Cyber coverage in the public school arena is challenging. In a recent demographic study of K-12 public school districts, school districts with larger enrollments and lower economic metrics were more likely to see a cyber event than those with a smaller enrollment and higher economic metrics. Further, half of all cyber events stem from third-party providers. Ransomware claims are the most common type of cyber incident faced by public schools.[1]
The number of carriers in the market is shrinking, the availability of coverage and higher limits are more difficult to obtain, and insurability is being closely scrutinized. Public schools are considered a “soft target,” meaning they are perceived as highly vulnerable to data breaches or compromise.
Schools and other public entities are seeing rate increases of 30-100% for cyber coverage. Additionally, when renewal policy terms and conditions are offered, they may include reduced limits of insurance, higher deductibles and narrower coverage terms. Qualifying for coverage has become more difficult, as well. Insurance carriers are applying detailed underwriting requirements, including an applicant’s operational exposures and documentation of the implementation and monitoring of cyber security safeguards.
Key focus areas include multi-factor authentication (MFA), integration of legacy systems with newer technology, privileged identity and access management, and the number and structure of service accounts. Budget size, enrollment numbers and claim history are also key factors in determining eligibility for coverage.
The upshot is that markets will no longer provide coverage without significant cyber-security controls in place. Those controls will be discussed further in the Risk Management Section.
Coverage
Cyber insurance is provided on a “modified claims made” basis, and limits of insurance may vary among coverage types. An annual aggregate limit of insurance will be applicable, and defense costs are included within the aggregate limit. Core insurance protections in a cyber policy should include, among other things:
First Party (Policyholder) Damage
- Data Restoration Costs
- Data Re-creation Costs
- System Restoration Costs
- Loss of Business
- Public Relations Services
- Cyber Extortion Coverage
- Forensic Information Technology
- Legal Review
- Notification to parties whose personal information may have been breached or disclosed
Third-party Defense and Liability Coverage
This category includes coverage for defense and settlement costs related to:
- Suits by parties whose personal information was compromised by a data breach
- The breach of third-party business information
- The unintended propagation or forwarding of malware
- The unintended abetting of a denial-of-service attack
Other Cyber Policy Benefits
Two, often overlooked, parts of cyber coverage are the insurer’s response team and available supplemental support services. As soon as you are aware of a cyber event, you should notify your insurance representative for guidance. Typically, you will be guided by the insurer’s incident response team, which will facilitate and coordinate service providers involved in guiding the claim process. That assistance can include guidance from legal, forensic, notification, public relations, and systems operations professionals. Most insurers have a panel of firms the insured can select from. Should a school district want a different firm, it must first seek approval from the insurer before the engagement. Preselection and approval should be discussed with your insurance representative prior to a cyber incident to ensure that the claim process will not be delayed.
Many cyber insurers offer loss mitigation services for policyholders, which may include vulnerability scans, employee training, an online information portal, risk alerts, newsletters, cyber-security consulting and more. Check with your broker to determine what services are available as soon as your policy is placed.
Risk Management Techniques
The following 10 security protocols are sound risk management techniques. Additionally, they cover the guidelines cyber underwriters will examine to determine insurability.
Multi-factor Authentication
A valuable, easily installed feature that validates the identity of an individual signing into an account or system is multi-factor authentication. After the initial successful sign-in, an email, text, or telephone call with a four-to-nine-digit code is sent to a registered device. The code must be entered to gain system access. Without multi-factor authentication in place on remote access, staff email, privileged IT accounts and secure backup systems, there is little chance of obtaining cyber coverage in today’s market. Multi-factor authentication is the standard all insurers are looking for.
Board of Education Policies
Districts and BOCES should implement sound data protection policies that cover acceptable use, strong passwords, scheduled password changes, access control and downloads. Each entity must also have a data protection officer.
Email Filtering
The use of Domain-based Message Authentication, Reporting and Conformance (DMARC) provides protection and verification of emails received internally and externally, reducing the potential for spear-phishing attacks.
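An added example, not part of the original article: a small Python checker that parses a domain's published DMARC TXT record and flags settings that leave a district still exposed to spoofed mail. The sample records and the example-district.org domain are constructed for illustration.

```python
# Added example (not from the original article): parse a DMARC TXT record
# and report whether its policy actually enforces anything. The sample
# records below are constructed, not taken from any real district's DNS.
from typing import Dict, List

def parse_dmarc(txt: str) -> Dict[str, str]:
    """Split a DMARC record ('tag=value; tag=value') into a dict.
    Tag names are case-insensitive; a malformed tag raises ValueError."""
    tags: Dict[str, str] = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed DMARC tag: {part!r}")
        name, value = part.split("=", 1)
        tags[name.strip().lower()] = value.strip()
    return tags

def assess_dmarc(txt: str) -> List[str]:
    """Return findings an admin or underwriter would care about.
    An empty list means the record enforces a policy and reports back."""
    findings: List[str] = []
    try:
        tags = parse_dmarc(txt)
    except ValueError as exc:
        return [str(exc)]
    if tags.get("v") != "DMARC1":
        findings.append("v=DMARC1 tag missing or wrong; receivers will ignore the record")
        return findings
    policy = tags.get("p")
    if policy is None:
        findings.append("required p= tag missing")
    elif policy == "none":
        findings.append("p=none only monitors; spoofed mail is still delivered")
    elif policy not in ("quarantine", "reject"):
        findings.append(f"unknown policy value p={policy}")
    if tags.get("sp") == "none" and policy in ("quarantine", "reject"):
        findings.append("sp=none leaves subdomains unprotected")
    pct = tags.get("pct", "100")          # DMARC default is 100
    if not pct.isdigit() or int(pct) < 100:
        findings.append(f"pct={pct}: policy applied to only part of the mail stream")
    if "rua" not in tags:
        findings.append("no rua= address; aggregate reports will never be received")
    return findings

# Constructed sample records for a placeholder district domain
MONITOR_ONLY = "v=DMARC1; p=none; rua=mailto:dmarc@example-district.org"
ENFORCING = "v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc@example-district.org"
```

Run `assess_dmarc()` against the TXT record returned by a `dig _dmarc.<domain> TXT` lookup; a non-empty list is the gap to close before renewal.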
Personally Identifiable Information (PII)
Protection of PII is critical; all PII data at rest or in transit should be encrypted.
Firewall Security and Other Protections
Which countries’ emails can pass through your firewall? Most districts and BOCES limit permission to the U.S. and Canada and block all others. Revisit country codes granted permission on your IT system. It’s also important to have procedures in place to temporarily open other country codes for student coursework or projects.
Endpoint and malware protection are other essential tools for preventing viruses and detecting malware in systems. Software patches must be kept current and applied as new versions are released. Proper system configurations are also critical.
System Vulnerability Testing
Regular penetration testing and vulnerability scans help keep systems operating at peak performance and close vulnerabilities before they lead to breaches or compromises. Many insurers and third-party providers have tools to aid in testing.
Regular Back-ups
Regularly backing up mission-critical data is a must. There must be redundant protection for backed-up data, including an offsite copy on an air-gapped server. Data must be stored on two forms of media. Districts and BOCES should also be testing to ensure that back-ups are complete and will allow for minimal data loss and downtime if compromised. Don’t be like the Titanic. Ensure you have an adequate number of “lifeboats” ready for use.
Incident Response Plan
As in other school emergencies, an Incident Response Plan for cyber breaches or compromises must be developed. Drills using different scenarios must be conducted. Vulnerabilities or other gaps identified must be incorporated into the plan and other protection areas as required.
Employee Training
NYS Ed Law 2-d requires that employees receive annual training in. Since phishers are getting smarter, it is essential to train and regularly test your employees in how to protect against harmful phishing emails. Spear-phishers are waiting for one mistake to cash in.
Security Information and Event Management Software (SIEM)
There are many providers of SIEM software. Districts and BOCES should review different programs and find what works best for their systems. One size does NOT fit all.
In summary, always remain vigilant. Watch out for viruses of every sort. No one wants to read “We got your data and …”
[1] The State of K-12 Cybersecurity: Year in Review, 2022 Annual Report, K12 Security Information Exchange, July 2022
Frederick Black, Director of Underwriting
Brett Carruthers, Director of Risk Management
Anthony Fardella, Senior Underwriter