How to determine the financial exposure and limits of cover needed by private schools
With standalone cyber policies now the norm, brokers are under pressure to assess the financial exposure and limits of cover needed by each industry sector in far more depth than in previous years.
Addressing these challenges, we are creating a series of articles that explore a selection of specific business areas in more detail.
Private schools and cyber insurance
Endsleigh Insurance Services commissioned a survey outlining the cybersecurity of UK independent schools.
Stakeholders from across the sector, including Head Teachers, Deputy Head Teachers, Bursars, Governors and other senior management professionals, were questioned, and a worrying 61% of private schools reported experiencing a cyberattack within the last five years. The findings were no different across the pond. According to a SecurityScorecard report, of the 17 U.S. sectors studied recently, the education industry had by far the worst cybersecurity vulnerability and was also reported to be unprepared in budgets, staffing and technical solutions, making schools a clear target for hackers.
It may be that schools are perceived as having weaker IT security and less rigorous cyber standards in place; however, we must also consider the fraud opportunity. Schools, especially those that charge fees, represent an optimum target for fraudsters, who typically focus on organisations where there is a complicated or delayed payment process. In the case of schools it is the latter: parents are often presented with fee invoices at the end of a term, settle their accounts during the holidays, and schools then confirm receipt of payment in the new term. This time delay gives cybercriminals weeks before frauds are discovered, easily long enough for them to disappear with stolen funds.
There is increasing integration of technology in the classroom, including the access students have to virtual collaboration tools. One infected device is all a hacker needs to gain access to the school’s networks and data. Additionally, the ‘learn-from-home environment’ brought on by the Covid-19 outbreak has also exposed security vulnerabilities, with the rush to widespread use of communication and collaboration software exposing further entry points for criminals to gain access to school systems.
With continual moves towards cloud-based computing and third-party services, it is important, from a risk-management perspective, that school leadership teams understand that accountability and responsibility remain with the school and cannot be outsourced to these third-party providers.
What are the most likely forms of attack private schools should protect themselves against?
Attacks on independent schools are frequently motivated by financial gain, and are commonly conducted through:
Committing invoice fraud against the school and the parents
Selling personal data to other criminal groups
Demanding ransom payments in return for unlocking the school’s encrypted files and promising not to release stolen data
According to an AON report, private schools are seeing an increase in phishing, vishing and smishing attacks (which use bogus emails, telephone calls or text messages purporting to be from a trusted entity to trick recipients into sharing confidential or sensitive information). Findings from research undertaken in June 2020 by Crowe, KYND and the University of Portsmouth identify the following as the most commonly observed risks to schools in the UK:
Ransomware risk – 34% of schools had at least one external service exposed, which would place them at a higher risk of a ransomware attack.
Email spoofing – 98.5% of schools analysed are exposed to having their email addresses spoofed and used to send spam, phishing, or otherwise fraudulent emails (either internally or externally).
Vulnerable services – 59.6% of schools were running at least one service with a well-known vulnerability – putting them at high risk of attack from cybercriminals who specifically target services with known vulnerabilities.
Out-of-date services – 13.6% of schools had at least one internet service that was using software which was out of date and no longer supported by its developer, putting them at higher risk of cyberattack and service failure.
Certificate issues – 32.3% of schools had at least one security certificate which had expired, been revoked or distrusted, representing a significant threat to brand reputation.
Domain registration risks – 33% of schools had at least one domain registered to a personal or individual email address, representing a significant threat to the continuity of a school’s operation and domain ownership.
Developing clear and concise incident response plans will help schools to take a proactive stance, enabling them to manage the impact when cyberattacks occur. By utilising cybersecurity solutions which protect students and teachers from ransomware, trojans and other active malware, together with off-network backups and multi-factor authentication, independent schools can better protect themselves against cyberattacks. Adopting written resilience plans at board level will help ensure support for the resources needed to combat cybercrime.
Once incident response plans have been implemented, private schools should set a schedule for conducting regular, thorough risk assessments to keep ahead of cyber threats. CYBER3 allows private schools to easily assess their maturity in the management of cyber risk, identifying critical areas in need of improvement and the cover needed to enable the purchase of a suitable cyber insurance programme.
However, having an assessment is just the start. Insurance policies must suitably compensate for schools' expected losses, and the broker plays a crucial role in assisting clients in choosing a policy with adequate cover sections and limits.
To gauge the adequacy of a cyber policy's limits, a broker will need to help the school review its most likely business losses.
When a private school is hacked, educational disruption is likely. The loss of saved work will have a detrimental effect on a student's education and will cause reputational damage to the school. In turn, this will result in lost business income and liability claims, with additional costs in dealing with the incident itself (forensic, notification, legal and data reinstatement costs). Schools also hold sensitive pupil data, including medical information and the financial details of parents who spend a vast amount of money on fees each term. Although data and financial loss are the more palpable risks, the subsequent reputational damage can have a more catastrophic impact, as private schools depend on their reputation with a network of agents to gain new students.
We know that benchmarking data aids brokers in recommending adequate policy limits; however, with education currently among the industries least likely to take up standalone cyber insurance, this data is more difficult to come by. For a broker to assist a client in setting policy limits, they will need to address the most likely risk and look more closely at the potential loss magnitude.
Cyber risk scenarios need to be addressed to calculate the potential loss magnitude and assist in the implementation of a policy which would suitably compensate for these losses. With the general market showing the most concern towards cyber-related business interruption for the third year running (Cyber Insurance: The Market's View), and cyber extortion/ransom following closely behind, this may well be an indicator of a need for higher limits. The loss of productivity and services are primary examples of the magnitude of loss to private schools, and the occurrence of a cyber incident can result in several areas of cover being impacted. A broker will need to have a good understanding of the aggregation of risks and the costs that may be incurred within each section of the policy (especially as many cyber policies have section limits as well as aggregate limits). To identify the potential loss, risk vendors are commonly used to provide valuable added insight into complex risks and specific industries, as well as to provide information to insurers to enable them to underwrite higher limits more effectively. However, such services often apply intelligence across sectors or provide benchmarking which is too generic and not useful when it comes to assessing cyber risk for specific cover decisions.
Alan Tune, Director and Chartered Insurance Broker at Education Protect Insurance Brokers tells us:
“When choosing limits for Cyber, an education organisation should consider two main parts. Firstly Crime, which is funds that could be diverted by criminals, e.g. diversion of termly fees or emptying the school's bank account. Secondly, the cost of rebuilding its IT network (not the hardware) but the cost of redoing all software and re-constituting the data from various sources - plus IT support. Of the education cyber claims we have dealt with, most are in the £50,000 - £500,000 range. For most schools, a £1,000,000 limit would be adequate, though the biggest schools should look at higher limits.”
Over the years, STORM has responded to many cyber incidents at private schools with the ReSecure team we co-founded with leading law firm RPC. A number of these cases had a fraud element associated with the loss - another component which needs consideration when analysing coverage, as some cyber policies now exclude such losses.
Our recent cases are a mix of Ransomware and Business Email Compromise and provide an indication of typical costs as follows:
Digital investigation incl. forensics: £25k-£75k
Breached mailbox content analysis: £15k-£180k
Legal advice: £25k-£250k
Crisis PR advice: £10k-£30k
Several incidents we have responded to have involved the targeting of both school and parents to commit fee fraud. The attackers phished the credentials of school bursary staff email accounts and then used these to identify and target parents, defrauding them of their children's annual fees. In one case, parents lost £75k for their three children and the school was forced to maintain these places at its own cost. In cases such as this, the cover relating to losses through criminal theft or fraud needs to be considered.
As a result, upper limits for first-party response costs can exceed £0.5m. The business interruption elements are harder to benchmark, but our experience is that they can range from the low tens of thousands up to, on one occasion, a figure that exceeded the initial response costs of £125k.
For many private schools, lost business and fees will be of greatest concern and potentially could cause the most damage to the business. Business interruption is offered in most standalone cyber insurance policies (although often as an optional additional section). Private schools will need to determine their annual, monthly, and daily business interruption exposure. Most business interruption cover for schools is on a gross fees/revenue basis, but careful consideration of potential additional costs should be undertaken.
Another crucial factor is the indemnity period chosen and ensuring that the BI cover in the cyber policy includes all lost income due to reputational damage. It is necessary to establish that cover does not cease when the computer system is repaired/restored to pre-incident functionality as most BI loss is suffered after this (or that there is a 'reputational loss' BI section).
The key issue for brokers is helping their clients to determine which policy best addresses their potential risks. Will the limit be on an aggregate basis or on an any-one-claim basis? In the former case, the risk is failing to have adequate limits: parts of a claim may not be insured, and any subsequent events would not be covered unless the insured has rebought the limit.
However, cover on an any-one-claim basis is often more expensive and so more difficult to sell. Many policies will also contain sub-limits that need to be checked for adequacy.
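The aggregate versus any-one-claim distinction above, worked through as an added example that is not part of the original article. The policy limit, the sub-limits and the two incidents are constructed for illustration (their section costs are drawn from the ranges quoted earlier), and applying each sub-limit per section per claim is a simplification of real policy wording.

```python
# Added example (not from the original article): a small model of how a cyber policy's
# limit basis and sub-limits change what is paid across two incidents in one policy year.
from dataclasses import dataclass, field


@dataclass
class Policy:
    limit: int                       # policy limit in pounds
    basis: str                       # "aggregate" or "any_one_claim"
    sub_limits: dict = field(default_factory=dict)  # section -> cap in pounds (constructed)


def settle(policy: Policy, incidents: list[dict]) -> tuple[list[int], int]:
    """Return the amount paid for each incident and the total left uninsured."""
    if policy.basis not in ("aggregate", "any_one_claim"):
        raise ValueError(f"unknown limit basis: {policy.basis}")
    remaining = policy.limit
    paid, uninsured = [], 0
    for incident in incidents:
        if policy.basis == "any_one_claim":
            remaining = policy.limit  # the full limit is available to every claim
        claim_paid = 0
        for section, cost in incident.items():
            cap = policy.sub_limits.get(section, cost)  # no sub-limit: cap is the cost itself
            payable = min(cost, cap, remaining)          # eroded by earlier sections and claims
            remaining -= payable
            claim_paid += payable
            uninsured += cost - payable
        paid.append(claim_paid)
    return paid, uninsured


# Constructed incidents using the cost ranges quoted above: a ransomware event with
# business interruption, followed by a business email compromise with fee fraud.
INCIDENTS = [
    {"forensics": 75_000, "legal": 250_000, "pr": 30_000, "business_interruption": 125_000},
    {"mailbox_analysis": 180_000, "legal": 50_000, "crime": 75_000},
]
SUB_LIMITS = {"crime": 50_000, "pr": 25_000}  # constructed sub-limits


def compare(limit: int) -> dict:
    """Uninsured total under each limit basis for the same limit and sub-limits."""
    return {
        basis: settle(Policy(limit, basis, SUB_LIMITS), INCIDENTS)[1]
        for basis in ("aggregate", "any_one_claim")
    }


if __name__ == "__main__":
    for limit in (500_000, 1_000_000):
        print(f"limit £{limit:,}: uninsured {compare(limit)}")
```

With a £500k aggregate limit the second incident is almost entirely uninsured because the first one has eroded the limit, whereas the same £500k on an any-one-claim basis, or a £1m aggregate, leaves only the sub-limited amounts unpaid.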
With better use of risk management, insureds are more likely to see cyber incidents result in the best-case, least-loss scenario.