New cyber insurance requirements place high demands on education

The education sector currently faces the highest volume of cyberattacks of any sector, with 60% of educational institutions (higher and lower) suffering ransomware attacks in 2021. Cyberattacks are a source of significant cost and can cause major disruption to school operations, as was the case in the recent attacks at UMass and Baltimore County Public Schools. The UMass Lowell attack shut down the campus for nearly a week, and Baltimore County Public Schools spent more than $8.1 million to recover from its security breach – only a portion of which was covered by cyber insurance.

K-12 administrators are also facing mounting pressure from the federal government to address cybersecurity gaps in their infrastructure that could place student privacy at risk. Following a recent study of cybersecurity in K-12 schools in which the US Government Accountability Office (GAO) determined that Education should take additional steps to protect K-12 schools from cyberattacks, Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) was tasked with reviewing its K-12 cybersecurity plans. Further, the recently passed K-12 Cybersecurity Act also tasked CISA with creating new K-12 cybersecurity guidelines. While these tasks signal federal recognition of the growing cyber threats in education, neither report has resulted in mandated security standards.

While the federal government has not yet mandated minimum security requirements, higher and lower education institutions are facing the need to improve security from another source: cybersecurity insurance (or “cyber insurance”). However, many institutions are finding that cyber insurance premiums keep rising to extremely high levels because of the continued increase in cyberattacks.

Finding cost savings on cyber insurance with MFA

The growing risk of attack is driving up cyber insurance premiums, which have spiked by as much as 300% in targeted industries such as education. The higher premiums don’t mean higher cyber insurance coverage, and in fact, administrators are finding themselves facing lower coverage limits. And that applies only if schools can find an insurer who will cover them: four in ten schools say fewer cyber insurance providers are offering them coverage than a year ago.

To combat the risk, most insurance carriers are adopting new minimum standards for security, and 49% of schools report facing an increase in the minimum level of cybersecurity they must put in place in order to qualify for cyber attack insurance. 

One of the most universally required minimums is multi-factor authentication (MFA).

Higher education and K-12 schools looking to maintain or apply for cyber insurance will now need to implement MFA – and in some cases phishing-resistant MFA depending on the cyber insurance provider – or face being denied coverage. These new requirements, if not met, could expose a school to significant financial risk if targeted by hackers, phishing attacks, or ransomware attacks. 

Unfortunately, educational institutions face significant barriers to MFA adoption, from training challenges to budget pressures. While there is a strong push to expand E-Rate funding for cybersecurity investments, it is important to come up with a plan to roll out MFA in a way that balances security with resource challenges and end-user flexibility, while ensuring there are no gaps in MFA coverage.

The good news is that for those organizations that are proactively implementing MFA for the upcoming 2022-2023 year, significant cost savings can be found not only in avoiding costly cyber attacks and saving IT time on costly password resets, but also on premiums. “The more your insurer trusts your cybersecurity infrastructure, the more likely you are to pay a lower premium, especially if you’re aligned with all government regulations,” notes J.P. Pressley in a recent EdTech article.

For more on how to build a flexible and resilient MFA program in education, read our latest whitepaper: Graduating from legacy MFA to modern authentication. For more information on cyber insurance premiums and cyber security insurance requirements, check out our recent webinar here.
