According to research analyzing 2019 K-12 cybersecurity, school districts saw a 62% increase in attacks over 2018. Some IT leaders are taking the view that purchasing cyber insurance is a cost-effective and easy way to address the issue. But while investing in cyber insurance is an important part of a comprehensive cybersecurity strategy, it isn’t a substitute for cyber defense. Nor does it cover “good enough” compliance with most student data privacy laws.
Cyber insurance is sometimes called cyber risk insurance or cyber liability insurance coverage (CLIC). Its purpose is to help school districts mitigate risk by offsetting the costs of recovering from a cyberattack.
According to AT&T’s 2017 Global State of Cybersecurity report, over one-quarter (28%) of all organizations surveyed view cyber insurance as a substitute for cyber defense. Rather than as a part of a multilayered cybersecurity infrastructure and strategy.
It’s an unusual way to think of insurance.
For example, most companies carry property insurance, but they still make sure that their buildings are maintained in order to avoid electrical fires or other preventable threats. In any other case, people view insurance as a method for recovering from a disaster that occurred despite their best efforts to avoid it.
While cyber insurance has benefits, there are things that it can’t do for your school district. It’s important to understand what a cyber insurance policy will and will not cover in order to understand the benefits as well as the disadvantages.
Currently, there are no standards for cyber insurance policies, but some common expenses that the policies cover include:
The key disadvantage of cyber insurance is that policies are in their infancy. Purchasing cyber insurance requires in-depth analysis because the lack of standards makes coverage that typically varies by insurer and policy even more dissimilar. A cyber insurance policy may not cover the following situations that are common in K-12 environments.
All a cyber insurance policy will do is cover some of the financial losses after an attack has taken place. Also, a cybersecurity insurance policy can’t help you deal with the disruption an attack leaves in its wake. That disruption has closed schools and caused severe cases of bullying, identity theft, and even physical threats against students.
One of the most important reasons to invest in a cybersecurity defensive strategy is to comply with regulations. Federal and some state laws require that your school district secure a variety of data including social security numbers, W2 information, and health information.
If being compliant isn’t enough motivation, you know that a cyber insurance policy can’t prevent an attack. Implementing a K-12 cybersecurity infrastructure may seem like a daunting task—particularly for smaller districts. But it doesn’t have to be. Chances are, you already have some of the elements in place, such as a next gen firewall and a content filtering tool. If your district uses G Suite and/or Office 365, your next step should be to start looking into cloud security platforms.
No homeowner has ever said, “Oh, I don’t need to fix the dishwasher. If it floods the first floor, my insurance will fix it.” Like most insurance, K-12 leaders need to use cyber insurance to offset losses from events that they have already worked hard to prevent.