Schools go to great lengths to make their students, staff and assets secure. Elaborate camera systems, deep and thorough background checks, off-duty police serving as 'campus resource' aids, anti-bullying programs, etc. But what about cyber security and your school. Are you prepared?
Every school has an exposure to cyber liability. The only differentiating factors are the severity and where an organization falls from a risk profile.
Schools have a large amount of personally identifiable information, financial information and credit card information that can be easily identified as targets for cyber-attacks. These attacks are evident from recent well-documented breaches occurring at Anthem, Ohio State University, Seattle Public Schools’ and Yahoo.
Schools are especially vulnerable because they are working with tight budgets and they have a large amount of sensitive information in their care, custody and control which may include:
- Student Information which may include health information
- Employee and family member information
- Proprietary testing information and grades
- Credit card information
Don't let your data be held ransom
When considering whether to buy cyber liability coverage, schools focus on breach response costs, but often overlook the less obvious risks, such as ransomware.
According to the Department of Homeland Security, ransomware is the fastest growing malware and is used as a method to infect users' systems and extort an organization. Oftentimes It is transmitted through e-mail phishing, but it can be transmitted by exploiting security vulnerabilities as well.
Ransomware works by encrypting the organization's computer system and denying user access. Paying the extortion does not always guarantee the decryption codes will be provided. In fact, it could lead to more extortion attempts. In addition, the affected organization may experience:
- Corrupted, stolen or damaged files or servers.
- Disrupted operations/loss of revenue - while the computer system is encrypted, the day-to-day business could be effected. It is important to note that Business Interruption coverage on Property Insurance policies is limited to a physical interruption, so a malware infected system may not be a covered cause of loss since it is a non-physical business interruption.
- Harm to Reputational harm as a result of a breach.
In addition to breach response costs, cyber liability policies will indemnify an organization for their cyber extortion expenses as a result of ransomware. This can also include:
- Data restoration expenses to replace, recreate or restore information
- Cyber business interruption expenses as a result of covered interruption
- Legal and computer expert expenses
In addition to ransomware, there has been a substantial increase in social engineering and phishing attacks. In these situations, an outside third party will induce someone at the school to send sensitive information, transfer money, etc.
Be prepared to respond to a cyber attack
In 2017, in this day and age when news reports of cyber exposures seem to surface daily, it's important that any size or type of school should have a detailed plan to address their cyber security risk. To build this plan a school should consult their legal counsel, a cyber security/monitoring company and cyber insurance liability professionals. These professionals will help build policies and procedures to prevent, respond to and insure a cyber incident.
Are you prepared for a breach of your cyber security?
A.J. Upton is a risk management consultant for Oswald Companies. When A.J.'s not helping organizations of all kinds protect themselves against cyber attacks, he can be found mentoring in the OCEAN Accelerator program or serving on the board of the Dan Beard Council of the Boy Scouts of America. AJ can be reached at firstname.lastname@example.org.