Aug 04 2022

What Do K–12 IT Leaders Need to Know About Cyber Liability Insurance for School Districts?

As the cost of premiums skyrockets for schools, insurance companies want to see certain cybersecurity measures in place.

As cyberattacks against K–12 districts become more frequent and more sophisticated, school leaders are paying the price in the form of cyber liability insurance premium hikes. One school district in Illinois reported a 334% premium cost increase, and a Gallagher Report suggests this number isn’t out of the ordinary. The 2022 “Cyber Market Conditions” report indicates school districts may face a 100 to 300 percent increase in the cost of premiums if they don’t have “best in class” security controls in place.

In some instances, insurance companies may refuse to cover districts without adequate cybersecurity measures. This could leave school leaders scrambling to find new cyber liability insurance and make upgrades to encourage companies to provide coverage.

“What you’re seeing is an evolution from an informal to a very formalized structure,” says Paul Kinder, managing director of cybersecurity at Focal Point Data Risk. “Insurance is becoming much more strict and much more granular.”

LEARN MORE: 5 ways K–12 schools can prep for cybersecurity insurance risk assessments.

Here’s what IT leaders should know about cyber liability insurance, keeping premiums low and getting the help they need.

What Is Cyber Liability Insurance, and Why Do Districts Need It?

Cyber liability insurance protects school districts in the event of cyberattacks or data breaches. The insurance covers the costs schools could face in the wake of ransomware attacks and other cybersecurity dilemmas.

In 2021, ransomware attacks cost U.S. schools $3.65 billion in downtime and recovery. That doesn’t include the additional cost to districts that paid multimillion-dollar ransoms.

How Can Schools Keep Cyber Liability Insurance Premiums Low?

Schools can keep cyber liability insurance premiums low by upgrading their cybersecurity measures.

“If you’re going up for renewal and you want to lower your premiums, the cybersecurity insurance providers are looking for the least risky clients in their portfolio,” says Victor Marchetto, senior consulting cybersecurity engineer at CDW. “They’re trying to re-evaluate at each turn the level of risk they hold with different policies. So, the less risky you can appear to these entities, the less you’re going to pay in premiums.”

headshot of victor marchetto
The cybersecurity insurance providers are looking for the least risky clients in their portfolio.”

Victor Marchetto Senior Consulting Cybersecurity Engineer, CDW

As for what types of upgrades cyber liability insurance companies are looking for, it’s more than a matter of having the most expensive software in place.

“They’re looking for things such as identity and access management, and two-factor authentication is very big. They want to make sure that people who have access have the proper authorization,” Kinder says. “Also, they’re looking for endpoint detection and response instead of just having a firewall, and security awareness training that’s done frequently.”

One path to appearing less risky to these companies is to undergo a cyber maturity risk assessment. This assessment can help district IT leaders determine where they need to improve their cybersecurity postures before their risk level is evaluated by insurance companies.

“It would benefit schools to do it as early as possible relative to the point of renewal,” says Kinder. This gives districts the most time to make changes ahead of their scheduled renewal.

Why Should Schools Rely on Outside Help for Cybersecurity Upgrades?

School districts should rely on outside help when it comes to cybersecurity upgrades to ensure they’re identifying any weaknesses in their systems. Outside organizations can provide an in-depth and objective look at a district’s security posture.

Click the banner below to access cybersecurity resources for your K–12 district from CDW.

Larger organizations with dedicated CIOs or security teams can conduct their own cybersecurity assessments, but K–12 districts frequently don’t have the in-house resources to do so.

“Having an external partner is like an additional set of eyes, someone whose business it is to evaluate and assess other entities,” says Kinder. “We bring a breadth of scope and experience from looking at various other enterprises that we can bring to theirs.”

Beyond cyber maturity assessments, these partners can offer a variety of services to help schools ensure their security protocols are up to date and ready to shine when the time comes for cyber liability insurance renewals.

gorodenkoff/Getty Images

Become an Insider

Unlock white papers, personalized recommendations and other premium content for an in-depth look at evolving IT