The Changing Face of Cyber Insurance in K–12
If you're relying on an insurance policy to rescue you in the event of ransomware or a data breach, it's time to rethink your cybersecurity strategy.
- By Dian Schaffhauser
- 10/12/21
Cybersecurity insurance has become as complicated in K–12 as fire insurance in rural California. You need it. Insurance carriers are casting a jaundiced eye on how well prepared you are. And you may find yourself receiving notification that you're going to be dropped if the numbers don't pencil out or if you don't prepare the way insurers expect you to.
But unlike wildfire, which can quickly grow beyond human control, cybersecurity is something schools can get better at if they just give it the attention it deserves.
According to K12 SIX, 2020 "saw a record-breaking number of publicly disclosed school cyber incidents ... resulting in school closures, millions of dollars of stolen taxpayer dollars and student data breaches directly linked to identity theft and credit fraud." This year, the share of attacks on schools has already grown an estimated 17%.
While in the past many districts may have believed they were protected from feeling the financial impacts of a cyber hit because they had cyber insurance to cover the risks, "that model is no longer viable either for organizations or for insurance providers, given the vast increase in cybersecurity attacks," according to Amy McLaughlin, a subject matter expert in cybersecurity at the Consortium for School Networking (CoSN).
Recently, McLaughlin hosted a webinar for CoSN members featuring a panel of district leaders, to look at how cybersecurity insurance is evolving in an increasingly risky environment.
'Everything Changed'
This year, when it came to filling out cyber insurance paperwork, education has seen "everything change," said Rod Russeau, director of technology and information services at Community High School District 99, in Downers Grove, IL. From a page of questions that were "relatively basic and pretty easy to answer" in years past, this year's questions took up multiple pages, Russeau said. And there was a lot of "back-and-forth with the insurance providers to clarify certain answers."
The big areas of focus were multifactor authentication (MFA), policies and procedures, backup processes, user awareness and training, and endpoint detection and response (EDR) systems.
Tony Harvey, chief information officer for Indiana's Muncie Community Schools, had to reckon with a lot of "not typical" questions, such as whether data at rest and data in motion were encrypted. "I wonder how many schools encrypt data at rest and in motion or even know about it," he said. "Those were the kinds of questions asked that were not part of the last questionnaire."
All of those topics came into play at High Desert Education Service District, which provides services to districts in central Oregon, according to CIO Rachel Wente-Chaney. "Multifactor authentication, encryption and backups, things like that we've been working on collectively and individually for quite a while now, continuing to get better," she said. But one area where there's some "catch-up" is EDR — "not only [being able to] detect quickly but respond quickly with the software and security tools."
Filling Out the Insurer Questionnaire Is Complicated
Harvey found answering certain questions on the insurance form a challenge. For example, he was asked about the use of MFA at his school system. In his district, he has run into a problem forcing users (the "weakest link in the ecosystem") to use their personal cellphones to authenticate themselves.
"If you say no [to the insurers], you have to explain why. So, you are stuck between answering it the way you think it should be and the way that you feel you should not."
Another area of nuance that confounded Harvey's completion of the questionnaire: whether the district has an "up-to-date active firewall."
"What is up to date? What is active? It's all relative. So it could be, yes, I am downloading all the patches. Or it could be, is my firewall able to do threat analysis? Am I able to look at logs and determine whether they are threat actors? Do they mean to passively look at your data and then let it pass through? Do they mean a firewall that can check for DDoS attacks?" he recalled. "Those are questions that went beyond, and I'm wondering what will be expected the next time we do this process."
Russeau, who referred to himself as a "perfectionist," said he has come to rely on the "reasonable person test."
One question asked about the incident response plan. "Yes, we have an incident response plan, but this part needs to be tweaked a little bit or that part isn't as good as it can be," he explained.
Another question covered email security filtering. "Well, that's like two or three or four different things, so I kind of answered that, yes, with a footnote — we have these specific things in place," he said. "There are so many questions that I struggled with a little bit in terms of that. I had to put on my reasonable person hat and really answer them in that way."
Also, this year, the insurance provider came across as more attuned to the latest vulnerabilities. For Russeau, that meant getting a separate addendum regarding the district's use of Microsoft Exchange, "because of some of the very critical Exchange problems that have occurred in the past year." Fortunately, he added, "we're not using Exchange anymore. But if we had, there was literally a page of questions where they drilled down into pretty good detail about that."
Cybersecurity Resources
At the end of October, CoSN will be hosting a three-day virtual workshop on creating cybersecurity and incident response plans.
CoSN just began its latest course on advanced persistent prevention for K–12. This program runs for seven weeks and covers three areas: network security, risks and controls, and vulnerabilities and mitigation.
Also, CoSN is offering a recorded version of the cybersecurity insurance webinar. Additional cybersecurity resources are available on the CoSN website.
MS-ISAC offers free membership to any public K–12 school or district. Not only will the organization help you prepare for an incident; its advisors will also come to the rescue when you've had one.
K12 SIX is a membership organization of K–12 information security professionals. While there is a fee to join, based on the size of the district, the organization also issues publicly available resources, including its most recent: a series of cybersecurity guidance and best practice resources.
MFA Has Become a Big Deal
High Desert Education Service District began using MFA in 2017 with administrators, the business office, HR and the technical staff. Wente-Chaney said she has heard a lot of concern among her peers around the state for mandating MFA because of the requirement that people use their personal devices to receive their temporary login codes. But for her organization, there has been no real obstacle.
"Out of almost 1,000 people, we had two who didn't want to use their phones. So, we purchased a hardware key for them. We had a simple solution," she said.
Russeau's district, which has been requiring MFA for VPN access and for tech staff work, also saw very little pushback. "A lot of it goes to that organizational leadership part of it and involving them in the process and the message. We've been communicating over and over again about security and encouraging people to use MFA in their own lives, even before we required it here."
The solution for Muncie was to use a "soft rollout." "We are trying to get people to understand that this small step has the potential to protect the entire district's network, to protect who has access to data, and if we all don't buy in, one person's mistake would cost us a lot of downtime," said Harvey. "There are a few holdouts, as expected. We are hoping that with time, they will buy into this practice."
Using the Demands of Cyber Insurance as a Launch Pad
While insurance companies have made obtaining cyber insurance a more onerous job, they have also helped elevate cybersecurity to the leadership level, and that has brought added resources to the work of security.
"Prior to this, I thought security was just a technical thing. It's so much an organizational, administrative and human thing," observed Russeau. Like a lot of districts, his doesn't have a full-time cybersecurity staff. "There are a few of us who share that role, but we all have a bunch of other things to do too," he noted.
To fill in the gaps in the past few years, the school system has been working with a "V-CISO," an "expert from the outside who spends time with the IT organization on a regular basis." And much of the time those meetings drill down not into the nuts and bolts of security but into the policies, procedures, expectations, risk management and planning.
"Are we where we need to be? No way," Russeau emphasized. "Were we able to pretty easily go through the insurance list and answer a lot of the questions from knowledge and from what we have done? We were able to. It goes back to those fundamentals and just starting to work on that at an organizational level. By virtue of doing that, you'll end up in a better position."
Final Advice on Cybersecurity Insurance
The participants each offered advice for getting through the insurance cycle:
- Learn the language of risk management. That will enable you to work alongside your CFO and other district leaders in communicating at the board level. "Once the board understands that there is risk involved and that that risk involves money in most of these cases, they will be able to help direct the superintendent to allocate resources," said Wente-Chaney. A place to start is with the various cybersecurity self-assessments made available by the Center for Internet Security (CIS) as well as an education-specific one from CoSN.
- Read your insurance policy. Know what the coverage is and how to contact people when something comes up. "Your policy may not allow you to use firms for incident response assistance other than the ones they provide," Russeau explained. "Otherwise, when that time comes, you might be caught not getting the reimbursement that you thought."
- Use the insurance assessment as a learning tool. Requirements wouldn't be included if they weren't useful. "They cover a lot of ground," noted Harvey. "You need to practice using those assessment questions." Doing so not only prepares you for answering questions, he suggested, but it will help you be ready for whatever cybersecurity issues come along.
McLaughlin provided the final word. She encouraged districts to leverage the assessment to move the organization forward. "Use these kinds of things as messaging to get the funding you need to do the work that has to be done," she advised. But don't assume that it's one-and-done, she added. "Security is always a continuous improvement process. We're never done."