School Districts Should Be Aware of These Cyber Insurance Underwriting Requirements
Cybersecurity continues to be an imperative for every industry, but the education sector has been hit particularly hard by attacks. Educators’ and students’ personal information are stored in school districts’ servers, and cyber criminals find this repository of information enticing. For that reason, school districts must consider cyber insurance.
This is all tablestakes. You may be thinking, “I already have cyber insurance. It was easy to obtain, and not expensive to maintain. I’m covered!” However, the cyber market is shifting.
Due to the rise and frequency of high-cost claims, cyber insurance is more expensive than it has been in the past, and is increasingly difficult to obtain. School districts must be aware of the changing goal posts that insurance companies have put in place to determine both your insurability and your new rate at renewal.
Cyber underwriters are looking for…
Implementing a multifactor authentication process (MFA) is low hanging fruit for school districts. These processes require users to authenticate their identity by providing two forms of identity – a username and password, and another form of your choice. MFA is often used to provide users access to an internal server when they are working remotely or checking email.
The second form of identity can be a myriad of things, from a biological form (fingerprints, etc.), to systematic questions or code access through an MFA app. Cyber underwriters look for school districts to have MFA implemented for both email and remote desktop connections to lower their risk.
Many cyberattacks begin in the inbox. Luckily, school districts have a few tools at their disposal to make them a better risk for cyber insurers.
- Email quarantining and screening: District-wide email platforms can be set to display a message that reminds users to be aware of potential spam or breach tactics. The message can read something like “External Email: Click links or open attachments with caution.” In addition, instead of providing employees with access to an open spam folder, you can set up an email quarantine that keeps your servers safe while employees self-filter the messages that are meaningful to them.
- Antivirus or malware software: Your IT team can determine which software is best for your needs, but having a digital protection plan in place will look better to cyber underwriters.
- Regular employee training on cyber safety: It only takes one wrong click to open your district’s servers up to threat actors. While you can put many programs and processes in place to prevent dangerous emails from getting in front of your employees, it’s best to prepare them for the messages that may slip through the cracks. Regular training to self-detect phishing emails and other common cybercrime practices will go a long way in protecting your district – and making you more insurable.
End point detection and protection response tools
Your district’s IT department is aware of current threats and how to detect them. By using end point detection and protection response tools, you are putting the health and safety of your district’s information in the hands of the experts.
Endpoint Detection and Response (EDR) is a software solution that provides continuous monitoring of data from desktops, laptops, and other devices (endpoints). With endpoints numbering in the tens of thousands for some districts (particularly over the past year due to remote learning), automating some of this detection is key to protecting your information.
Robust patching policy
Underwriters are also going to want to see that your IT team has a thorough plan in place to keep security software updated on devices throughout your district. Documenting this process is a good start to making yourself a more attractive risk for insurers.
Documented operational continuity plan
Another thing to document? Your operational continuity plan. If a cybersecurity breach were to occur, what are the steps that you and your district would take to ensure continuity of work. As we know, districts are intertwined with so many aspects of the community. If you were to be attacked in a cyber breach, many people and organizations would be affected. Underwriters will want to take a look at your continuity plan should this type of breach occur.
Encryption of sensitive data and regular backups
Finally, underwriters want to know that you’re taking every step possible to protect your data from the inside. Using encryption methods and implementing regular (daily if possible) backups, with backups stored in a separate location, is best practice for school districts.
Though cyber insurance was once cheap and easy to come by, an increase in severe cyber attacks has made underwriters more skeptical of risk. School districts are a prime target for cyber criminals, and so need to be aware of the strategies they need to put in place in order to maintain cyber insurability at a reasonable cost. The tactics described above are a good place to start for school districts year-round, but also in preparation of renewal season. Reach out to your M3 account executive to discuss your cybersecurity risk management practices and your cyber renewal strategy.