Security

Should Higher Education Be Worried About the Future of Cyber Insurance?

More frequent attacks and rising costs are causing insurers to re-evaluate their offerings. How can colleges and universities respond and remain protected?

Buck Bell

Buck Bell leads CDW’s Global Security Strategy Office, bringing 20-plus years of experience in cybersecurity and risk management to the role.

The equation powering cyber insurance coverage for higher education institutions isn’t adding up the way it used to.

Colleges and universities remain frequent victims of ransomware and other attacks, those attacks are increasingly costly and disruptive, and cyber insurance providers are paying out more money more often in response to these breaches.

In response, cyber insurers have been making the moves one would expect to shore up their bottom lines, primarily by increasing rates and tightening coverage requirements. In some cases, such as in the insurance marketplace Lloyd’s of London, coverage for certain kinds of cyberattacks is even being cut out of policies entirely.

All of this has placed higher education institutions in a precarious position: Premiums have increased by as much as 300 percent for colleges and universities without proper defenses in place, and improving those cyber defenses can be costly in its own right. And that’s not even considering the complications stemming from a lack of available cybersecurity workers.

If the math doesn’t add up for providers or the institutions they’re meant to protect, it’s time to evaluate whether cyber insurance is still a worthwhile expense.

Click the banner below to receive exclusive content about cybersecurity in higher ed.

Is It Time for Universities to Ditch Cyber Insurance Providers?

I don’t believe cyber insurance is going to cease to exist as a tool available to protect colleges and universities. But at a certain point — and that point may have already arrived in some cases — rising premiums and the required investments in security tools are going to force schools to answer whether cyber insurance can or should be a part of their defense and incident response.

Several of our university partners have asked me recently whether they should continue to pay those hefty premiums. Or is now the time to invest inward, taking the money they would have spent on premiums to set aside as a form of self-insurance or putting it toward their own cyberdefenses?

Each case is unique, but to begin, every institution should be able to quantify precisely what is at stake in a cyberattack and how likely such an attack is to occur. There can be major financial and reputational consequences to a data breach. Understanding what those consequences are requires collaboration between a university’s security leadership, such as a CISO; the overall IT leadership, such as the CIO; and the top financial personnel, such as the CFO. This way, leadership from the top down understands where potential vulnerabilities lie, what type of cyberdefense is required to meet standards for coverage or broader governmental requirements (such as Cybersecurity Maturity Model Certification), and how the financial picture looks.

That calculation is part of accepting the risk of a cyberattack, and I like it as the first step in a three-step approach to cyberdefense. Next comes assigning that risk, which has in many cases been via a cyber insurance provider, followed by mitigating that risk through investment and action.

Understanding those three pieces can help colleges and universities place themselves on a continuum balancing the potential reputational and financial impact of a cyberattack with the resources that must be invested to mitigate such an attack. In some cases, taking the money that has been or could be spent on cyber insurance and reinvesting it in your own cyberdefenses is a smarter financial choice, but it’s not wise to make that call unless you know what’s at stake in the first place.

Where Should Universities Invest Their Cybersecurity Resources?

Whether higher education institutions are reinforcing their cybersecurity positions to meet stricter standards for insurance coverage or they are choosing to self-insure or go uninsured, I recommend they steer those investments into the following areas.

Privileged Access Management

It was only 18 or so months ago that cyber insurance providers were mandating stronger identity and access management programs before continuing to underwrite policies. Today, many have taken that requirement a step further and are beginning to request that policyholders share privileged access management plans for maintaining security for the most at-risk users.

Privileged access management means monitoring the activity of users with high-level credentials, including systems administrators, and it means protecting any user with some connection to a high-value project. This could include student researchers and faculty members, and it can involve establishing time-based access limits, full recordings of user behavior, and password rotations or other techniques to obscure true login credentials to even users themselves.

Network Segmentation and SBOM

Universities are complex network environments, which can make them difficult to protect. At large institutions, individual colleges or research projects may have their own networks that need to coexist with the university network at large. Because many institutions partner with outside vendors for a variety of IT purposes, there are third-party risks to data if one of those vendors suffers a security breach.

To protect that data, network segmentation should be a best practice in higher education. If an attacker were to penetrate a university’s network, keeping that intruder siloed as best as possible can limit the damage, and that goes for cloud-based networks as well as on-premises ones.

In addition, creating a software bill of materials can be an excellent first step in defending against and containing any third-party intrusions. An SBOM helps institutions secure the supply chain as they incorporate outside vendors and understand all of the components of those vendor partnerships, including any open-source software that could be especially vulnerable to attack.

EXPLORE: How campuswide cybersecurity training educates and entertains.

Detection and Response on the Road to Zero Trust

My preference would be for higher education institutions — and the rest of the world vulnerable to cyberattacks — to fully embrace a zero-trust model of defense. A strong opening on the road to zero trust is enabling endpoint detection and response.

Monitoring behavior on the network is the best way to stop attackers before they burrow in too deeply. Things like behavioral analytics also can be of assistance in detecting anomalous behavior from a potentially compromised account.

That said, zero trust should still be the target. The Department of Defense’s phased rollout plan requires organizations engaging with the DOD to comply with CMMC 2.0 by Oct. 1, 2025, and there is significant overlap between the requirements for CMMC 2.0 and best practices that would be instituted in a zero-trust model. Aligning these activities will help prevent malinvestment or undue risk exposure to continuity of research funding.

Most important, many of these same security requirements apply to institutions that receive funding from the Department of Health and Human Services and the National Science Foundation. As these often extend to student financial aid, it’s fair to suggest that virtually all higher education institutions will need to consider compliance and the impact of investment on their cyber insurance coverage.

Protecting university networks is complex and costly, but the team at CDW Higher Education has the expertise and experience to guide you through it all, from analyzing your defenses to ensuring you’re eligible for cyber insurance coverage — and beefing up your security team to make that coverage redundant.

This article is part of EdTech: Focus on Higher Education’s UniversITy blog series.