There is no shortage of issues to address this year when it comes to risk management. The Covenant School shooting in Nashville was one of too many active shooter incidents, and safety and security are once again a front-of-mind priority. The U.S. Surgeon General has issued dire warnings against youth use of social media and called the mental health concerns among adolescents a crisis for our times. Both problems are addressed in feature articles in this issue. But what is top of mind for me right now, and what I keep hearing from independent school leaders around the country, is the ever-present threat of cybercrime.
It’s no wonder. More than once in recent years, major vendors to independent schools have been hacked. Whether it’s a potential breach of sensitive information or a temporary shutdown of important systems, these events send school leaders scrambling and families asking questions. A breach puts not only the school's data at risk but also its reputation. And if cybercriminals can attack national and global giants in the software industry, we might wonder: Do our much smaller independent schools even stand a chance? One thing is clear: Schools can’t count on being too small to matter to cybercriminals.
It’s not just anecdote that leads me to believe we should all have our eyes on cybersecurity. According to the SonicWall 2023 Cyber Threat Report, ransomware attacks targeting K-12 schools worldwide grew by 827% from 2021 to 2022, the single largest rise among all the sectors studied. Five years ago, educational organizations barely made the top 10 cybercrime targets, said Robert Olsen, senior managing director and global head of cybersecurity and privacy at Ankura, in a recent conversation. Educational institutions are now one of the top three cybercrime targets, he reported, along with professional service firms and health care organizations.
Why would a big-time hacker be interested in a little K-8 school, for example? Because our schools hold such valuable data: student data, and a lot of it. And we have fewer resources than large companies to protect that data. I am not sure whether it’s a good or a bad thing that I don’t need to explain what ransomware is anymore (Net Assets ran our first feature on the subject in 2016), but it’s clear we are well beyond basic concepts. Threat actors are not only stepping up their ransomware attacks against schools but have also ramped up sophisticated business email compromise (BEC) campaigns, in which a spoofed or hijacked email account is used to trick staff into sending money or data.
Good News in Insurance — For Now
As I noted last fall, when NBOA co-released “Guidance on Cyber Insurance” with the Association of Technology Leaders in Independent Schools (ATLIS), cyber insurance used to be a fairly inexpensive addendum to standard insurance policies. Now it’s a standalone essential with increasingly complex and rigorous requirements for coverage and rising premiums. That’s why we worked with ATLIS to develop this guide to both the basics and best practices. It’s not uncommon to see pages-long applications from brokers asking for evidence that a school has strong cybersecurity controls in place. If those safeguards are missing, premiums may rise or coverage may be declined altogether. Some policies now exclude ransomware coverage entirely, given the rise in incidents.
I recently spoke with Tom O’Neill, management liability and cyber practice leader for the insurer Fred C. Church, who recommends that most independent schools carry an “absolute minimum” of $1 million in coverage. Larger schools, those with budgets of more than $25 million, might want to double or triple that, he said. The good news is that while claims are up, both premium prices and new requirements for coverage have leveled off recently, with premium increases now generally in the range of up to 5%. This is because more insurers have entered the market in the last two years, but this softer market may not last, he warned.
But Insurance Isn’t Everything
Of course, a well-thought-out, holistic cybersecurity plan will help prevent or lessen the impact of cyber-attacks. In the words of Ari Schwartz, who directs cybersecurity services for Venable’s Cybersecurity Risk Management Group: “You’re buying down risk by getting insurance, and insurance is a necessary part of a risk management plan, but building up your defenses is a much better and much bigger part of mitigating risk.”
We should not forget the essential components of a cybersecurity framework, he relayed. These include identifying and controlling who has access to your school’s data; software and hardware firewalls; web and email filters; anti-virus, anti-spyware and other anti-malware programs; full backups of important data in case of a breach or ransomware attack; and a plan for responding to security incidents. One practical note on that list: backups only help if they are kept somewhere an attacker who has taken over the school's network cannot reach or encrypt them, and if restoring from them has actually been tested before the day it matters.
Next Steps
NBOA has developed a number of resources in conjunction with ATLIS (see sidebar at left), which provide a strong starting point for learning the landscape and ensuring your approach is up to date. Additionally, your cyber insurance broker can connect you with a network of vendors that can conduct assessments and help handle the aftermath of cyber-attacks. In the current environment, expertise runs deep; there are now jobs not only for forensic analysts but also for professional ransomware negotiators. You don’t have to go it alone. It goes without saying that we hope your school will never need to engage them.
One area of cybersecurity highlighted by Ankura’s experts that had not crossed my radar is managed detection and response (MDR), an outsourced service in which a provider monitors a school’s networks and devices around the clock for active external and internal threats and responds to them in real time, rather than just sending an alert. The solution is pricey, $40,000 to $180,000 a year for a school depending on the level of monitoring, but MDR could become a requirement for cyber insurance, as multi-factor authentication (MFA) already is. It’s worth keeping an eye on.
And as I’ve said before, it’s important to get everyone involved. All administrative staff must be trained to spot potential cyber fraud, from fraudulent emails asking for gift cards or money to phony voice calls that use artificial intelligence to imitate an administrator’s or vendor’s voice. A simple rule goes a long way: any unexpected request to move money or change payment details is verified by calling the requester back on a number the school already has on file, never one supplied in the message itself. And it’s not just administrators, but trustees as well. When selecting board members, your board might consider bringing on a new trustee with cybersecurity expertise or knowledge.
Navigating the multiple components and threats in the world of cyberspace can seem overwhelming. That’s why it’s on the mind of so many people I talk to. As O’Neill put it, “Business officers and IT directors don’t know what they don’t know, and that’s where a lot of the fear comes from – that’s what keeps them up at night.”
But fear not! NBOA, along with partner associations like ATLIS and knowledgeable business partners in cybersecurity, insurance and law, has resources to help you understand the ever-present danger in the landscape, develop a layered plan and follow through. It’s a brave new world, but one with a strong community of support to help you prepare for it.
Follow NBOA President and CEO Jeff Shields @shieldsNBOA.