The Keenan Blog

Blog

Schools May Not Receive Cyber Coverage Without Implementing Cyber Controls by July 1

Cyberattacks used to be a mere blip on the radar screen for insurance underwriters. Today, cyber-crime against public entities and schools has increased tremendously. Hackers are extorting millions of dollars in ransom, and the number of claims is increasing.

Last year was a tough one for everyone in the public entity insurance world. When the cyber insurance renewal date of July 1, 2021 arrived, many public entities couldn’t demonstrate that they had proper controls in place, and, in some cases, cyber carriers refused to provide coverage. In other cases, coverages were reduced, deductibles were increased, and premiums skyrocketed – even then, they were lucky to get this coverage without proof of proper controls.

As we approach the next renewal date of July 1, 2022, the environment continues to be difficult for public entities and any organization looking to secure cyber coverage. Recent feedback from the market indicates cyber coverage might not be available if entities cannot demonstrate proper risk controls are in place. At AP Keenan, we knew this would be a possibility. So, we have been doing all we can over the past year to help K-12 schools and community colleges put controls in place to prevent and mitigate cyber-attacks and maintain coverage.

We started with helping schools and community colleges meet the best practices that were outlined by their cyber carrier. These best practices included items such as processes for implementing encrypted data backup, multi-factor authentication, data segmentation, and password policies. At that time, there was an incentive from carriers that allowed members to cut their deductible by 50% with proof of these best practices. Moving forward, this carrot will likely get replaced with a stick. If members do not have these best practices in place, they likely will not get coverage.

When first identifying ways to help, we immediately learned that the number of resources is overwhelming. Some of it is free, and some is very costly. Ultimately, we realized the most helpful resources were those that were targeted to K-12 schools and community colleges and took into account their unique culture. More specifically, we learned about the value of crowdsourcing organizations.

Work with Info-Sharing Organizations
One national organization that AP Keenan is especially proud to be associated with is K12 Security Information Exchange (K12 SIX). They are a non-profit cyber threat intelligence sharing hub aimed at preventing and mitigating cyber threats for K-12 schools.

One of the most valuable aspects of this forum is it allows schools to share things such as best practices, policies, challenges, breach experiences, and breach solutions amongst themselves. In addition, K12 SIX provides a platform to alert members of any cyber threats targeted to schools, giving them a head start on preventing serious breaches. Finally, a critical component of this group is that they not only understand the technical aspects of implementing controls, but the cultural aspects of getting controls implemented in a K-12 school environment, which can be quite challenging.

For community college districts, we have found similar higher education crowdsourcing groups, such as EDUCAUSE and REN-ISAC. We are currently working on similar partnerships with them to get our members connected. One thing to note about crowdsourcing is that, even though it sounds like a simple concept, it’s difficult for some to grasp. Until they experience it for themselves, it’s hard to sell people on the value of being a member. We have found the best way to garner interest is to have schools talk to their peers that are already members. This has been the key to getting more people involved.

Additional Community College Resources
In many cases, there are great resources sponsored by governmental organizations and others that are provided at no cost. For example, the California Community Colleges Information Security Center, funded by a grant through the California Community Colleges Chancellor’s Office, is an excellent resource dedicated to helping community colleges prevent cyber-attacks. They provide services such as vulnerability assessments, phishing assessments, and security gap analyses at no cost.

Moving into the Future
Another cyber challenge for schools is the threat of ransom demands from cyber criminals. Operating in “gangs,” some hackers have selected schools as a niche target and have become experts in exploiting schools’ weaknesses. Ransom demands in exchange for the release of school data are often millions of dollars, and losses can amount to more than money. Some schools have had to come up with temporary systems or shut down for a week or more.

At the moment, schools are still permitted to pay ransom to many hackers because the criminals are typically outside the country and outside of federal jurisdiction. In other cases, the criminals are on the U.S.’s national terrorist list, and schools are not permitted to pay them ransom.

Today’s question is: will schools always be permitted to pay ransom? There is a great deal of debate on this topic right now, and the State of Virginia is one of the first to propose a bill that would prevent public entities from paying ransom. On the one hand, such laws might reduce ransom attacks, as schools would become less profitable, desirable targets. On the other hand, schools could become paralyzed, unable to access their data and without recourse when under attack. The debate is sure to continue, so set a Google alert and be sure to stay current on the topic.

Begin Now
You never believe a cyber-attack could happen to your school until it does. We implore schools to look at the resources mentioned in this blog and work to implement change now. Talk to other schools to learn from each other, and check out AP Keenan’s SAFER cyber landing page, as well.

The cyber insurance renewal deadline of July 1, 2022 is fast approaching, and you don’t want to be in a position where your organization cannot obtain cyber coverage or experiences deductible increases. At AP Keenan, we feel a very real urgency to help our clients be better protected. Take these steps now, and reach out to us if you’d like help getting started.

About Jeff Johnston
Jeff Johnston, Vice President, Property & Casualty, has more than 25 years of experience in the pooling industry. Jeff builds innovative solutions and provides customer service to create savings and security for AP Keenan clients, so they can focus on the education, health and vitality of our communities.