Colleges and universities have a great deal of valuable and private data in their systems. Personnel, academic, financial and administrative systems hold everything from research data to student medical records. It all adds up to a lot of sensitive information that requires protection.
This is where cyber insurance comes in: an insurance product that shields the school from the financial disaster that comes with data breach lawsuits, liability findings, regulatory failure fines, and huge legal costs associated with a failure to protect that information and keep it private. Read on for some facts and fallacies about cyber insurance.
Fallacy: Cyber Insurance Covers My Costs if Someone Steals a Laptop
Cyber insurance isn’t designed to handle the case of someone losing a laptop or having it stolen. Cyber insurance covers the case in which the laptop loss turns into a data breach — and then the university must pay for fraud monitoring for 3,000 students who had their personal financial information exposed as part of the breach.
Of course, cyber insurance isn’t all the same, and every institution will have a policy customized for its own requirements. The point of cyber insurance is to cover the cases that other types of insurance handle poorly, such as legal costs and fines from a regulatory action that arose out of a cyber incident: a lost device, a system break-in, an email sent to the wrong person, and so on. Cyber insurance policies can cover liability costs, the cost of replacing lost data and even loss of income.
One of the most popular coverages in cyber insurance is for ransomware attacks. This insurance is designed to reduce financial risk related to cyber extortion.
Fact: Buying Cyber Insurance Can Be Complicated
Cyber insurance isn’t like fire or theft insurance — you don’t just pick a dollar amount and send in a check. Because the cyber risk landscape is constantly changing and because cybersecurity is such a complicated area for IT teams, cyber insurance doesn’t come with a one-size-fits-all rate sheet.
To make a fair price, the insurance company needs to be able to estimate the risk: the likelihood of loss and the amount of money at stake. That means the process of buying cyber insurance is going to require a lot of in-depth disclosure from your institution, along with very clear lines delineating what kind of coverage is needed and what is excluded.
Fallacy: If I Have Cyber Insurance, I Can Worry About Security Less
In fact, the exact opposite is true. When you buy cyber insurance, the underwriter becomes very interested in your security profile and the attack surface you present to the world. Insurance companies may perform regular vulnerability scans — permitted as part of the policy — on all your internet-connected systems. If they find something they don’t like, you’ll hear about it, first from an automated system and, if you don’t do anything about it, from a human who wants to know when you’re going to solve the problem that’s been identified.
Your security team will be partially beholden to the standards set by the insurance company as well. What your team may have considered reasonable configurations or optimizations for usability, such as allowing old encryption algorithms, may suddenly show up on the insurance company’s radar as a problem that you must solve, lest you see higher premiums or even lose insurance entirely. Cyber insurance underwriters will also want to look at your incident response plan and may insist on changes, especially in areas such as reporting and timelines.
[Statistic callout; the figure itself is not present on the page] The percentage of education IT decision-makers who falsely believe cybersecurity insurance protects them from ransomware (insurance helps cover the cost of an attack but does not stop the attack itself). Source: Sophos, “The State of Ransomware in Education 2021,” July 2021
There’s a good side to all this too: Cyber insurance underwriters are interested in reducing risk, so you’ll gain a new partner when it comes to implementing these new security controls. Consulting services, training and automated assessments may all be part of the benefits that come with cyber insurance.
When it’s time to measure risk and make decisions about security investments, insurance companies have in-house experts that you can call on to help understand what types of investments have the best cybersecurity cost-benefit ratios.
Fact: CFOs May Buy the Insurance, but the CIO’s Team Are the Experts
Insurance is all about risk transfer: A breach may or may not happen, but if it does, it will be expensive, so you pay an insurance company to take that risk off your shoulders. This is why the CFO is typically responsible for buying insurance of all types. Insurance solves a financial problem and nothing else, so the CFO is the person most interested in reducing that financial risk to the institution.
However, CIOs and their teams are the ones with the expertise and knowledge in this area. The CIO and CISO will be able to read policies and understand the specific terms of art used in a way that the CFO can’t. The security team will be able to understand what is and isn’t excluded and put it into context for the CFO. That’s a critical step, because if the important risks are not covered properly, then the insurance isn’t meeting the goals of the institution or the CFO.