New cyber insurance requirements place high demands on education

August 2, 2022 4 minute read

The education sector currently faces the highest volume of cyberattacks of any sector, with 60% of educational institutions (higher and lower) suffering ransomware attacks in 2021. Cyberattacks are a source of significant cost and can cause major disruption to school operations, which was the case of the recent attacks at UMass and Baltimore County Public Schools. The UMass Lowell attack shut down the campus for nearly a week, and Baltimore County Public Schools spent more than $8.1 million to recover from its security breach – only a portion of which was covered by cyber insurance

K-12 administrators are also facing mounting pressure from the federal government to address cybersecurity gaps in its infrastructure that could place student privacy at risk. Following a recent study of cybersecurity in K-12 schools in which the US Government Accountability Office (GAO) determined that Education should take additional steps to protect K-12 schools from cyberattacks, Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) was tasked to review its K-12 cybersecurity plans. Further, the recently-passed K-12 Cybersecurity Act also tasked CISA to create new K-12 cybersecurity guidelines. While these tasks signal federal recognition of the growing cyber threats in education, neither report has resulted in mandated security standards. 

While the federal government has not yet mandated minimum security requirements, higher and lower education institutions are facing the need to improve security from another source: cybersecurity insurance (or “cyber insurance”). However, many institutions are finding that cyber insurance premiums continue to rise to extremely high costs due to the continued increase in cyberattacks.

Finding cost savings on cyber insurance with MFA

The growing risk of attack is driving up cyber insurance premiums, which have spiked by as much as 300% in targeted industries such as education. The higher premiums don’t mean higher cyber insurance coverage, and in fact, administrators are finding themselves facing lower coverage limits. This is also only if schools can find an insurer who will cover them: four in ten schools say fewer cyber insurance providers are offering them coverage than a year ago.

To combat the risk, most insurance carriers are adopting new minimum standards for security, and 49% of schools report facing an increase in the minimum level of cybersecurity they must put in place in order to qualify for cyber attack insurance. 

One of the most universally-required minimums is multi-factor authentication (MFA).

Higher education and K-12 schools looking to maintain or apply for cyber insurance will now need to implement MFA – and in some cases phishing-resistant MFA depending on the cyber insurance provider – or face being denied coverage. These new requirements, if not met, could expose a school to significant financial risk if targeted by hackers, phishing attacks, or ransomware attacks. 

Unfortunately, educational institutions face significant barriers to MFA adoption, from training challenges to budget pressures. While there is a strong push to expand E-Rate funding for cybersecurity investments, it is important to come up with a plan to rollout MFA in a way that balances security with resource challenges and end-user flexibility, while ensuring there are no gaps in MFA coverage. 

The good news is that for those organizations that are proactively implementing MFA for the upcoming 2022-2023 year, significant cost savings can be found not only in avoiding costly cyber attacks and saving IT time on costly password resets, but also on premiums. “The more your insurer trusts your cybersecurity infrastructure, the more likely you are to pay a lower premium, especially if you’re aligned with all government regulations,” notes J.P. Pressley in a recent EdTech article.

For more on how to build a flexible and resilient MFA program in education, read our latest whitepaper: Graduating from legacy MFA to modern authentication. For more information on cyber insurance premiums and cyber security insurance requirements, check out our recent webinar here.