When Jamie Britto wrote an article for Net Assets in 2015 describing a cyberattack at Collegiate School, where he was then working as chief information officer, the world was a different place. Cyber breaches certainly were not unheard of at the time, but in the seven years since, they have become much more commonplace, with hundreds — perhaps thousands — of K-12 public and private schools falling victim each year. Ransomware attacks alone have doubled since the onset of the COVID-19 pandemic, and ransoms have increased sevenfold, according to some estimates.
Cyber insurance has also changed dramatically in the last seven years. What was once a fairly straightforward, inexpensive add-on to standard insurance policies now has become an essential component of a school’s coverage — and often a costly and complex one as well.
With the increased number and severity of cyberattacks, which include ransomware, malware, phishing and social engineering, “the underwriting appetite for cyber-related risk has diminished dramatically,” said Cheryl McDowell, vice president of the education practice at Bolton & Co., an insurance brokerage. “This has become painfully obvious for our schools as underwriters are more stringent in terms of mandatory security measures, including strong cyber/IT policies, procedures and protocols.” McDowell noted the trend toward decreased limits of liability, “skyrocketing” pricing and a “more lengthy, tedious application process [for insurance], involving very technical IT-related questions and information gathering.” She also noted that increased deductibles mean that schools are “forced to participate in the financial exposure to risk at a much higher level than they have in the past.”
Help Is On the Way
To help mitigate this growing and evolving challenge, NBOA is partnering with the Association of Technology Leaders in Independent Schools (ATLIS) to review and release an updated resource, “Guidance on Cyber Insurance for Independent Schools.” We expect this resource for understanding and purchasing appropriate cyber liability insurance coverage for your school will be available later this fall. It will provide insights from technology experts, school business officers and insurance professionals.
I recently spoke with Britto, now director of technology at Lakeside School in Seattle, who applauded the collaboration between NBOA and ATLIS. “It will serve as a rallying point,” he says, “for the right people to be in conversation about all aspects of cyber insurance.”
Part of the topic’s complexity is that it is both a tech and a risk management issue, involving representatives from both the IT department and the business office. Your school’s IT director will of course be the person to identify which security measures are already in place and, more importantly, which still need to be implemented, as well as their cost. It may take some time to add these necessary preventive measures, so this analysis should be the first step in the conversation.
The business officer can provide perspective on your school’s particular risk tolerance. This could include a cost-benefit analysis of needed security improvements as well as the amount and type of coverage most appropriate for your circumstances. Cyberattacks must also be viewed in the larger context of potential risks to the school. What other safety and security policies and procedures does the school already have in place, and how is risk tolerance measured and addressed?
“On a risk management heat map, cybersecurity has certainly gotten very hot,” said Ann Marie Tidona, director of finance, operations and strategic projects at Friends Academy in Locust Valley, New York, and board treasurer on the NBOA Board of Directors. A few years ago, the school engaged a firm to conduct a cybersecurity risk assessment and gap analysis, and as a result hired a full-time network and cybersecurity manager. “We have enhanced our protocols and policies such as instituting multi-factor authentication (MFA) and routine phishing simulation and user education,” explained Tidona. “We have also augmented endpoint protection and traffic monitoring.” After these steps, school leadership felt ready to conduct the first penetration test, “the results of which are informing additional measures as well as the interval and scope of future testing.” While the effort has been significant, Tidona recognizes that the process is “constant and requires ongoing monitoring.”
Realize, as Britto notes, that nearly everything you do to secure the school is going to create inconvenience or add an expense to the budget — and, in most cases, both. To make sure that these necessary improvements are understood and accepted by the school community, the school’s leadership team needs to be part of the conversation and on board with the decisions from the very beginning.
Community Considerations
As you use the “Guidance on Cyber Insurance” to better understand the potential costs of a data breach, ransomware attack, or compromised email addresses, it is also prudent to consider potential harm to the school’s reputation. Because of the increased prevalence of breaches, the mere fact that a school has become a victim will itself likely not lead to significant reputational damage, said Britto. What will matter, though, is how prepared the school is before the attack, how the leadership responds after one occurs, and how clearly this information is conveyed. Having appropriate cyber insurance coverage, with its concomitant security protocols in place, will go a long way in assuring your school community that you operated with foresight and care.
It is likely obvious by now that “the conversation” about security upgrades and cyber insurance will actually be a series of discussions among school leaders. For this reason, it is important to start the process early, several months before you plan to update your insurance coverage; this is particularly true if you will need to add security measures in order to make your school more attractive to cyber insurance carriers.
As much as we’d like to provide a silver bullet, there is no one-size-fits-all solution. Together, the wide variety of cyber threats, the different types of coverage available, and the school’s capacity, resources and risk tolerance result in many choices for possible approaches. The ATLIS-NBOA resource will help schools choose which of many options is most appropriate for their situation. In addition to the “Guidance on Cyber Insurance for Independent Schools,” an insurance broker and/or security firm can help with policy terms, applications and a needs assessment respectively.
Britto offered one final piece of advice during our recent conversation. It will be tempting, he said, to focus on “this year’s big threat,” whatever that might be. Threats change and evolve, however, and no one can predict with certainty how or when your school might be the victim of a cyberattack. For that reason, Britto recommends a multi-year policy with comprehensive coverage; three years is likely the safest choice for a maximum policy length, he said, due to the constantly changing nature of these threats.
We have now, unfortunately, moved past the point of simply hoping a cyberattack never happens to us. Schools of all sizes and resources need to take appropriate security measures and seriously consider adding cyber insurance coverage. ATLIS and NBOA will help you to navigate this timely and complex process with greater ease and more confidence.
Follow NBOA President and CEO Jeff Shields @shieldsNBOA.