Ask a School Insurance Underwriting Expert: What Does a Cyber Policy Cover?

Kevin Beer, President, Wright Specialty Insurance • February 16, 2023

Ask a School Insurance Underwriting Expert is a quarterly column addressing insurance and risk management related questions for ABACC members. 

If you have a question for Kevin Beer, please submit it via email


Question: In Layman’s Terms, What Does a Cyber Insurance Policy Cover?

Great question! It’s important to understand your policy coverage, as schools are a target for bad cyber actors who may cause operational delays and potentially expose the school’s personally identifiable information (PII).

Not all cyber policies are equal. Many changes have occurred in the marketplace including high rate increases, reduced limits, higher deductibles and narrower coverage terms. Depending on your individual policy and exposure makeup, coverages may differ, but typical coverages you should look for in your cyber insurance policy include:

  • Incident response costs. Coverage for costs to notify those affected by a cyber breach at a school such as parents, students and teachers. This coverage also handles fines and penalties levied by government entities, which put the cyber exposure cleanup responsibility on schools (some of which are due to lax security).
  • Information technology security and forensics costs. Coverage for costs to secure a breached network or asset and to investigate the incident.
  • Cybercrime. Coverage for damage costs related to thefts of funds and records. This coverage usually responds to ransom demands, which is controversial. Governmental authorities often discourage schools and other cyber victims from paying any ransoms. There’s certainly an argument that such coverage is morally questionable, and over time it’s becoming less common to meet ransom demands.
  • Systems damage and business interruption. Coverage for costs to restore an out-of-operation computer system due to an attack as well as lost productivity.

Since underwriting cyber policies has become more complex, there are additional issues that could affect the availability of coverage including:

Multifactor Authentication (MFA)

This is the security practice of restricting access to systems until a secondary means of confirmation has been approved. Unfortunately, the multifactor authentication tool doesn’t work fully in the education sphere with its diverse users and divergence of their concerns. To illustrate, schools must have open system access to multiple types of users—teachers, administrators, students, alumni, parents and service providers. This range of users, and the varied information they need to access, creates a risk to school systems. With a large number of records containing personally identifiable information (including medical records and Social Security numbers), schools have become a target for cybercriminals who see value in stealing this information. Many insurers won’t issue coverage to schools without MFA security tools in place. The only concession seems to be that a few insurers are allowing schools 60 days to implement MFA after the beginning of the policy year.

Legacy System Issues

It’s not uncommon for educational institutions to have antiquated systems and security measures needing upgrades. For this reason, schools of all types are viewed as soft targets by the cyber security community.

Risk Management Practices

Educational institutions that successfully manage cyber risk without security breaches are usually treated more favorably by insurers during quoting and renewal periods in a market that has become increasingly difficult.

The most important risk management tool is annual cyber risk awareness training. This instruction teaches users who have access to PII how to identify and address the various cyber threats, including phishing, malware attacks and ransomware. According to a recent IBM “Cyber Security Intelligence Index Report,” human error was a contributing factor in 95% of all cyber breaches, making user awareness training a top priority. As expected, the most common interface between systems and users is email, which is key to any system’s defense.

Additional good risk management practices are adding firewalls, updating technologies, replacing legacy systems, and discarding old email servers.

Checklist items for school cyber risk management include:

  • Store critical data backups off premises and test them regularly. If a cyber criminal destroys data or holds it for ransom, backups are a lifeline. With regular backups, a school may only lose hours or a day of data rather than losing all its data. While the data records might be stolen, once the regular backups are retrieved, the school should be able to get back to some level of normal operations relatively quickly.
  • Test for phishing by sending out system user emails to monitor responses. Check for system weaknesses by utilizing vulnerability or network penetration testing (hire a consultant or use internal IT experts if financial resources are available). Some schools do no testing, while others may do sophisticated testing as a private corporation might do.
  • Employ end-to-end encryption to stop cyber criminals from extracting data. Monitor the IT environment on a regular basis to identify signs of suspicious or inappropriate activity. Detecting an attack as early as possible is key to stopping the attack and minimizing damage.

About the Author: Kevin Beer is president of Wright Specialty Insurance, an underwriting manager of specialty insurance and risk management solutions for public and private universities, colleges and K-12 schools. Visit their website or call (877) 976-2111.
