Security

When Combating Ransomware, What Are Schools’ Cyber Insurance Options?

K–12 organizations can incur an array of costs after a ransomware attack. One way to mitigate them is through cyber insurance, but is that the only answer for your district?

Joe Kuehne

Joe Kuehne is a Senior Editor at BizTech magazine.

Rebecca Torchia

Twitter

Rebecca Torchia is a web editor for EdTech: Focus on K–12. Previously, she has produced podcasts and written for several publications in Maryland, Washington, D.C., and her hometown of Pittsburgh.

In recent years, the frequency and sophistication of ransomware attacks have continued to escalate. In many cases, those attacks have piled up significant costs for their victims, and not just from ransom payments. Extended downtime after an attack, expensive recovery efforts and reputational damage all impact K–12 districts after a breach.

“The actual cost of a ransomware attack extends far beyond the ransom payment — it can add up to be 7 times the ransom demand,” notes NetApp in a blog post. “As far as overall costs go, experts estimate that the ransom payment adds up to only about 15 percent of the total cost of the ransomware attack,” the post continues.

“And the real stinger in all of it is that only one in seven organizations who pay a ransom actually get their data back.”

Click the banner below to learn how to increase your ransomware recovery capability.

Cyber Insurance Companies Tighten Their Payout Policies

While cyber insurance is only one part of a comprehensive cybersecurity strategy, K–12 IT professionals are finding it harder to retain this component.

“The cyber insurance market has been on a roller coaster, with skyrocketing premiums, changes in coverage, and a demand for policies that outweighs available supply,” notes Heidi Shey, principal analyst at Forrester, in a company blog post.

“After years of affordable and readily available policies, the ubiquity of cyber insurance combined with the rise in cyberattacks has changed the power dynamic in favor of the insurers.”

Jason Cray, technical owner of the data protection and information management practice at CDW, has picked up on similar shifts in the cyber insurance market.

Cray and Tony Roberts, senior solutions engineer at CDW, both have noticed new limitations on cyber insurance policies during their work with CDW customers. “The insurance premiums are just going through the roof, if you can even get them,” Roberts says. Plus, “insurance companies now are defining in their contracts that they’re not going to cover an attack if it comes from a specific nation-state.”

DIVE DEEPER: Learn about the internal and external partnerships schools need for cybersecurity.

Cray notes that paperwork from insurance companies is becoming more arduous. Insurance applications used to include 20 to 30 questions, Cray says, but those forms routinely include over 400 questions worded in confusing ways that make them nearly impossible for applicants to answer.

“Now, our main application is five pages long, and then, when you go back to the supplemental, it’s five more pages,” Kristen Landis, technology director at North Penn School District in Pennsylvania, said at ISTELive 23. “There’s a lot of detailed information they’re asking about.”

Regarding questions about an organization’s immutable storage, Cray says applicants might wonder, “’Do I answer yes? My answer is yes.’ And then the insurer comes in and says, ‘Well, no, you didn’t have it across your entire environment, so we’re not going to pay.’”

Of course, if applicants answer no to the question, their rates will certainly go up — if the insurance company doesn’t completely refuse to insure them. “And that’s the reality of what clients are facing today.” “It’s getting super difficult to get it, to maintain it and then to adhere to it,” Roberts says of cyber insurance.

Even when trying diligently to comply with the terms of a policy, organizations run the risk of an insurance company picking apart a policy and ultimately saying, “‘Well, you weren’t doing this one thing, so we’re not going to pay out.’ And I think schools have to take a look at that from a risk perspective.”

KEEP READING: How can schools improve cybersecurity protection on a tight budget?

Warranties and Self-Insurance Give Schools More Security

Cyber insurance has become a growing trend in K–12 IT circles. And while it can help defray the costs of a ransomware attack, it can also be a beacon to cybercriminals, indicating a willingness to pay a ransom if necessary.

Although many schools don’t have the budget to self-insure, there are still ways to reduce the cost of cyber insurance premiums. “I wish there was more money being spent on preventing an incident and figuring out how to respond to it,” said Doug Levin, director of the K12 Information Security eXchange, at ISTELive 23.

“Insurance is important, but it's overplayed. School leaders view the insurance as the solution to the problem as opposed to being the backstop.”

Roberts notes that some third-party security providers, such as Rubrik, offer warranties that insurance companies recognize as extra assurance of an organization’s data protection strategy.

“The key to it is that you have to qualify for their ransomware warranty,” Cray says. “When you sign up for their premium support, that means they have somebody who’s actively monitoring your environment to make certain you’re following all of the best practices, even when they are updated.”

The warranty gives an insurance company greater confidence, and it may be willing to offer a cyber insurance policy at a lower rate. If schools can self-insure, they may want to consider it as a way to protect themselves in the event of a ransomware attack.

“Self-insurance basically becomes a line item in the budget,” Cray says. “They budget and say, ‘We already pay X amount on premiums to an insurance company to have insurance.

Instead of doing that, we’re going to take that money, budget it and essentially put it into a savings account that is overseen by a third party.’”

travelism/Getty Images