The Changing Face of Cyber Insurance in K–12
If you’re relying on an insurance policy to rescue you in the event of ransomware or a data breach, it’s time to rethink your cybersecurity strategy.
insurance has become as complicated in K–12 as fire insurance in
rural California. You need it. Insurance carriers are giving a
jaundiced eye to how well prepared you are. And you may find yourself
receiving notification that you’re going to be dropped if the numbers
don’t pencil out or if you don’t prepare the way insurers expect you
But unlike wildfire,
which can quickly grow beyond human control, cybersecurity is
something schools can get better at if they just give it the
attention it deserves.
According to K12
SIX, 2020 “saw a record-breaking number of
publicly disclosed school cyber incidents,… resulting in school
closures, millions of dollars of stolen taxpayer dollars and student
data breaches directly linked to identity theft and credit fraud.”
This year, the share of attacks on schools has
already grown an estimated 17%.
While in the past
many districts may have believed they were protected from feeling the
financial impacts of a cyber hit because they had cyber insurance to
cover the risks, “that model is no longer viable either for
organizations or for insurance providers, given the vast increase in
cybersecurity attacks,” according to Amy McLaughlin, a subject
matter expert in cybersecurity at the Consortium
for School Networking (CoSN).
hosted a webinar
for CoSN members featuring a panel of district leaders, to look at
how cybersecurity insurance is evolving in an increasingly risky
This year, when it
came to filling out cyber insurance paperwork, education has seen
“everything change,” said Rod Russeau, director of
technology and information services at Community
High School District 99, in Downers Grove, IL. From a
page of questions that were “relatively basic and pretty easy to
answer” in years past, this year’s questions took up multiple
pages, Russeau said. And there was a lot of “back-and-forth with
the insurance providers to clarify certain answers.”
The big areas of
focus were multifactor authentication (MFA), policies and procedures,
backup processes, user awareness and training and endpoint detection
and response (EDR) systems.
Tony Harvey, chief
information officer for Indiana’s Muncie
Community Schools, had to reckon with a lot of “not
typical” questions, such as whether data at rest and data in
motion were encrypted. “I wonder how many schools encrypt data
at rest and in motion or even know about it,” he said. “Those
were the kinds of questions asked that were not part of the last
At the end of
October, CoSN will be hosting a three-day
virtual workshop on creating cybersecurity and incident response
CoSN just began its
latest course on advanced
persistent prevention for K–12. This program runs
for seven weeks and covers three areas: network security, risks and
controls, and vulnerabilities and mitigation.
Also, CoSN is
offering a recorded
version of the cybersecurity insurance webinar.
Additional cybersecurity resources are available on
the CoSN website.
offers free membership to any public K–12 school or district. Not
only will the organization help you prepare for an incident, they’ll
come to the rescue as advisors when you’ve had one.
SIX is a membership of K–12 information security
professionals. While there is a fee to join, based on the size of the
district, the organization also issues publicly available resources,
including its most recent: a series of cybersecurity guidance and
best practice resources.