As cyber threats have continued to grow, one segment of the market that has been especially impacted is education, according to guests on the most recent episode of The Insuring Cyber Podcast.
“This is a segment that is squarely a target for these ransomware threat actors, especially as we went through the pandemic,” said Stephanie Snyder-Frenier, vice president and general manager of insurance at cyber risk ratings firm BitSight, in this episode.
This comes as the threat environment has changed over time from being primarily data breach driven to becoming much more focused on ransomware, she said. The ransomware threat actors are targeting what Snyder-Frenier calls “low hanging fruit,” or organizations that don’t have ideal cybersecurity posture.
“Oftentimes, [educational organizations] do not have very large cybersecurity budgets, and when you don’t have a very large cybersecurity budget, that’s when cybersecurity posture can really start to suffer,” she said. “Frankly, the education sector has long been one of the worst performing sectors from a cybersecurity perspective.”
Indeed, BitSight data show that the education sector performs poorly as a whole when it comes to managing cyber risk, with 80% of education organizations falling below a 750 rating on its cyber risk measurement platform. BitSight assesses cybersecurity performance for organizations by assigning something similar to a credit score, which can range from 250 to 900, with a higher score indicating better overall cybersecurity performance.
Presenting further challenges, however, is the rising cost of cyber insurance. In Illinois, one school district – Bloomington School District 87 – recently reported in a memo to its superintendent a 334% hike in cyber insurance costs. It said in the memo that this increase is indicative of the current cyber marketplace and what other districts have faced as well.
Snyder-Frenier said this is because as schools increasingly become targets of cyber crime, it is becoming harder for insurers to underwrite with confidence.
“The challenge is that there’s only so much budget to go around, and when you think about education providers, they want to be able to both invest in cybersecurity, in people and process and technology, and also invest in cyber insurance as a backstop, essentially,” she said. “So the challenge really is how do they spend a limited pool of dollars between investing in cybersecurity and investing in cyber insurance? And unfortunately, some education providers have decided to forego cyber insurance because it’s just simply too expensive.”
Challenges around cybersecurity expand to the higher education space as well. The federal government is aiming to tackle this issue with its Cybersecurity Maturity Model Certification program (CMMC), in which the U.S. Department of Defense is enhancing requirements to protect sensitive data for its prime and sub-contractors.
The CMMC is a training, certification, and third-party assessment program for cybersecurity in the U.S. government Defense Industrial Base (DIB). Its aim is to measure the maturity of an organization’s cybersecurity processes. Although it was originally launched in 2019, the program was revisited and streamlined in November of last year to enhance some of its requirements in the face of growing cyber threats. These requirements apply to all Department of Defense prime and sub-contractors throughout sectors like weapons and communication systems, as well as manufacturers and technology providers. But they also extend to labs and research centers within higher education.
“When you’re doing research on a project, there’s obviously a good chance you’ve got some sensitive intellectual property that you’re dealing with, and that information falling into the wrong hands can have implications,” said John Farley, managing director of Gallagher’s cyber liability practice, earlier in this episode. “You could lose years and years of research, which costs millions of dollars to come up with, and it just gets stolen. And then somebody takes that information and creates a new product and competes, or does something else with it, that really can hurt those that devoted all the time and energy into creating it.”
Farley said the CMMC program raises the bar for higher education because failure to meet these standards could impact a school’s ability to receive critical government funded grants. He also said it will likely change the way underwriters assess risk in higher education in the future.
“A lot of higher education institutions are contracting with the federal government to do a number of different types of research projects, and that could be anything from vaccine research to aerospace programs, and these are really important contracts to these higher education institutions,” he said. “They can really impact the bottom line of these schools. If you don’t meet the standards that CMMC requires, there is a chance that you could lose your government contract, which is a very big deal.”
Another consideration for entities covered under the CMMC is the issue of litigation and reputational risk in the wake of a cyber attack, since attacks will be investigated to ensure an organization’s self-attestation about its cybersecurity posture was accurate.
“If you attested that you have multifactor authentication in place, but it turns out that the hackers got in because you didn’t have it in place, not only can you lose your government contract, but you can also be sued under The False Claims Act,” Farley said. “So there’s also a litigation risk there, and of course, a whole lot of reputational harm that might follow.”
Snyder-Frenier said that in the face of all of these challenges, particularly as cyber insurance premiums continue to climb, cyber insurance needs to increasingly behave as a partnership between the insured and the insurer.
“Frankly, there are a lot of ways that insurance carriers can help educational providers improve their overall security,” she said.
Be sure to check out the rest of this episode to hear what else John and Stephanie had to say, and check back for new episodes of The Insuring Cyber Podcast publishing every other Wednesday along with the Insuring Cyber newsletter. Thanks for listening.