For colleges and universities, insurers typically provide coverage for general liability, property, employee liability and employment practices liability. That landscape is changing quickly as higher education becomes an attractive target for attackers seeking personally identifiable information (PII) and valuable research data, and as institutions increasingly fall victim to phishing and ransomware. As a result, the insurance portfolio of many institutions now includes cybersecurity insurance (CSI), and it is becoming an integral part of the overall insurance strategy for universities and colleges worldwide. Just as the forensic investigators in the TV drama “CSI” solve cases through lab science, higher education now needs to research, investigate and position its campuses to obtain cybersecurity insurance that protects the institution, its data and its employees from the costs and losses of cyber crime.
As institutions continue to monitor threats and strengthen their cybersecurity posture, they must also prepare their environments to be “cyber-insurable.”
Katherine Mayer, associate vice president for information security at the University of Wisconsin, emphasizes, “The nature of higher education demands a collaborative, teaching, learning and research environment routinely based on an open, shared technology. This demand is often at odds with tight security controls. Additionally, the threat is becoming more sophisticated and agile, and the frequency of cyber attacks is on the rise. Many institutions of higher education are pursuing coverage for their cyber liability insurance to focus on catastrophic event(s) that might occur.”
In some ways, higher education can take cues from corporate business, which has embraced cyber insurance as part of protecting itself. Bob Turner, field CISO for higher education at the cybersecurity firm Fortinet, says, “Larger corporations often have more business rules and increasing challenges in meeting compliance requirements. They also see the value proposition connected to a well-run cybersecurity program.” Turner points out the importance of higher education making cyber risk a business imperative. He states, “Security should be woven together into a fabric that protects institutional resources and people by using tools engineered to work together.”
Cyber insurance is sold by many of the same insurers businesses use, including Berkshire Hathaway, Hartford, Liberty Mutual, AIG, and Lloyd’s of London, a British insurance market whose members join together “to form syndicates to insure risks,” according to its website. Insurers require specific cyber risk controls as a condition of coverage. Businesses face the same challenges as higher education in implementing those controls, but private companies often have more leverage to enforce appropriate cybersecurity policies and practices.
For institutions to better position themselves to obtain cyber insurance, Turner suggests creating “data-centric strategies which offer real-time protection by continually assessing and remediating risk across all IT and data assets.” In addition, he says, institutions should provide “access controls which give visibility of all devices within their network, including devices connecting employees from remote locations.” Lastly, Turner argues it’s necessary to have SSO (single sign-on) and privileged access management, secure application and system development, and continual security learning for users, IT and cybersecurity staff.
Several factors can hurt an institution’s ability to obtain cyber insurance. A previous security breach, incidents caused by employees, insufficient protection of the data and network infrastructure, or inadequate security processes and protocols can each make an institution uninsurable.
The need for cyber insurance in higher education is expected to grow, and as threats and breaches increase, so will the cost of coverage. Mayer, of the University of Wisconsin, stresses, “There are reports of as much as a 300-percent increase both in premiums and deductibles, coupled with sub-limits on certain types of events (such as ransomware) and even co-insurance requirements. The result is many organizations and higher education institutions are finding cyber liability insurance unaffordable.”
Some institutions and state systems are considering self-insurance: the institution sets aside funding to pay for potential cyber incidents itself. The downside is exposure to a single large catastrophic breach, or several smaller ones, that could cost millions of dollars the institution may be unable to pay. Self-insurance avoids premiums and the search for a provider, but it can put an institution in serious legal and financial jeopardy.
According to the research company Cybersecurity Ventures, ransomware costs are expected to reach $265 billion in 2031, with a new attack “every 2 seconds as ransomware perpetrators progressively refine their malware payloads and related extortion activities.” In addition, more than 80 percent of data breaches in 2020 were financially motivated, according to Verizon’s 2020 Data Breach Investigations Report.
While some institutions may feel attackers are more likely to target businesses for financial gain, higher education offers a proverbial treasure trove of student data, research material and other information. Inside Higher Ed has reported that phishing emails, stolen credentials and ransomware demands have risen dramatically over the past several years. Brett Callow, a cyber-threat analyst at Emsisoft, says, "Criminal organizations operate like regular businesses in that they will keep on doing whatever they've found to work. The education sector has proved to be particularly profitable, so they will keep targeting them over and over again."
In an FBI “flash alert” from March 16, the Cyber Division discourages paying cyber ransom because “payment does not guarantee files will be recovered. It may also embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or fund illicit activities.” Cyber insurance for ransomware, typically called “cyber-extortion coverage,” can reimburse institutions for losses attributed to ransomware attacks and breaches. To limit ransomware loss in the first place, institutions need to secure their infrastructure with appropriate encryption, strong data backups, and critical controls such as multifactor authentication and a zero-trust model. Because ransomware operators routinely seek out and encrypt or delete backups before detonating, backups only count if at least one copy is offline or immutable and restores are tested regularly.
Where does this leave higher education in obtaining cyber insurance? First, institutions need to ensure their cybersecurity is mature. Katherine Mayer encourages higher education to embrace “defense-in-depth” as the best strategy to mitigate the impact of a breach or avoid one altogether.
“Institutions should focus on basic hygiene practices, such as some form of continuous monitoring, implementing the principle of least privilege, multifactor authentication which includes the student population, conducting periodic penetration testing, limiting remote access points wherever possible, and creating a culture of security awareness and training for the entire university population,” she says.
Following a prescription for strong cybersecurity protections may be the best pathway to obtaining cyber insurance, and it makes the institution safer in its own right. It is a strategic and continual process. If you follow best practices in keeping your data safe and secure, augmented with some form of cyber insurance, you likely will “be in (your own) good hands.”