Jul 21 2023

When Combating Ransomware, What Are Higher Ed’s Cyber Insurance Options?

After a ransomware attack, colleges and universities can incur an array of costs. One way to mitigate them is through a cyber insurance policy, but is that the only answer for your institution?

Higher education institutions have long been at a heightened risk for ransomware attacks, with dozens of incidents reportedly impacting more than 1,400 schools just last year, and the tactics used by attackers have only grown more sophisticated over time.

In addition to beefing up network security and implementing safeguards such as managed detection and response, many IT departments have also created robust incident response teams to reduce the amount of data that might be compromised in an attack and limit disruptions to campus networks.

Regardless of those defenses, though, colleges and universities are still at risk, and emerging from a cyberattack can be costly — far beyond whatever ransom an institution might decide to pay. In the aftermath of an attack, extended network downtime is likely, and the recovery efforts and reputational damage caused by an attack can be significant.

According to an October 2022 blog post from NetApp, “The actual cost of a ransomware attack extends far beyond the ransom payment — it can add up to be seven times the ransom demand.” 

“As far as overall costs go, experts estimate that the ransom payment adds up to only about 15 percent of the total cost of the ransomware attack,” the NetApp post continues. “And the real stinger in all of it is that only one in seven organizations who pay a ransom actually get their data back.”

Cyber Insurance Companies Are Tightening Their Payout Policies

According to Heidi Shey, principal analyst at Forrester, “Cyber insurance is only one component of a bigger enterprise cybersecurity risk management program. However, the cyber insurance market has been on a roller coaster, with skyrocketing premiums, changes in coverage and a demand for policies that outweighs available supply. After years of affordable and readily available policies, the ubiquity of cyber insurance combined with the rise in cyberattacks has changed the power dynamic in favor of the insurers.”

Jason Cray, technical owner of the data protection and information management practice at CDW, has picked up on similar shifts in the cyber insurance market. Cray and Tony Roberts, senior solutions engineer at CDW, have both noticed new limitations on cyber insurance policies during their work with CDW customers.

“The insurance premiums are just going through the roof, if you can even get them,” Roberts says. Plus, “insurance companies now are defining in their contracts that they’re not going to cover an attack if it comes from a specific nation-state.”

Cray agrees, citing insurance companies’ use of overly complicated paperwork. Insurance applications used to pose 20 to 30 questions, Cray says, but those forms now routinely include more than 400 questions worded in conflicting or confusing ways that make them nearly impossible for applicants to answer.

Regarding questions about an organization’s immutable storage, Cray says applicants might wonder, “Do I answer yes? My answer is yes. And then the insurer comes in and says, ‘Well, no, you didn’t have it across your entire environment, so we’re not going to pay.’” Of course, if applicants answer no to the question, their rates will certainly go up — if the insurance company doesn’t completely refuse to insure them. “And that’s the reality of what clients are facing today.”

“It’s getting super difficult to get it, to maintain it and then to adhere to it,” Roberts says of cyber insurance. Even when trying diligently to comply with the terms of a policy, organizations run the risk of an insurance company picking apart a policy and ultimately saying, “‘Well, you weren’t doing this one thing, so we’re not going to pay out.’ And I think companies have to take a look at that from a risk perspective.”

Some Institutions Are Considering Self-Insuring Against Ransomware

Cyber insurance has become a growing trend and, in many cases, an operational requirement. While it can help to defray the costs of a ransomware attack, it could also be a beacon to cybercriminals, indicating a willingness to pay the ransom they intend to demand. In some cases, colleges and universities might want to consider self-insuring to protect themselves in the event of a ransomware attack.

“Self-insurance basically becomes a line item in the budget,” Cray explains. “They budget and say, we already pay X amount on premiums to an insurance company to have insurance. Instead of doing that, we’re going to take that money, budget it and essentially put it into a savings account that is overseen by a third party.”

Yet, some institutions don’t have the resources to self-insure. For smaller colleges, there are still ways to reduce the cost of cyber insurance premiums. Roberts notes that some third-party security providers, such as Rubrik, offer warranties that insurance companies recognize as extra assurance of an organization’s data protection strategy.

“The key to it is that you have to qualify for their ransomware warranty,” Cray says. “When you sign up for their premium support, that means they have somebody who’s actively monitoring your environment to make certain you’re following all the best practices, even when they are updated.” The warranty gives an insurance company greater confidence, and it may be willing to offer a cyber insurance policy at a lower rate.
