Ask a School Insurance Underwriting Expert is a quarterly column addressing insurance and risk management related questions for ABACC members.
If you have a question for Kevin Beer, please submit it via email.
Ask a School Insurance Underwriting Expert is a quarterly column addressing insurance and risk management related questions for ABACC members.
If you have a question for Kevin Beer, please submit it via email.
Great question! It’s important to understand your policy coverage as schools are a target for bad cyber actors who may cause operational delays and potentially expose the school’s personal identifiable information or PII.
Not all cyber policies are equal. Many changes have occurred in the marketplace including high rate increases, reduced limits, higher deductibles and narrower coverage terms. Depending on your individual policy and exposure makeup, coverages may differ, but typical coverages you should look for in your cyber insurance policy include:
Since underwriting cyber policies has become more complex, there are additional issues that could affect the availability of coverage including:
This is the security practice of restricting access to systems until a secondary means of confirmation has been approved. Unfortunately, the multifactor authentication tool doesn’t work fully in the education sphere with its diverse users and divergence of their concerns. To illustrate, schools must have open system access to multiple types of users—teachers, administrators, students, alumni, parents and service providers. This range of users and the varied information they need to access, creates a risk to school systems. With a large number of records containing personally identifiable information (including medical records and Social Security numbers), schools have become a target for cybercriminals who see value in stealing this information. Many insurers won’t issue coverage to schools without MFA security tools in place. The only concession seems to be that a few insurers are allowing schools 60 days to implement MFA after the beginning of the policy year.
It’s not uncommon for educational institutions to have antiquated systems and security measures needing upgrades. For this reason, schools of all types are viewed as soft targets by the cyber security community.
Educational institutions that successfully manage cyber risk without security breaches are usually treated more favorably by insurers during quoting and renewal periods in a market that has become increasingly difficult.
The most important risk management tool is annual cyber risk awareness training. This instruction educates users who have access to PII, how to identify and address the various cyber threats including phishing, malware attack and ransomware. According to a recent IBM “Cyber Security Intelligence Index Report,” human error was a contributing factor in 95% of all cyber breaches, making user awareness training a top priority. As expected, the most common interface between systems and users is email which is key to any systems’ defense.
Additional good risk management practices are adding firewalls, updating technologies and replacement of legacy systems, and discarding old email servers.
Checklist items for school cyber risk management include:
About the Author: Kevin Beer is president of Wright Specialty Insurance, an underwriting manager of specialty insurance and risk management solutions for public and private universities, colleges and K-12 schools. Visit their website or call (877) 976-2111.
Association of Business Administrators
of Christian Colleges
4578 Hidden Ridge Drive
Hudsonville, MI 49426
(877) 303-8666
Fulfill your calling, solve challenges, and maximize resources to accomplish the mission of Christian higher education.