McAllister defined cyber insurance as a specialized form of coverage that protects organizations from the financial consequences of cyber incidents, like data breaches, ransomware attacks and system failures. These days, it doesn’t take much to spark a large and costly incident.
“I remember reading about an institution that had a laptop stolen that had the personal identifiable information for all their students and their employees,” McAllister said. “It cost about a half million dollars to go through the forensics and the notifications and getting the credit monitoring for them.”
This is one of the first major cyber incidents McAllister remembers encountering. At the time, he said, even a large incident like this was not a compelling case for cyber insurance due to the variability of coverage. Each company had a different policy that covered different types of incidents. He estimates there were 30 or 40 different forms of cyber insurance on the market.
Today, McAllister said, there is much more overlap among types of coverage, which is in part linked to a better understanding of the major threats to higher education cyber infrastructure.
“Now, probably 90 percent of the policies that are being issued have consistency,” he said.
Policies today will cover incidents like the recent CrowdStrike issue, where a “bad actor” is not responsible, McAllister said. Where previously schools might look for a property policy to cover downed systems, cyber insurance now includes this.
Jodi Ito, chief information security officer at the University of Hawaii System, said cyber insurance companies have increased the number of questions they ask institutions before they create a policy. She said that the questionnaire was 53 pages long in 2021 and has more than doubled in three years, sitting at 116 pages in 2024.
While cyber insurance policies have grown more similar, their acquisition and use look different at different institutions.
For Juan Azcarate, senior director of risk management at Dallas College, the key to successful cyber insurance lies in fostering partnerships between risk management, IT, procurement and legal teams. At Dallas College, he said, these groups meet monthly to ensure they’re on the same page about cyber issues and goals. For example, the group evaluates vendor requirements for cyber insurance on a case-by-case basis.
“It takes a village to get this done, because there’s a lot of moving parts,” he said.
In contrast, at the University of Hawaii, the risk manager takes the lead on procuring and assessing cyber insurance, Ito said, but it is still important that other IT professionals understand the coverage and how to file a claim.
Because each institution has a different structure, McAllister recommended that university leaders work closely with insurance brokers that meet the specialized needs of their institution.