The judges delivered opinions after both civil and criminal deliberations. They ruled that the SNPP management was civilly and criminally liable. According to the rulings, there were clear indications that organizational leadership within the SNPP failed to reasonably address security deficiencies since management did not perceive value in pursuing additional security measures despite security audit recommendations and other signs that improvements must be made. An eroding security culture (i.e., ineffective cybersecurity training) also exacerbated existing vulnerabilities that the adversary exploited. It did not matter whether the actions of SNPP management were in violation of regulations; it recognized the risk, but decided against any significant changes to security practices. The Chief Executive and Chief Security Officer of SNPP were found guilty of connivance – they were aware of the criminal acts (a breach in duty of care) as they were being performed.
VALUE OF THE GOVERNANCE TEMPLATE IN MOUNTING A DEFENSE
Participants were asked if the adoption of the proposed nuclear security governance template would help the SNPP management demonstrate its duty of care, and potentially reduce liability. Participants acknowledged the template as a useful risk assessment and mitigation tool since it forces license holders to explain a holistic strategy – from risk management communication at the executive level to cultivating security culture among operational personnel – to achieve and maintain nuclear security without divulging any specific, sensitive information. Several participants also noted that the format of the template is quite flexible, allowing license holders to tailor their answers to match a changing threat environment.
But while the template can help outline the license holder’s duty of care as it relates to security, it cannot stand alone as proof. Thus, the template alone only demonstrates reasonable precaution. The judges determined that the template is useful in building a case, as it demonstrates how and why risk management (cost-benefit) decisions were made. Whether those decisions were reasonable under the circumstances is a decision for the trier of fact. Without a more thorough demonstration of their efforts, the defendant was found guilty. However, organizational governance efforts that had been made by SNPP, including the adoption of the template, would be taken into consideration as a sentencing factor. Any framework or voluntary standard can be influential in shaping due diligence, as the standards can become “de facto” industry requirements. In the wake of a security event, these industry norms can play a defining role in evaluating liability.
Overall, the template is strongest when it is considered as a complement to existing regulation. While regulatory requirements establish the ceiling for culpability, the template helps contextualize organizational decisions around security, and if filled out consistently, can also illuminate trends in how organizational governance adjusts to evolving threats.
*International nuclear liability regimes (The Vienna Convention on Civil Liability for Nuclear Damage and Paris Convention on Third Party Liability in the Field of Nuclear Energy), as well as domestic law (i.e., U.S. Price-Anderson Act), generally cover damage from a radiological release or a precautionary action, such as an evacuation, related to a potential release.
†Full hypothetical scenario is available upon request. Please contact email@example.com for more information.
‡A case in which the defendant company (Empress Car Company) kept diesel in a tank with an unsecured tap, in a yard that drained directly into a river. An unknown passerby opened the tap and the diesel consequently overflowed into the river. The House of Lords held that Empress Car Company had still “caused” the incident by maintaining noxious substances unprotected. For more information, see https://webstroke.co.uk/law/cases/environment-agency-v-empress-car-co-1999.
The Nuclear Security: Demonstrating Strong Governance and Due Care roundtable and this report are sponsored by the U.S. Department of Energy – Partnership for Nuclear Threat Reduction, the MacArthur Foundation, and the Carnegie Corporation.
We are grateful to the World Institute for Nuclear Security, 39 Essex Chambers, the Security Awareness Special Interest Group, and Nuclear Risk Insurers for their continued support and feedback to this project. Finally, the roundtable and this summary report would not have been possible without the lively debates and insights from the roundtable participants: Nawah, Freshfields, Context, Northcourt Limited, Norton Rose Fulbright, Burgess Salmon, Chatham House, and Westminster Energy Forum.