What to look for in a School Cyber-Insurance Policy

Cyber-risk is like any other risk. It can be transferred, mitigated or accepted. The two most significant ways to transfer cyber-risk are to move key data to the cloud, where third parties take on the lion's share of the responsibility for protecting them, and to put in place appropriate cyber-insurance. 

In this article, Mark Steed, the Principal and CEO of Kellett School in Hong Kong, shares some lessons that Kellett has learned when it comes to finding the right cyber-insurance policy for your school. 

Background – Ransomware Attack  

In October 2020 Kellett School in Hong Kong was subject to a ransomware denial-of-service (DoS) attack orchestrated by a Russian criminal hacker group. The attack prevented access to all the data which were held on our local on-premises servers, including all of our finance and HR data. We decided not to pay the ransom, but it took over three weeks to restore our data from backups and another month to get back up to date. 

This incident spurred the senior team to put in place a number of measures to protect the school from the impact of any future cyber-attack, including a review of our cyber-insurance provision. 

The school has come a long way in the past couple of years and we recently achieved ISO 27001 accreditation – one of a handful of schools in the world to attain this gold standard in Information Security. 

Here are six things to look for in a cyber-insurance policy: 

1. Understanding the threats 

Before selecting a policy, it is vital to have a thorough understanding of the threats facing your school. Cyber threats are not limited to data breaches; they encompass a wide range of incidents, such as: 

  • Data breaches: Unauthorized access to sensitive data, including personal information of students, faculty, and staff, and confidential school records. 

  • Ransomware attacks: Malicious software that encrypts your school's data, rendering it inaccessible until a ransom is paid. 

  • Denial-of-service attacks: Attacks that flood your school's network with excessive traffic, making online services unavailable for legitimate users. 

  • Phishing attacks: Fraudulent emails or messages sent to trick faculty, staff, or students into revealing sensitive information or downloading malicious software. 

  • Cyberbullying and harassment: The use of digital communication tools to harass, intimidate, or harm students and staff. 

  • Insider threats: Unauthorized access or misuse of school data by employees or other trusted individuals. 

A comprehensive policy should address the various threats your school might encounter and provide coverage for the potential damages and costs associated with them. 

2. Coverage Scope 

A cyber insurance policy should provide broad coverage to protect against the multiple threats that schools face. Some essential components of a policy should include: 

First-party coverage 

This covers costs associated with a cyber event affecting your school, such as: 

  • Data recovery and system repair: The expenses incurred to restore and recover lost or damaged data and repair compromised systems. When the Harris Federation suffered a ransomware attack in the UK, it cost them £500,000 to restore and recover their data, even though they did not pay the ransom. 1 

  • Notification and credit monitoring: The costs associated with notifying affected individuals of a data breach and providing credit monitoring services to help mitigate potential identity theft. 

  • Public relations and crisis management: The expenses related to managing the aftermath of a cyber event, such as hiring a public relations firm to manage communications and maintain your school's reputation. 

  • Cyber forensic investigation: The costs of hiring cybersecurity experts to investigate the incident, identify its cause, and recommend steps to prevent future occurrences. 

Third-party coverage 

This covers costs related to claims made against your school by third parties affected by a cyber incident, such as: 

  • Legal defence: The costs of defending your school against lawsuits, including attorney fees, court costs, and other legal expenses. 

  • Settlements and damages: The financial settlements or damages awarded to third parties as a result of a successful lawsuit against your school. 

  • Regulatory fines and penalties: The fines and penalties imposed by regulatory agencies for non-compliance with privacy and data protection laws. 

Cyber extortion coverage 

This covers costs associated with ransomware attacks and any associated ransom payments made to recover your school's data: 

  • Ransom payments: The cost of paying the demanded ransom to regain access to encrypted data. The level of ransom demands varies hugely, but £500,000 is not uncommon, as in the case of Wootton Upper School in Bedfordshire.2 

  • Professional negotiation services: The fees for hiring professional negotiators to handle communications with cyber extortionists and attempt to reduce the ransom amount. 

Business interruption coverage 

At Kellett, we were very fortunate in that the ransomware attack did not impact on our core business function of delivering teaching and learning because we had moved our Management Information System to the Cloud and were using Google Classroom as our teaching and learning platform. 

However, it is important that schools have business interruption cover in place, which would reimburse lost revenue and additional expenses arising from the disruption of your school's operations following a cyber event: 

  • Lost revenue: The income your school loses due to the inability to operate as a result of a cyber-attack. 

  • Extra expenses: The costs of temporary measures taken to continue operations, such as renting alternative facilities or equipment. 

3. Limits and Deductibles 

It is essential to evaluate the limits and deductibles of a policy to ensure it meets your school's needs. In particular, it is important that your school assesses the potential financial impact of a cyber event and chooses a policy with limits that can adequately cover those costs. Additionally, ensure that the deductible is manageable for your school's budget. 

  • Aggregate policy limit: The maximum amount the insurer will pay for all covered claims during the policy period. It is increasingly common for insurers to only cover one major claim during the policy period. In adopting this approach, the insurance industry is, in practice, forcing schools to invest in their cyber-security measures. 

  • Per-incident limit: The maximum amount the insurer will pay for a single covered claim. 

  • Deductible: The amount your school is responsible for paying before the insurance coverage kicks in. 

4. Incident Response and Support Services 

A good cyber insurance policy should offer incident response and support services to help your school navigate a cyber event. These services may include: 

  • Legal support: Access to legal professionals experienced in handling cyber-related incidents and navigating the complex landscape of privacy and data protection regulations. 

  • Public relations assistance: Expertise in managing communications with the public, the media, and other stakeholders to minimize reputational damage. 

  • Cybersecurity experts: Access to professionals who can help your school mitigate the impact of a cyber-attack, identify vulnerabilities, and recommend security improvements. 

At Kellett we now also have an emergency retainer with a third-party company, which will manage any cybersecurity crisis we face. The firm is pre-authorised by our insurer and already has a basic understanding of our systems, saving important time in the event of a crisis. 

5. Cyber Risk Management Services 

Some insurance providers offer cyber risk management services as part of their policies. These services can help your school proactively identify and address potential vulnerabilities in your systems, reducing the likelihood of a cyber event. Look for a policy that offers these services to help your school stay ahead of emerging threats. 

6. Policy Exclusions 

As with any insurance policy, it is crucial to review any exclusions within the policy's terms. Some policies may exclude specific types of incidents or limit coverage in certain situations. Examples of common policy exclusions include: 

  • Acts of war or terrorism: Cyber incidents resulting from acts of war or terrorism are often excluded from coverage. This is because such events may be too extensive and costly for insurers to cover. 

  • Bodily injury or property damage: Most cyber insurance policies focus on covering financial losses and expenses stemming from cyber events, not physical damages or injuries. These types of damages are typically covered under general liability policies. 

  • Unencrypted devices: Some policies may exclude coverage for losses resulting from the use of unencrypted devices. Insurers may view the failure to encrypt sensitive data as a lack of proper security measures, making it more likely for a breach to occur. 

  • Contractual liability: If your school has agreed to indemnify a third party for cyber-related losses in a contract, the insurer may exclude these claims from coverage. Be sure to thoroughly review your contractual agreements and discuss any concerns with your insurance provider. 

  • Social engineering: Social engineering attacks, such as phishing, are becoming increasingly common. However, some policies may exclude coverage for losses resulting from these attacks. If this is a concern for your school, look for a policy that specifically includes coverage for social engineering losses. 

  • Failure to maintain security: If your school fails to maintain reasonable security measures, such as updating software, patching vulnerabilities, and training employees, the insurer may deny coverage. It is essential to keep your school's cybersecurity practices up-to-date to maintain coverage. 

  • Prior knowledge: If a policyholder had prior knowledge of a cyber event or vulnerability before the policy's inception date, the insurer may deny coverage for any resulting claims. To avoid such exclusions, ensure that your school discloses any known cyber issues when applying for coverage. 

It is important that schools note and act on any exclusions, for example by adopting a policy of encrypting all devices. 

Invest in Cybersecurity to get lower insurance premiums 

Anyone who has filled in the detailed questionnaires when applying for cyber-insurance will know that insurance companies are collecting ever greater amounts of increasingly aggregated data to assess the insured cyber-risk. This trend is only set to continue, as the insurance industry grapples with the global rise in cyber-attacks and their spiralling associated costs. 

Insurance providers already favour those schools which demonstrate a commitment to maintaining a robust cybersecurity posture, recognising that organisations with strong security practices are less likely to fall victim to cyber-attacks. As a result, we are beginning to see the level of the premium tied to the maturity of the school's cybersecurity. 

It therefore pays for schools to implement additional security measures which cost the school nothing, such as two-factor authentication (2FA) or requiring all employees to use more complex passwords. 2FA adds an extra layer of security to user accounts by requiring a secondary verification method in addition to a password. This makes it more difficult for cybercriminals to gain unauthorised access to sensitive information.  

If schools want to go further, achieving the internationally recognised ISO 27001 accreditation signifies that an organization has met recognized standards for information security management. Over time, the school will undoubtedly recoup the investment costs of obtaining the accreditation through the lower cyber-insurance premiums.  

By showcasing a proactive approach to cybersecurity through the adoption of advanced security measures and adherence to industry standards, schools can not only better protect themselves from cyber threats but also potentially benefit from reduced insurance premiums. 

Cyber-Insurance is not a silver bullet. 

Cyber insurance, while an essential component of a school's risk management strategy, should not be seen as a silver bullet against cyber threats.  

It is crucial for schools to recognize that insurance policies are designed to address the financial implications of cyber incidents, not to prevent them.  

To effectively mitigate cyber risks, schools must adopt a proactive approach by implementing robust cybersecurity measures, such as firewalls, antivirus software, and intrusion detection systems.  

Additionally, schools should prioritize employee training to raise awareness about phishing attacks, social engineering, and other common cyber threats. Regularly updating software, patching vulnerabilities, and employing strong access controls further strengthen a school's overall cybersecurity posture.  

In summary, a comprehensive approach to cybersecurity that combines both cyber insurance and proactive security measures can better protect schools from the ever-evolving landscape of cyber threats. 


This article was originally published in the UK Independent Schools' Bursars' Association (ISBA) publication The Bursar's Review - Summer 2023 pp.24-30

If you would like support in improving your school's resilience against a cyber-attack, then please contact us at Steed Education. More details can be found on the Cybersecurity page of the website.
