Schools are in business to educate kids. Yet in 2022, educators can be distracted by managing cyber risk, which costs money and disrupts school operations.
Since March 2017, K-12 schools have experienced an estimated 1,000 cyber incidents, “resulting in mass identity theft, the loss of hundreds of millions of taxpayer dollars, and the loss of significant instructional time,” according to the K-12 Cybersecurity Resource Center, which tracks publicly disclosed school cyber incidents.
K-12 schools were the target of 57% of reported ransomware incidents in late 2020, according to a Joint Cybersecurity Advisory from various agencies, including the FBI.
Schools are now a target-rich environment for bad cyber actors. A cyber loss can bring a school to a standstill and expose the personal information of multiple parties.
Cyber risk management and coverage for schools are different in 2022 than in 2021. Issues include finding adequate coverage, multifactor authentication, legacy system issues and risk management practices.
K-12 schools face a shortage of insurance capacity and increased cost for coverage. This is shown by the 25% to 300% rate increases in cyber insurance that school insurance buyers face. Other restrictions include reduced sublimits, higher deductibles and narrower coverage terms.
In 2022, schools of all sizes are facing harder questions from underwriters. And schools with larger budgets are facing insurance markets that are hardening more than for smaller-budget institutions. The larger the budget number, the more complex the risk can be in the eyes of underwriters.
Educational institutions can struggle to keep up with evolving cyber risks. A school’s financial resources and the makeup of its technology department affect its ability to respond quickly and avoid cyber incidents.
Overall policy limits tend to start at $1 million for many schools. Cyber coverage tends to be relatively new for many of these entities.
Cyber liability policies are typically rated with one premium for all categories of coverage; therefore, there is no indication in the overall premium of which coverage areas might be more affected by rate increases.
An exception to this is ransomware coverage, which is driving up premium cost. Coverage is not a combined single limit; rather, the standard $1 million policy limit is an aggregate limit.
Let’s look at the specific coverages in a typical cyber insurance policy:
- Incident response costs. This coverage is for costs to notify those affected by a cyber breach at a school, such as parents, students and teachers. It also covers fines and penalties levied by government entities, which are putting the onus on schools to clean up after cyber messes (some of which are due to lax security).
- Information technology security and forensics costs. This is for the costs of securing a breached network or asset and investigating the incident.
- Cybercrime. Intended for damage related to thefts of funds and records, this coverage usually responds to ransom demands. This has raised some controversy because governmental authorities often discourage schools and other cyber victims from paying ransoms. There’s certainly an argument that such coverage is morally questionable, and over time it’s become less common to meet ransom demands.
- Systems damage and business interruption. This coverage is designed for the costs of restoring an out-of-operation computer system due to an attack, as well as lost productivity.
Insurers that once asked few questions about cyber risk are taking a hard line in underwriting and asking more in-depth questions. Others have gotten out of the marketplace for schools entirely.
Cyber policy nonrenewals are a potential outcome if the policyholder has had a claim or has not taken the appropriate risk management precautions. While that outcome is not as common as rate increases or restrictions on coverage, it can expose a school to significant risk should it be targeted by hacks, phishing or ransomware.
When schools shop for coverage from another insurer, a prior cyber claim will likely raise a red flag in underwriting, as it does in other lines of business.
Multifactor authentication (MFA) requires a user to confirm their identity through a second, independent factor beyond a password before access to a system is granted. Many insurers won’t issue coverage to schools without MFA.
But this security tool doesn’t work fully in the education sphere because of the diversity of users and the divergence of their concerns. To illustrate, school districts must keep open access to a plethora of users — teachers, administrators, students, alumni, parents and service providers.
The range of security practices among these groups of users is a risk to school systems. Since K-12 school districts have a large number of records containing personally identifiable information, including medical records and Social Security numbers, they have become a target for cybercriminals who see value in stealing this information.
Some teachers unions have objected to using MFA because it would require their members to use personal devices. Nonetheless, insurers are requiring MFA; the only concession seems to be that a few of them are giving schools 60 days to implement MFA after the beginning of the policy year.
Legacy system issues
It’s not uncommon for educational institutions to have antiquated systems and security measures in place. One of the reasons for this is the lack of pressure put on not-for-profit public schools to implement MFA, email security and other cybersecurity measures. Likewise, training has lagged in the K-12 world.
Risk management practices
Educational institutions that better manage cyber risk are usually treated more favorably upon quoting and renewal. The most important risk management tool is cyber risk awareness training. CBS News reported in 2021, though: “While most educators said they rely on virtual and remote learning tools, 60% of teachers say they have received no additional security training during the pandemic, and half of the respondents have not received any cybersecurity training.”
Other good risk management practices are firewalls, updated technology, replacement of legacy systems, and discarding old email servers.
Some of the checklist items in cyber risk management for schools are:
- Are backups of critical data being stored off premises?
- Are backups being tested?
If someone destroys or holds data to ransom, backups can be a lifeline. With regular backups, a school usually would lose only hours or a day of data, rather than losing all its data. While the data records might be stolen, there are copies of the data to fall back on.
- Is the school testing for phishing by sending out emails to see users’ response?
- Is the school doing vulnerability testing (by hiring a consultant or otherwise checking for weaknesses)?
The use of vulnerability testing often depends on the sophistication and financial resources of a school. Some schools do none, but others do all the testing that a private corporation would do.
Similar to vulnerability testing is network penetration testing.
Email still poses a significant risk for schools. Hosted email providers are seemingly ubiquitous and inexpensive, yet many schools continue to run their own email servers, which exposes them to higher risk.
Kevin Beer is president of Wright Specialty Insurance, a unit of Brown & Brown Inc. and a specialty provider of property/casualty insurance programs and risk management solutions for public/private universities, colleges, K-12 schools and government entities.