When it comes to cybersecurity, an ounce of prevention is worth a pound of cure
According to research analyzing 2019 K-12 cybersecurity, school districts saw a 62% increase in attacks over 2018. Some IT leaders are taking the view that purchasing cyber insurance is a cost-effective and easy way to address the issue. But while investing in cyber insurance is an important part of a comprehensive cybersecurity strategy, it isn’t a substitute for cyber defense. Nor does it cover “good enough” compliance with most student data privacy laws.
What is Cyber Insurance?
Cyber insurance is sometimes called cyber risk insurance or cyber liability insurance coverage (CLIC). Its purpose is to help school districts mitigate risk by offsetting the costs of recovering from a cyberattack.
According to AT&T’s 2017 Global State of Cybersecurity report, over one-quarter (28%) of all organizations surveyed view cyber insurance as a substitute for cyber defense rather than as a part of a multilayered cybersecurity infrastructure and strategy.
It’s an unusual way to think of insurance.
For example, most companies carry property insurance, but they still make sure that their buildings are maintained in order to avoid electrical fires or other preventable threats. In any other case, people view insurance as a method for recovering from a disaster that occurred despite their best efforts to avoid it.
Advantages and Disadvantages of Cyber Insurance
While cyber insurance has benefits, there are things that it can’t do for your school district. It’s important to understand what a cyber insurance policy will and will not cover in order to understand the benefits as well as the disadvantages.
Currently, there are no standards for cyber insurance policies, but some common expenses that the policies cover include:
- Investigation Expenses: The insurance company needs to investigate to discover what happened, how to fix it, and how to prevent the same type of attack in the future. Third-party security firms, law enforcement, and the FBI may participate in the investigation process.
- Monetary Losses: The policy may cover losses caused by negligence, system downtime, and interruption. It may also reimburse for the costs of recovering data and controlling the crisis, which may include repairing damage to your reputation.
- Notification and Credit Monitoring: In most situations, you’ll be responsible for notifying the individuals affected by a data breach. Some jurisdictions have laws requiring this notification. The policy may also cover the costs of credit monitoring for the affected individuals.
- Legal Expenses: The policy may cover legal fees incurred to deal with the release of private information and intellectual property, legal settlements, and fines from regulatory organizations. In some cases, the costs required to recover from extortion attacks such as ransomware may be covered.
The key disadvantage of cyber insurance is that policies are in their infancy. Purchasing cyber insurance requires in-depth analysis because coverage, which already varies by insurer and policy, is made even more dissimilar by the lack of standards. A cyber insurance policy may not cover the following situations that are common in K-12 environments:
- Breaches Caused by Vendors or Third-Party Providers: This is a big issue in K-12. A variety of EdTech vendors could unintentionally allow cybercriminals to gain access to your school’s networks and systems.
- Social Engineering Attacks: Most policies will cover network attacks. But social engineering attacks, such as phishing, and advanced persistent threats (APTs) are becoming more common and can happen without being detected as an attack on the network.
- Data Breaches Caused by Users: Employees, students, and other internal users can cause data breaches either intentionally or unintentionally. In fact, people within the school community caused slightly over half of the data breaches in K-12 schools in 2018.
- Advanced Persistent Threats: An APT can be active for weeks, months, or years. If the policy includes coverage timeframes, it may not cover an APT.
Why You Need a Cybersecurity Defensive Strategy
All a cyber insurance policy will do is cover some of the financial losses after an attack has taken place. Also, a cybersecurity insurance policy can’t help you deal with the disruption an attack leaves in its wake. That disruption has closed schools and caused severe cases of bullying, identity theft, and even physical threats against students.
One of the most important reasons to invest in a cybersecurity defensive strategy is to comply with regulations. Federal and some state laws require that your school district secure a variety of data, including Social Security numbers, W-2 information, and health information.
If being compliant isn’t enough motivation, remember that a cyber insurance policy can’t prevent an attack. Implementing a K-12 cybersecurity infrastructure may seem like a daunting task, particularly for smaller districts. But it doesn’t have to be. Chances are, you already have some of the elements in place, such as a next-gen firewall and a content filtering tool. If your district uses G Suite and/or Office 365, your next step should be to start looking into cloud security platforms.
No homeowner has ever said, “Oh, I don’t need to fix the dishwasher. If it floods the first floor, my insurance will fix it.” As with most insurance, K-12 leaders need to use cyber insurance to offset losses from events that they have already worked hard to prevent.