The control room inside the Paks nuclear power plant in Hungary. Photo: Bloomberg/Contributor
Strategies for buying cyber insurance
A prospective purchaser of cyber insurance should do the following:
- Check if coverage is included under existing insurance policies, and also check the exclusion clauses in these policies;
- Ask if a potential insurer can provide write-backs on exclusions, and check the price for such write-backs;
- Ask how much standalone cover would cost, and what capacity would be offered; and
- Review the two prices (write-backs vs standalone cover) to decide whether it makes more financial sense to fund the necessary capacity internally.
An introduction to calculating cyber risk
Ideally, the risk to the public from civil nuclear facilities should be below the risk of disease [35], which is a bellwether of acceptable risk in society. The singular term ‘risk’ discussed here refers in reality to multiple civil nuclear risks – such as accidents, environmental hazards and hacking – all rolled into one. Nonetheless, a simplified concept provides a benchmark to aim at. Much is known about the ‘safety’ risks in civil nuclear plants [36], due to probabilistic risk analysis and a well-recorded history of failures and near misses, but these are not the same as ‘security’ risks. Events such as employees losing laptops or breaching firewall rules (albeit with good intentions) fall into the latter category and can be modelled just as safety risks are. Increased dialogue between safety and security modelling teams should be encouraged, even when the two do not agree. Progress sometimes requires argumentation.
There is also the question of how to quantify the probability and severity of malicious hacking, where an intelligent adversary is trying to adapt to and avoid an organization’s defences. Clearly, the adversary changes its approach as the defences change. Historically, game theory has been successfully applied to similar problems. This is less daunting than it sounds. The first step is to ask the safety team which is the most severe safety case it has modelled. The cost of that event can form the basis of a stress test for a computer security incident, using the worst-case scenario to determine maximum severity. Taking the safety case as a starting point, a team can be brought in to discuss whether such a scenario could be caused maliciously through hacking. It is essential to bring penetration testers or computer security incident response (CSIR) teams into the discussion, as they will provide useful descriptions of the methods that might be used to achieve malicious ends. Otherwise, a supposedly ‘expert’ group is likely to remain under the impression that the scenario cannot happen, simply because its members cannot imagine how the hack would work.
Assuming that the scenario could indeed be brought about by hacking or technological failure, the challenge will be to understand the probability of such an event occurring. While most people attempt an actuarial approach, in the context of the civil nuclear industry it is well known that not all catastrophic events can be found in history, and that therefore the likelihood of occurrence must be analysed using other methods such as probabilistic risk assessment, counterfactual analysis, crisis simulation, stress testing and safety drills. It is worth considering a simple scenario, such as what happens when an operations room’s communications (email/phone/fax) are compromised and used to subvert control of a facility.
Once there exists a scenario, created by experts and assigned levels of severity and probability respectively, it should be possible to start to look at the calculated risk, and at how much fiscal capacity will be needed to respond to the incident should it occur. This process can be repeated over time using a variety of hypothetical incidents. Such experiences will give staff confidence in calculating and responding to cyber risks. This is crucial as an organization builds capacity and starts to understand its exposure.
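As an added example (not from the report, and not any insurer's or regulator's method), the following Python model carries the scenario-based calculation described in this section through to the capacity question, and then applies the write-back vs standalone vs self-funding comparison from the buying strategy above. Every number in it is a constructed assumption: the three scenarios, their expert-assigned annual probabilities and severities (in millions), the policy limits and premiums, and the 5% cost-of-capital rate; it also assumes, for simplicity, that scenarios are independent and occur at most once a year. Because catastrophic events are absent from history, probabilities here are assigned by the expert process the text describes rather than derived from past frequency.

```python
"""Scenario-based cyber risk quantification for a facility (added example).

Each scenario carries an expert-assigned annual probability and a severity
(worst-case cost, in millions). All figures are constructed for illustration.
"""
from dataclasses import dataclass
from itertools import product
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Scenario:
    name: str
    annual_probability: float  # expert / PRA estimate, not a historical frequency
    severity: float            # estimated cost if it occurs, in millions


@dataclass(frozen=True)
class CoverOption:
    name: str
    limit: float    # maximum payout, in millions (0 = no insurance)
    premium: float  # annual premium, in millions


# Constructed scenarios, from routine to worst case. The third one is the
# "operations room communications compromised" stress test, with severity
# taken (hypothetically) from the safety team's most severe modelled case.
SCENARIOS: List[Scenario] = [
    Scenario("Laptop with safety designs stolen", 0.30, 0.5),
    Scenario("Ransomware on the business network", 0.10, 5.0),
    Scenario("Ops-room comms compromised, control subverted", 0.02, 200.0),
]

# Constructed cover options mirroring the write-back vs standalone comparison.
OPTIONS: List[CoverOption] = [
    CoverOption("self-fund", 0.0, 0.0),
    CoverOption("write-back on existing policy", 50.0, 0.4),
    CoverOption("standalone cyber cover", 250.0, 1.2),
]


def expected_annual_loss(scenarios: List[Scenario]) -> float:
    """Expected loss: sum of probability x severity over all scenarios."""
    return sum(s.annual_probability * s.severity for s in scenarios)


def loss_distribution(scenarios: List[Scenario]) -> List[Tuple[float, float]]:
    """Exact annual-loss distribution, treating scenarios as independent and
    each occurring at most once a year. Enumerates all 2**n combinations
    (fine for a handful of scenarios) and returns (loss, probability)
    pairs sorted by loss."""
    dist: Dict[float, float] = {}
    for outcome in product([False, True], repeat=len(scenarios)):
        prob, loss = 1.0, 0.0
        for happened, s in zip(outcome, scenarios):
            prob *= s.annual_probability if happened else 1.0 - s.annual_probability
            loss += s.severity if happened else 0.0
        dist[loss] = dist.get(loss, 0.0) + prob
    return sorted(dist.items())


def capacity_needed(scenarios: List[Scenario], confidence: float) -> float:
    """Smallest reserve that covers the year's total loss with the given
    probability (a value-at-risk style figure): the fiscal capacity the
    facility must be able to call on if the scenarios materialise."""
    dist = loss_distribution(scenarios)
    cumulative = 0.0
    for loss, prob in dist:
        cumulative += prob
        if cumulative >= confidence:
            return loss
    return dist[-1][0]  # confidence above reachable total: worst case


def cheapest_cover(scenarios: List[Scenario], options: List[CoverOption],
                   confidence: float, cost_of_capital: float) -> Tuple[str, Dict[str, float]]:
    """Annual cost of each option = premium + cost of holding an internal
    reserve for whatever the policy limit does not cover. cost_of_capital is
    the assumed annual cost of tying up one unit of reserve."""
    need = capacity_needed(scenarios, confidence)
    costs: Dict[str, float] = {}
    for option in options:
        residual = max(0.0, need - option.limit)
        costs[option.name] = option.premium + residual * cost_of_capital
    return min(costs, key=costs.get), costs


if __name__ == "__main__":
    print(f"Expected annual loss: {expected_annual_loss(SCENARIOS):.2f}m")
    for conf in (0.95, 0.99):
        print(f"Capacity needed at {conf:.0%}: {capacity_needed(SCENARIOS, conf):.1f}m")
    best, costs = cheapest_cover(SCENARIOS, OPTIONS, 0.99, 0.05)
    for name, cost in costs.items():
        print(f"  {name}: {cost:.2f}m per year")
    print(f"Cheapest at 99%: {best}")
```

The useful output is not the expected loss (which the rare worst case dominates only mildly) but the gap between the 95% and 99% capacity figures: the ops-room scenario moves the reserve from a few million to the full worst-case cost, which is exactly the number the write-back limit has to be tested against. Re-running the model with a new hypothetical incident added to `SCENARIOS` is the repeatable exercise the text recommends.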
Should a civil nuclear facility, on the basis of the above scenario modelling, choose specific cyber insurance, then it will need to demonstrate that it is following various standards and has established a full-time and capable CERT. Guidance on how to do this can be found at the FIRST.org website [37].
Transitional use of cyber insurance
One important general point about insurance is that coverage can be purchased for specific projects and specific points in time. For example, imagine that a civil nuclear facility managed by a given organization is scheduled to be decommissioned within three years. It is known that this facility carries a higher cyber risk than newer facilities because of its age, because the software in use there is older and harder to manage, and because there are fewer staff who can respond to a crisis. To train a new security team dedicated to this facility, only to let the team go three years later, would not be reasonable. Instead, extra training could be provided to the existing team and an insurance policy taken out to cover the three years to the transition. This in turn would help with the migration of staff and equipment to a new facility.
The specific sorts of transitional phase in which cyber insurance could be relevant include the following: during construction, before a facility goes live, while it is being wound down, or while one organization is being merged with another.
It is also possible to use cyber insurance, rather than technological solutions, during times of increased risk: for example, if new vulnerabilities have been discovered in the control system used by a nuclear facility and a patch is not expected because the product has reached end-of-life stage. Another example is that a facility might take out temporary cyber insurance if a known hacking group were targeting other similar facilities; such cover might allow the insured party to get through the crisis while security and privacy teams were trained to the higher standard demanded by the new threat.
Capping the unmanageable risk
Cyber risk is constantly evolving, and some risks cannot be prevented, yet facilities still have a duty to manage civil nuclear risks. Risk cannot simply be ‘air-gapped’ away. Phone calls have to be taken, safety designs emailed and software used to model quality. Even if a facility is perfectly secure in theory, it must do business with organizations that may not be operating at the same level of security, privacy and safety. Not only does prudence dictate the creation of contingency plans for situations in which incidents compromising a facility’s systems and security have an impact on its customers and business partners; it is also necessary to plan for situations when the reverse applies, and the facility is itself impacted by virtue of being a customer or business partner of an organization that is compromised.
For an illustration of this concept, imagine an email system that is in principle perfectly secure, and would not accept a spoofed email or divulge the contents of an email to an unauthorized party. However, that is only half the story. The emails which the system sends and receives must also be secure. If a hacker can read the counterparty’s email (for example, by stealing his or her laptop), then the hacker can see any messages sent to that user (an eventuality that constitutes a ‘breach’). And if the hacker can send messages as the user – in effect impersonating that user – then the hacker can also potentially convince the recipient to perform various actions or tasks. So, a facility is only as secure as its partner organizations; everyone depends on each other to collaboratively manage cyber risk. Simply informing colleagues and external parties that a hacker has been detected and that any emails sent or received between two given dates may have been compromised is in itself enormously useful in managing cyber risk, even for a hypothetically perfectly secure facility.
The key point here is that not all cyber risks are manageable, especially on a unilateral basis. An organization’s data are in the hands of business partners, whose security and privacy are their own concern. This is literally a risk that is outside one’s control: a classic externality, and one that takes a lot of collaboration to address. Moreover, there will always be nation-state hackers that can exceed the level of defence that an organization has available. This leaves any organization with a residual risk that must be accepted and cannot always be prevented.
Response
Organizations can set aside capital for incident response and/or purchase protection in the form of cyber insurance. They need contingency plans for a variety of threats and risks, ranging from the loss of laptops to actions by disgruntled employees, ransomware and espionage by nation states. Many organizations can benefit from simple role-playing exercises among board members about how to handle incidents. It is possible either to create scenarios in-house (breach or ransomware incidents are good starting points) or to hire specialists to provide training.
Such processes often make it clearer to senior executives (who may or may not be accustomed to dealing with technical risks on a daily basis) that responding to cybersecurity threats is not as simple as a password change. It involves communication and coordination across the organization, and often with many other organizations as well.
Scenario exercises provide an opportunity for organizations to review how much money, manpower and time are available for responding to a cyber incident. Alternatively, or in addition, an organization can perform ‘risk transfer’ by engaging specialist civil nuclear cyber risk and insurance professionals. The key goal of this process is to discover the limit of coverage offered, and on the basis of this information to produce a flexible plan for decision-making and resource allocation in the event of a crisis. Many cyber incidents last longer and require more work to resolve than expected, so it is worth asking how quickly the contingency budget can be refilled. Internally, an organization might refill the contingency budget faster than the insurance policy is able to make a second payout. Nonetheless, if it is not feasible to keep large amounts of capital in reserve or hire permanent, full-time security and privacy staff, turning to the growing cyber insurance market provides an alternative option.