The Changing Face of Cyber Insurance in K–12
If you're relying on an insurance policy to rescue you in the event of ransomware or a data breach, it's time to rethink your cybersecurity strategy.
- By Dian Schaffhauser
insurance has become as complicated in K–12 as fire insurance in
rural California. You need it. Insurance carriers are giving a
jaundiced eye to how well prepared you are. And you may find yourself
receiving notification that you're going to be dropped if the numbers
don't pencil out or if you don't prepare the way insurers expect you
But unlike wildfire,
which can quickly grow beyond human control, cybersecurity is
something schools can get better at if they just give it the
attention it deserves.
According to K12
SIX, 2020 "saw a record-breaking number of
publicly disclosed school cyber incidents,... resulting in school
closures, millions of dollars of stolen taxpayer dollars and student
data breaches directly linked to identity theft and credit fraud."
This year, the share of attacks on schools has
already grown an estimated 17%.
While in the past
many districts may have believed they were protected from feeling the
financial impacts of a cyber hit because they had cyber insurance to
cover the risks, "that model is no longer viable either for
organizations or for insurance providers, given the vast increase in
cybersecurity attacks," according to Amy McLaughlin, a subject
matter expert in cybersecurity at the Consortium
for School Networking (CoSN).
hosted a webinar
for CoSN members featuring a panel of district leaders, to look at
how cybersecurity insurance is evolving in an increasingly risky
This year, when it
came to filling out cyber insurance paperwork, education has seen
"everything change," said Rod Russeau, director of
technology and information services at Community
High School District 99, in Downers Grove, IL. From a
page of questions that were "relatively basic and pretty easy to
answer" in years past, this year's questions took up multiple
pages, Russeau said. And there was a lot of "back-and-forth with
the insurance providers to clarify certain answers."
The big areas of
focus were multifactor authentication (MFA), policies and procedures,
backup processes, user awareness and training and endpoint detection
and response (EDR) systems.
Tony Harvey, chief
information officer for Indiana's Muncie
Community Schools, had to reckon with a lot of "not
typical" questions, such as whether data at rest and data in
motion were encrypted. "I wonder how many schools encrypt data
at rest and in motion or even know about it," he said. "Those
were the kinds of questions asked that were not part of the last
All of those topics
came into play at High
Desert Education Service District, which provides
services to districts in central Oregon, according to CIO Rachel
Wente-Chaney. "Multifactor authentication, encryption and
backups, things like that we've been working on collectively and
individually for quite a while now, continuing to get better,"
she said. But one area where there's some "catch-up" is EDR
— "not only [being able to] detect quickly but respond quickly
with the software and security tools."
Filling Out the
Insurer Questionnaire is Complicated
answering certain questions on the insurance form a challenge. For
example, he was asked about the use of MFA at his school system. In
his district, he has run into a problem in forcing users (the
"weakest link in the ecosystem") to use their personal
cellphones as a means to authenticate themselves.
"If you say no
[to the insurers], you have to explain why. So, you are stuck between
answering it the way you think it should be and the way that you feel
you should not."
Another area of
nuance that confounded Harvey's completion of the questionnaire:
whether the district has an "up-to-date active firewall."
"What is up to date? What is active? it's all relative. So it
could be, yes, I am downloading all the patches. Or it could be, is
my firewall able to do threat analysis? Am I able to look at logs and
determine whether they are threat actors? Do they mean to passively
look at your data and then let it pass through? Do they mean a
firewall that can check for DDoS attacks?" he recalled. "Those
are questions that went beyond, and I'm wondering what will be
expected the next time we do this process."
referred to himself as a "perfectionist," said he has come
to rely on the "reasonable person test."
One question asked
about the incident response plan. "Yes, we have an incident
response plan, but this part needs to be tweaked a little bit or that
part isn't as good as it can be," he explained.
At the end of
October, CoSN will be hosting a three-day
virtual workshop on creating cybersecurity and incident response
CoSN just began its
latest course on advanced
persistent prevention for K–12. This program runs
for seven weeks and covers three areas: network security, risks and
controls, and vulnerabilities and mitigation.
Also, CoSN is
offering a recorded
version of the cybersecurity insurance webinar.
Additional cybersecurity resources are available on
the CoSN website.
offers free membership to any public K–12 school or district. Not
only will the organization help you prepare for an incident, they'll
come to the rescue as advisors when you've had one.
SIX is a membership of K–12 information security
professionals. While there is a fee to join, based on the size of the
district, the organization also issues publicly available resources,
including its most recent: a series of cybersecurity guidance and
best practice resources.
covered email security filtering. "Well, that's like two or
three or four different things, so I kind of answered that, yes, with
a footnote — we have these specific things in place," he said.
"There are so many questions that I struggled with a little bit
in terms of that. I had to put on my reasonable person hat and really
answer them in that way."
Also, this year, the
insurance provider came across as more attuned to the latest
vulnerabilities. For Russeau, that meant getting a separate addendum
regarding the district's use of Microsoft Exchange, "because of
some of the very critical Exchange problems that have occurred in the
past year." Fortunately, he added, "we're not using
Exchange anymore. But if we had, there was literally a page of
questions where they drilled down into pretty good detail about
MFA has Become a
Education Service District began using MFA in 2017 with
administrators, the business office, HR and the technical staff.
Wente-Chaney said she has heard a lot of concern among her peers
around the state for mandating MFA because of the requirement that
people use their personal devices to receive their temporary login
codes. But for her organization, there has been no real obstacle.
"Out of almost
1,000 people, we had two who didn't want to use their phones. So, we
purchased a hardware key for them. We had a simple solution,"
which has been requiring MFA for VPN access and for tech staff work,
also saw very little pushback. "A lot of it goes to that
organizational leadership part of it and involving them in the
process and the message. We've been communicating over and over again
about security and encouraging people to use MFA in their own lives,
even before we required it here."
The solution for
Muncie was to use a "soft rollout." "We are trying to
get people to understand that this small step has the potential to
protect the entire district's network, to protect who has access to
data, and if we all don't buy in, one person's mistake would cost us
a lot of downtime," said Harvey. "There are a few holdouts,
as expected. We are hoping that with time, they will buy into this
Using the Demands
of Cyber Insurance as a Launch Pad
companies have made obtaining cyber insurance a more onerous job,
they have also helped elevate cybersecurity to the leadership level,
and that has brought added resources to the work of security.
"Prior to this,
I thought security was just a technical thing. It's so much an
organizational, administrative and human thing," observed
Russeau. Like a lot of districts his doesn't have a full-time
cybersecurity staff. "There are a few of us who share that role,
but we all have a bunch of other things to do to," he noted.
To fill in the gaps
in the past few years, the school system has been working with a
"V-CISO," an "expert from the outside who spends time
with the IT organization on a regular basis." And much of the
time those meetings drill down not into the nuts and bolts of
security but into the policies, procedures, expectations, risk
management and planning.
"Are we where
we need to be? No way," Russeau emphasized. "Were we able
to pretty easily go through the insurance list and answer a lot of
the questions from knowledge and from what we have done? We were able
to. It goes back to those fundamentals and just starting to work on
that at an organizational level. By virtue of doing that, you'll end
up in a better position."
Final Advice on
each offered advice for getting through the insurance cycle:
language of risk management. That will enable you to work
alongside your CFO and other district leaders in communicating at the
board level. "Once the board understands that there is risk
involved and that that risk involves money in most of these cases,
they will be able to help direct the superintendent to allocate
resources," said Wente-Chaney. A place to start is with the
various cybersecurity self-assessments made available by the Center
for Internet Security (CIS) as well as an
education-specific one from CoSN.
insurance policy. Know what the coverage is and how to contact
people when something comes up. "Your policy may not allow you
to use firms for incident response assistance other than the ones
they provide," Russeau explained. "Otherwise, when that
time comes, you might be caught not getting the reimbursement that
Use the insurance
assessment as a learning tool. Requirements wouldn't be included
if they weren't useful. "They cover a lot of ground," noted
Harvey. "You need to practice using those assessment questions."
Doing so not only prepares you for answering questions, he suggested,
but it will help you be ready for whatever cybersecurity issues come
the final word. She encouraged districts to leverage the assessment
to move the organization forward. "Use these kinds of things as
messaging to get the funding you need to do the work that has to be
done," she advised. But don't assume that it's one-and-done, she
added. "Security is always a continuous improvement process.
We're never done."