What Higher Education Institutions Need to Know About Cyber Insurance – EdTech Magazine: Focus on K-12

Colleges and universities have a great deal of valuable and private data in their systems. Personnel, academic, financial and administrative systems hold everything from research data to student medical records. It all adds up to a lot of sensitive information that requires protection.

This is where cyber insurance comes in: an insurance product that shields the school from the financial disaster that comes with data breach lawsuits, liability findings, regulatory failure fines, and huge legal costs associated with a failure to protect that information and keep it private. Read on for some facts and fallacies about cyber insurance.


Cyber insurance isn't designed to handle the case of someone losing a laptop or having it stolen. Cyber insurance covers the case in which the laptop loss turns into a data breach and the university must then pay for fraud monitoring for 3,000 students whose personal financial information was exposed as part of the breach.

Of course, cyber insurance isn't all the same, and every institution will have a policy customized for its own requirements. The point of cyber insurance is to cover the cases that are handled poorly by other types of insurance, such as paying for legal costs and fines related to a regulatory action arising from a cyber incident, whether that incident is a lost device, a system break-in, an email sent to the wrong person, and so on. Cyber insurance policies can cover liability costs, costs to replace lost data, even loss of income.

One of the most popular coverages in cyber insurance is for ransomware attacks. This insurance is designed to reduce financial risk related to cyber extortion.


Cyber insurance isn't like fire or theft insurance: you don't just pick a dollar amount and send in a check. Because the cyber risk landscape is constantly changing and because cybersecurity is such a complicated area for IT teams, cyber insurance doesn't come with a one-size-fits-all rate sheet.

To make a fair price, the insurance company needs to be able to estimate the risk: the likelihood of loss and the amount of money at stake. That means the process of buying cyber insurance is going to require a lot of in-depth disclosure from your institution, along with very clear lines delineating what kind of coverage is needed and what is excluded.


In fact, the exact opposite is true. When you buy cyber insurance, the underwriter becomes very interested in your security profile and the attack surface you present to the world. Insurance companies may perform regular vulnerability scans, permitted as part of the policy, on all your internet-connected systems. If they find something they don't like, you'll hear about it, first from an automated system and, if you don't do anything about it, from a human who wants to know when you're going to solve the problem that's been identified.

Your security team will be partially beholden to the standards set by the insurance company as well. What your team may have considered reasonable configurations or optimizations for usability, such as allowing old encryption algorithms, may suddenly show up on the insurance company's radar as a problem that you must solve, lest you see higher premiums or even lose insurance entirely. Cyber insurance underwriters will also want to look at your incident response plan and may insist on changes, especially in areas such as reporting and timelines.
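The "old encryption algorithms" point above is the kind of finding an underwriter's automated assessment tends to surface, and it is worth checking your own configurations before the insurer does. The following is an added example, not code from the article or from any insurer: a small audit that reads nginx-style `ssl_protocols` and `ssl_ciphers` directives from a config snippet and reports legacy protocol versions and weak cipher families, shown against a constructed weak config and a constructed hardened one. The protocol and cipher thresholds are assumptions chosen for illustration, not any insurer's published rules.

```python
"""Added example (not from the article): flag legacy TLS settings in
nginx-style config text, the way an underwriter's assessment might.
Thresholds below are assumptions, not an insurer's actual criteria."""
import re

# Assumption: anything below TLS 1.2 is treated as legacy.
LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}

# Assumption: cipher-name fragments that mark weak or deprecated families
# (RC4, single/triple DES, export grades, NULL encryption, anonymous DH, MD5).
WEAK_CIPHER_MARKERS = ("RC4", "DES", "EXP", "NULL", "ADH", "MD5")

# Cipher groups that admit far more than a modern server should offer.
OVERLY_BROAD_GROUPS = {"ALL", "COMPLEMENTOFALL", "DEFAULT"}

# Constructed sample: a config an assessment would complain about.
WEAK_CONFIG = """
server {
    listen 443 ssl;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers "RC4-SHA:DES-CBC3-SHA:ECDHE-RSA-AES128-GCM-SHA256";
}
"""

# Constructed sample: the corrected version of the same server block.
HARDENED_CONFIG = """
server {
    listen 443 ssl;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:!aNULL:!MD5";
}
"""


def parse_directives(config_text):
    """Collect ssl_protocols (space-separated) and ssl_ciphers
    (colon-separated OpenSSL cipher string) from nginx-style text."""
    found = {"ssl_protocols": [], "ssl_ciphers": []}
    pattern = r"^\s*(ssl_protocols|ssl_ciphers)\s+(.+?);"
    for match in re.finditer(pattern, config_text, re.M):
        name, value = match.group(1), match.group(2).strip().strip("\"'")
        if name == "ssl_protocols":
            found[name].extend(value.split())
        else:
            found[name].extend(value.split(":"))
    return found


def audit_tls_config(config_text):
    """Return a list of human-readable findings; an empty list means
    nothing in the snippet tripped the (assumed) thresholds."""
    directives = parse_directives(config_text)
    findings = []

    if not directives["ssl_protocols"]:
        findings.append("no ssl_protocols directive found (server default applies)")
    for proto in directives["ssl_protocols"]:
        if proto in LEGACY_PROTOCOLS:
            findings.append(f"legacy protocol enabled: {proto}")

    for cipher in directives["ssl_ciphers"]:
        # A leading '!' or '-' removes a family from the list rather than
        # enabling it, so "!aNULL" or "!MD5" are good, not bad.
        if cipher.startswith(("!", "-")):
            continue
        token = cipher.lstrip("+").upper()
        if token in OVERLY_BROAD_GROUPS:
            findings.append(f"overly broad cipher group allowed: {cipher}")
        elif any(marker in token for marker in WEAK_CIPHER_MARKERS):
            findings.append(f"weak cipher family allowed: {cipher}")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{label} config:")
        for finding in audit_tls_config(cfg) or ["no findings"]:
            print("  -", finding)
```

Running the audit over the weak snippet reports two legacy protocols and two weak cipher families; the hardened snippet produces no findings. The same idea extends to any setting an assessment is likely to score, but the thresholds here are a starting point to adjust against the policy's actual requirements, not a substitute for them.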

The percentage of education IT decision-makers who falsely believe cybersecurity insurance protects them from ransomware (insurance helps cover the cost of an attack but does not stop the attack itself)

Source: Sophos, The State of Ransomware in Education 2021, July 2021

There's a good side to all this too: Cyber insurance underwriters are interested in reducing risk, so you'll gain a new partner when it comes to implementing these new security controls. Consulting services, training and automated assessments may all be part of the benefits that come with cyber insurance.

When it's time to measure risk and make decisions about security investments, insurance companies have in-house experts you can call on to help understand which types of investments have the best cybersecurity cost-benefit ratios.


Insurance is all about risk transfer: A breach may or may not happen, but if it does, it will be expensive, so you'll pay an insurance company to take that risk off your shoulders. This means that it's the CFO who is responsible for buying insurance of all types. Insurance doesn't solve any problem other than a financial one, so the CFO is the person most interested in reducing the risk to the institution.

However, CIOs and their teams are the ones with the expertise and knowledge in this area. The CIO and CISO will be able to read policies and understand the specific terms of art used in a way that the CFO can't. The security team will be able to understand what is and isn't excluded and put it into context for the CFO. That's a critical step, because if the important risks are not covered properly, then the insurance isn't meeting the goals of the institution or the CFO.
