (Nuclear Risk Insurers Ltd (NRI)) who have both excellent incremental nuclear expertise and established nuclear relationships. Chaucer Syndicate 1176 is the leading member of NRI.

Chaucer’s expertise is demonstrated by its Cyber Centre of Excellence, which works collaboratively with the Energy, Property and Marine divisions to develop bespoke insurance solutions. It provides specialist Cyber services including security training and awareness sessions for clients who wish to make their cyber security practices more robust.

Claims Management

Real-time Incident Response utilises Chaucer’s existing in-house cyber claims team.

Insureds will receive specialist advice on Crisis Management, Incident Response, Software adjustments and replacements, cleansing, reinstatement and reprogramming. Chaucer’s Cyber team also maintains a close relationship with third party cyber insurance claims experts to ensure incident response is as efficient as possible.

In the event of a malicious attack on the Operating Systems during the policy period, during which physical damage occurs, the policy is expected to pay out in full due to the likely closure of the plant whilst remedial action and testing take place.

Once a claim is established, Chaucer works with co-insurers to make a speedy and efficient payment of loss.

What does CyNuC not cover?

  • The policy does not cover voluntary shutdown or shutdown of the Operating Systems resulting from regulatory intervention, unless such a shutdown is made as a result of actual physical damage or as a result of proven malware being introduced during the policy period, where such malware compromises the nuclear safety systems of the Operating NPP.
  • War and hostile state-sponsored action are excluded. The policy includes war exclusion LMA 5567A/B (type 3).
  • There are limitations and exclusions in respect of external factors such as suppliers, damage to the Grid network, and interruption of critical infrastructure outside of the client’s operation.
  • Deductibles are incorporated: USD 1m each loss for non-business interruption loss, and 48 hours for business interruption loss.