Why you may find your school no longer insurable against cyber threats

Recent research from Microsoft suggests that education providers across the world are increasingly falling victim to malware encounters. In January 2021, over 60% of all reported enterprise malware encounters across all industries involved organisations in the education sector. This isn’t just a blip, though: the education sector has averaged this disproportionate volume of malware encounters for over three months. Previously, the education sector accounted for around 20-25% of all reported malware encounters, proportionally similar to other industries.

We already know some of the reasons why this increase in malware encounters is occurring. Schools have traditionally taught children in the classroom, at school. Distance learning creates a larger attack surface, though, with people at home often having lower security protections than at school. Weaknesses in device and system security and management make it easier for attackers to compromise accounts, spread malware and potentially gain access to sensitive information.

These challenges have been widely reported. The National Cyber Security Centre in the UK, for example, notified all educational organisations in September 2020 of the increasing cyber risks. In December 2020, the FBI and associated authorities published an urgent security notice communicating the risk of cyber threats to distance learning programmes.

This threat is becoming so severe that even schools that have not directly suffered from a malware encounter are starting to be impacted. The increased frequency of cyber attacks on schools has increased the number and severity of risks posed to schools’ information systems. For those schools who are insured, an additional consequence is that there is an increased likelihood of insurers having to cover consequential damages in the event of a successful attack.

To minimise the impact, many insurers are removing their insurance coverage for cyber attacks from school policies, increasing the thresholds that have to be in place in order for the insurer to underwrite the risk, or, when an attack does not happen, interpreting the cover that is provided with a degree of scepticism.

An article published recently by the BBC emphasised this finding from our own intelligence:

... insurers do require that "reasonable precautions" are taken to prevent cyber-attacks from succeeding in the first place, just as cars and houses require security measures in place to deter thieves.


With this in mind it is likely that insured schools who suffer an attack will first be asked about what ‘reasonable precautions’ they had taken to mitigate the loss. 

Given that NCSC and FBI provided suggested actions that schools should undertake to mitigate the increasing threats, a school that doesn’t follow that guidance would be hard pressed to argue they had taken ‘reasonable precautions’ when asking their insurer to underwrite their losses.


What are ‘reasonable precautions’?

In 9ine’s analysis of the cyber vulnerability assessments we’ve completed with independent schools, we found that almost all the identified cyber vulnerabilities can be resolved at either no cost, or very low cost. In the majority of cases, the cost is time that the school’s IT team takes to complete certain engineering tasks.

The majority of identified vulnerabilities in that research related to update management or End of Life (EoL) systems or software. Another 25% of the vulnerabilities pertained to weaknesses within the configuration of systems and services. In effect, this research highlights how schools can decrease risk by identifying and correcting certain common engineering issues, and do so at little or no cost. These precautions are reasonable and are often legal obligations.


For a deeper dive into how to improve information security in your school, you can book a free workshop with one of our experts.



How to complete a cyber vulnerability assessment?

Our cyber vulnerability assessments take one week to complete. That’s from the start of the assessment to you receiving a report and having a call with our cyber security team. The steps we take include:

  • Scanning and intelligence gathering
  • Ethical attack if required
  • Evidence compromise
  • Determine cyber risk
  • Document & report
  • Review
  • Evaluation of proportionate actions and future monitoring


Working with a trusted partner such as 9ine will help you to protect your school, enhance your security protections and improve the capability and capacity of your IT team and senior managers in understanding and managing cyber risk.

Here is what one of our clients had to say about the Assessment:

“9ine's Cyber Vulnerability Assessment Report has been thorough and was an effective way to learn about uncovered network issues that needed to be fixed within the school infrastructure.

Using their remote evaluation ecosystem, 9ine has been able to discover risks both small and large, and has also provided valuable information/advice to point the IT team onsite towards the right direction.

It has been a fresh and eye-opening experience to have a trusted 3rd party come in and save the day before things could rapidly go south.

I would especially recommend those with small-sized IT teams that cannot provide enough surveillance over their IT infrastructure to have a go and see to what volume 9ine can help them out with.”


- Marist Brothers International School, Japan.


To receive more information on our cyber vulnerability assessment, get in touch with us.




Mark Orchison is Founder and Managing Director of 9ine. He is an experienced management consultant with expertise in data protection, cyber security, technology, project and programme management in education. Mark began his career with Sun Microsystems before moving into management consultancy, where he was the technical consultancy lead for overseeing technology systems for new build schools. Since 2009, Mark has led 9ine in becoming the leading independent K-12 technology and compliance consultancy in the UK. Mark now leads a team of twenty multi-disciplinary and specialist consultants in-house, with a client base expanding across Africa, Middle-East, Russia, India, Asia and the Americas.

