Is It Time for Universities to Ditch Cyber Insurance Providers?
I don’t believe cyber insurance is going to cease to exist as a tool available to protect colleges and universities. But at a certain point — and that point may have already arrived in some cases — rising premiums and the required investments in security tools are going to force schools to answer whether cyber insurance can or should be a part of their defense and incident response.
Several of our university partners have asked me recently whether they should continue to pay those hefty premiums. Or is now the time to invest inward, setting aside the money they would have spent on premiums as a form of self-insurance or putting it toward their own cyberdefenses?
Each case is unique, but to begin, every institution should be able to quantify precisely what is at stake in a cyberattack and how likely such an attack is to occur. There can be major financial and reputational consequences to a data breach. Understanding what those consequences are requires collaboration between a university’s security leadership, such as a CISO; the overall IT leadership, such as the CIO; and the top financial personnel, such as the CFO. This way, leadership from the top down understands where potential vulnerabilities lie, what type of cyberdefense is required to meet standards for coverage or broader governmental requirements (such as Cybersecurity Maturity Model Certification), and how the financial picture looks.
That calculation is part of accepting the risk of a cyberattack, and I like it as the first step in a three-step approach to cyberdefense. Next comes assigning that risk, which has in many cases been via a cyber insurance provider, followed by mitigating that risk through investment and action.
Understanding those three pieces can help colleges and universities place themselves on a continuum balancing the potential reputational and financial impact of a cyberattack with the resources that must be invested to mitigate such an attack. In some cases, taking the money that has been or could be spent on cyber insurance and reinvesting it in your own cyberdefenses is a smarter financial choice, but it’s not wise to make that call unless you know what’s at stake in the first place.
Where Should Universities Invest Their Cybersecurity Resources?
Whether higher education institutions are reinforcing their cybersecurity positions to meet stricter standards for insurance coverage or they are choosing to self-insure or go uninsured, I recommend they steer those investments into the following areas.
Privileged Access Management
It was only 18 or so months ago that cyber insurance providers were mandating stronger identity and access management programs before continuing to underwrite policies. Today, many have taken that requirement a step further and are beginning to request that policyholders share privileged access management plans for maintaining security for the most at-risk users.
Privileged access management means monitoring the activity of users with high-level credentials, including systems administrators, and it means protecting any user with some connection to a high-value project. This could include student researchers and faculty members, and it can involve establishing time-based access limits, full recordings of user behavior, and password rotations or other techniques that obscure true login credentials even from the users themselves.
Network Segmentation and SBOM
Universities are complex network environments, which can make them difficult to protect. At large institutions, individual colleges or research projects may have their own networks that need to coexist with the university network at large. Because many institutions partner with outside vendors for a variety of IT purposes, there are third-party risks to data if one of those vendors suffers a security breach.
To protect that data, network segmentation should be a best practice in higher education. If an attacker were to penetrate a university’s network, keeping that intruder siloed as well as possible can limit the damage, and that goes for cloud-based networks as well as on-premises ones.
In addition, creating a software bill of materials can be an excellent first step in defending against and containing any third-party intrusions. An SBOM helps institutions secure the supply chain as they incorporate outside vendors and understand all of the components of those vendor partnerships, including any open-source software that could be especially vulnerable to attack.
Detection and Response on the Road to Zero Trust
My preference would be for higher education institutions — and the rest of the world vulnerable to cyberattacks — to fully embrace a zero-trust model of defense. A strong opening on the road to zero trust is enabling endpoint detection and response.
Monitoring behavior on the network is the best way to stop attackers before they burrow in too deeply. Tools such as behavioral analytics can also help detect anomalous behavior from a potentially compromised account.
That said, zero trust should still be the target. The Department of Defense’s phased rollout plan requires organizations engaging with the DOD to comply with CMMC 2.0 by Oct. 1, 2025, and there is significant overlap between the requirements for CMMC 2.0 and best practices that would be instituted in a zero-trust model. Aligning these activities will help prevent malinvestment or undue risk exposure to continuity of research funding.
Most important, many of these same security requirements apply to institutions that receive funding from the Department of Health and Human Services and the National Science Foundation. As these often extend to student financial aid, it’s fair to suggest that virtually all higher education institutions will need to consider compliance and the impact of investment on their cyber insurance coverage.
Protecting university networks is complex and costly, but the team at CDW Higher Education has the expertise and experience to guide you through it all, from analyzing your defenses to ensuring you’re eligible for cyber insurance coverage — and beefing up your security team to make that coverage redundant.
This article is part of EdTech: Focus on Higher Education’s UniversITy blog series.