Each week, more public education sites report phishing attacks, data hacks, and ransomware demands. In 2021, 62 school districts and 26 colleges or universities were hit. On January 4, 2022, 3,000 K-12 schools were caught in an international ransomware attack.
“It’s gotten to the point that it’s not ‘if’ we are attacked, but ‘when’ it will happen,” says Sandra Paul, director of information technology at Township of Union Public Schools in New Jersey. “There are at least four districts in our area that have been hacked in the last few years.”
While everyone is trying to save money, they are also loading more items onto their data network such as security cameras, HVAC systems, and other Internet of Things devices, which create more potential openings for hackers, says Paul. Protecting it all grows proportionally, so investing in cyber insurance is becoming a necessity. And even those districts that can't afford it can benefit from exploring the process.
“Not everyone can buy cyber insurance. There are a lot of requirements before you can get approved, such as multifactor authorization, specific filters, and so on,” she says. “Cyber insurance doesn’t protect you from getting hacked but complying with the insurance company’s requirements can make you a lot safer.”
Paul reports that policies are different. If you have a DNS attack and your data is held for a ransom, your insurance may cover some of the ransom, but it usually just covers what it would cost to remediate your equipment back when you need it. For example, it generally takes 48 to 72 hours to get servers back in service.
“We don’t feel safe, but we’re doing everything we can to protect our network,” says Paul. “We have a $1 million policy, which is standard, and we use outside services to help us monitor our systems looking for holes.”
She shares the list from her insurance company to help districts see what system and process requirements are in play to be approved for cyber insurance.
Cyber Insurance: Questions about Security, Privacy, and Media Controls
Some school leaders are upset to find out that they don’t qualify for cybersecurity insurance. Schools and districts have to make investments in protecting themselves before insurance underwriters will approve a policy.
To start that process, here is a list of some of the typical questions an insurer wants districts to answer:
- Do you have firewalls in place to protect your data and devices?
- Do you have antivirus software in place to protect your data and devices?
- Do you encrypt your data at rest, in transit and/or on mobile devices?
- Do you have an intrusion detection/prevention system in place to protect your data and devices?
- Do you conduct vulnerability scanning and patching?
- Do you require the use of multi-factor authentication?
- Do you back up your electronic data?
- Do you have a business continuity plan, disaster recovery plan, and an incident response plan?
- Do you have a written information security policy and/or privacy policy?
- Do you have vendor risk management protocols in place that address cyber risk controls, contractual liability, indemnification, etc.?
- If you are a covered entity under HIPPA, COPPA, FERPA, the Red Flag Rule or any other similar law, do you have measures in place to comply with your obligations under the applicable laws?
- If you process credit card payments or store credit card payment information, do you comply with Payment Card Industry Data Security Standard (PCI-DSS)?
- Do you have an employee who is trained to address cyber risk issues?
- Do you have a content review process in place to review content/material being disseminated prior to release?
- Do you obtain proper licensing for content/material?
- Do you have procedures in place to remove controversial content/material?
HINT: the answers to most of these questions should be “yes.”