Incentivizing Good Governance Beyond Regulatory Minimums: The Civil Nuclear Sector

The consequences from a blended cyber‐physical terrorist attack on a nuclear power plant are potentially catastrophic. Sabotage of the plant or theft and subsequent use of radiological materials can potentially lead to blackouts, deaths, and injuries and even a release of radiological materials. This threat continues to evolve in sophistication and complexity and is outpacing the ability and resources of governments to anticipate risks and to protect their critical infrastructure and the public from harm. Policymakers are working to keep up with the rapid onset of these threats to reinforce the resilience of critical infrastructure. Cyber vulnerabilities including insider threats are also evolving, with cyberattacks on nuclear facilities the tip of the iceberg as more sophisticated advanced persistent threats develop. This paper suggests governments look beyond regulations and policy directives to harness the power and energy of the market to incentivize operators to voluntarily adopt security measures beyond regulatory requirements. Good organizational governance is important and necessary to secure critical infrastructure including nuclear facilities and increasingly can be rewarded by the market. The definition of what is good organizational governance matters to investors, lenders, insurers, regulators, and the public. Is the organization going to be able to function effectively as an enterprise and provide a return to investors, pay back its loans, protect its workers and community, including the environment? In the nuclear field, the stakes can be high—with stakeholders depending on a stable baseload electric supply without safety or security incidents, especially of a radiological nature. This article documents findings from a multi‐year project to identify incentives for nuclear security beyond regulatory minimums, with a focus on nuclear power plants. We assessed the importance of standards and developed a “Good Governance Template” to support owners/managers in obtaining benefits and reducing potential liabilities. We found that market incentives are developing in areas such as insurance, credit, and other rating systems to support the development of good governance, including incentives for companies to demonstrate due care in the management of risks, especially cyber risks. Building a business case for nuclear security based on these incentives is an important step forward in securing our nuclear future, especially in terms of cyber risks.