Obtaining cyber insurance is an option for organisations that are unable or unprepared to handle cyber risks by themselves. This may be because the expense of employing full-time staff dedicated to mitigating cyber risks is hard to justify, or because the risk cannot be quantified well enough for the organisation to be confident in assessing its own response capabilities.
Several organisations in the civil nuclear sector currently ‘self-insure’ against technological accidents, insider threats to computer systems and information, and external hacking. Self-insuring involves setting aside internal funds and resources to cover risks, rather than contracting with an insurance company, and is a natural extension of the use of in-house information security and privacy teams. However, other options also exist for addressing cyber risks. This paper sets out a roadmap for how organisations in the civil nuclear sector can explore their options and review their cyber risk exposure.