Rod Russeau, technology and information services director at Illinois’s Community High School District 99, speaks at CoSN2022.

Apr 13 2022

CoSN2022: 5 Ways Schools Can Prepare for Cybersecurity Insurance Risk Assessments

With security threats bombarding K–12 institutions, IT leaders can take these steps to keep districts safe and premiums low.

As devices and online applications become more capable, cybersecurity becomes more important. Because of this, districts also become more expensive to insure.

Amy McLaughlin, cybersecurity expert at the Consortium for School Networking, compared cybersecurity insurance to auto insurance Wednesday in a CoSN2022 session, “Navigating Cybersecurity Insurance Risk Assessments.” She compared 1990s technology to early automobiles and modern technology to the vehicles of today.

“Your insurance today wouldn’t cover this car,” she said, gesturing to the early 20th-century automobile on the screen.

Cybersecurity expert Amy McLaughlin compares cyber insurance to auto insurance at CoSN2022.

With more risk factors in today’s online environment, cyber insurance companies are requiring risk assessments before determining a district’s premiums. Here are five things district leaders and IT departments should do to prepare for cybersecurity insurance and risk assessments.

1. Understand the Cybersecurity Insurance Policy’s Requirements

District leaders should consider what the policy will cover, what the stipulations of the coverage are and what is required of them. This means they must read the insurance policy carefully, and they should do so before an attack occurs and they need to rely on it.

Perhaps the most important thing for K–12 leaders to remember is to answer the insurance company’s risk assessment questions honestly.

“It’s becoming really critical to make sure we answer this assessment correctly and honestly,” McLaughlin said. “If you answer it dishonestly and have an incident, you will still not be insured.”

2. Emphasize the District’s Student Data Protections

Cybersecurity insurance companies are looking very closely at data and how schools are protecting it, said Rod Russeau, technology and information services director at Illinois’s Community High School District 99.

The risk assessment will include questions on how much data the school stores, how the data is protected and how the district is backing up the data. Student data is extremely vulnerable, and many applications now collect and store data, so IT leaders should understand where all the school’s data lives before answering risk assessment questions.

3. Document Simple, Actionable Policies and Plans

District leaders can also expect questions on their policies, including any districtwide privacy and security policies they have in place. The cybersecurity insurance companies want to know how schools are documenting policies for users prior to and in the event of an incident.

The companies also want to know if districts have plans in place and how these are documented. They will ask about business continuity and disaster recovery plans.

“Complexity is the enemy of security,” Russeau said about policies, borrowing the words of Bruce Schneier. “You can find plans like this online that are 250 pages long, but when you’re starting somewhere, it doesn’t have to be complex. Keep it simple.”

It can also be helpful to include information on compliance with laws such as the Family Educational Rights and Privacy Act (FERPA), among others, as risk assessments will frequently ask about compliance.

4. Implement a Layered Approach to Cybersecurity

When implementing cybersecurity measures, districts should consider a layered approach, as this will better protect district networks and, in turn, help keep insurance premiums lower.

Deborah Ketring, CIO of Missouri’s Rockwood School District, said that her district is encouraging staff to use passphrases instead of passwords.

“We went to 16 characters, and they can’t reuse the same password that they’ve used within the past year,” she said.

While it’s keeping the district safer, “it’s been a little bit of a struggle for a lot of them,” she admitted.

Rockwood School District also implemented multifactor authentication with its tech staff through Cisco Duo. This adds another layer of protection to the district’s network.

“That’s something that insurance companies are looking for,” Ketring said. “As you see the questions, you can tell they’re going for that layered approach.”

5. Check Data and System Backups Regularly

Insurance companies will want to see that school districts not only have backups in place but that these backups are tested regularly.

McLaughlin shared a cautionary tale of failing to test a device backup. “I only did this once, and it was a long time ago, but I backed up a machine and then I rebuilt it. But the backup didn’t actually work, and I hadn’t tested it,” she said. “The good thing is I knew how to handle somebody who burst into tears in my office.”

Risk assessments will want to know if schools are backing up business-critical systems and data weekly.

Ketring said schools should focus on a 3-2-1 approach, with three backups, two locations and one air gap.

What Will the Next Cybersecurity Insurance Risk Assessments Ask?

Looking ahead, cybersecurity insurance will require that schools have more protections in place to keep premiums low, speakers said in Wednesday’s session.

District leaders can expect multifactor authentication to become a requirement on all systems that house personally identifiable information in the next two to three years. Some systems don’t offer MFA, and districts should continue putting pressure on these vendors. McLaughlin said she only recently implemented MFA on her district’s timesheet software.

Internet of Things networks are already beginning to come under scrutiny from insurance companies, and more schools will see questions about their IoT networks in the coming years.

Additionally, companies are increasingly asking for documentation over attestation. They want proof of the plans, policies and protections K–12 districts have put in place.

The best way school leaders can be prepared for insurance companies’ risk assessments, now and in the future, is to document and understand their districts’ cybersecurity posture. They can also look to companies that offer cybersecurity services and join organizations like the Student Data Privacy Consortium that discuss K–12-specific cybersecurity measures.

Photography by Rebecca Torchia