Whether or not a college or university takes out cyber insurance is a question to be considered as part of a wider security and risk management strategy.
It's foolhardy to consider any aspect of security - including insurance - in isolation because it has implications across organisations, which is why we encourage board-level executives to consider cyber security as a strategic priority.
Not even the most comprehensive cover can beat strategic investment in good security practices, although no combination of either measure provides a cover-all safety net against cyber attacks.
Even if an organisation believes that it is well protected, with all the right technical controls, policies, certifications and training in place, insurance could still be sensible.
Where the balance sits between the expense of premiums versus the cost of a cyber incident will likely be different for each provider.
So, what role does cyber insurance have to play, and should colleges and universities invest in such policies?
Time, money and peace of mind
Depending on attitude to risk, one of the biggest plus points of cyber insurance has got to be peace of mind that practical and financial help will be given to recover from attacks.
Members tell us that one of the biggest costs incurred in the event of cyber attacks is the extra staff time required to deal with the initial fall-out and recover. Some smaller institutions may not have the resource or in-house skills to cope, so could benefit from cyber insurance that covers the use of external personnel.
For example, forensic experts could get to the root of the problem and help prevent an incident from spreading. This is also something our Janet Network computer security incident response team (CSIRT) can assist with as part of Jisc membership.
If an insurance company appoints a third-party incident response or digital forensics company as a result of a successful claim, working closely with the sector-specialist Janet CSIRT team could save time, money and effort.
Insurance could also cover the cost of specialist negotiators in the event of a ransomware attack (though Jisc and the NCSC advise not paying ransoms), or PR support to manage reputational risk.
It can also help with legal fees, damage claims in the event of a data breach, or regulatory actions that need completing after an attack – such as fulfilling recommendations of the Information Commissioner’s Office.
It’s clear, then, that falling victim to cyber criminals can be extremely costly. Although the precise fall-out is difficult to measure, our November 2020 cyber impact report attempts an assessment. For the first time, it brings together research on the impacts to staff resources, students, researchers, budgets and reputation.
The picture across education
Stats from Jisc’s 2020 cyber security posture survey find that the uptake of insurance across the further and higher education sectors is not uniform.
The study shows that 41% of responding higher education institutions (HEIs) and 60% of further education (FE) providers have some form of cyber security cover. There may be some provision as an add-on to business continuity insurance, for example. HEIs are more likely to have specific cyber security insurance (27%) than FE (15%).
Interestingly, cyber insurance take-up in the education sector is greater than for other sectors, with only 11% of businesses and 6% of charities reporting in the 2019 DCMS cyber security breaches survey that they had a specific cyber security insurance policy.
Education and research sectors are no more a target for cyber criminals than other sectors, but perhaps, as public sector organisations, colleges and universities are more cautious about the possible financial implications of a cyber attack. With the extra pressure on budgets brought to bear by the pandemic, that caution may be heightened.
What cover to choose?
When exploring which cover to choose, it’s important to have accurate knowledge of baseline capability, resource and skills.
Brokers will want to understand the level of protection in place and many will offer favourable rates to universities and colleges that can demonstrate certain defensive measures, such as earning Cyber Essentials certification. Be warned though – policies may not pay out if the insured fails to meet agreed protection standards.
When considering cyber insurance for the first time, there will be a number of people in the organisation to check with: technical experts, anyone responsible for security and business continuity, and those responsible for contracts.
Collectively, this team will need to decide what is covered and what is not. Which business-critical systems must have protection, and which are less important?
Remember the threat landscape is constantly evolving so any policy will need regular review to reflect that, and to take into account changes to the organisation. If the defence capability increases, or the expertise and resource in the security and IT teams develops, could the cover be reduced? That’s an incentive to keep improving security posture.
The NCSC’s guide to cyber insurance provides comprehensive advice, a checklist and also a warning: “Do not limit yourself to meeting the minimum cyber security requirements specified by an insurer; these might not adequately protect the things your organisation cares about.”
That’s a sentiment we wholly support.
Colleges, universities or research centres that suffer a cyber attack are urged to contact Janet CSIRT, even if assistance is not required; intelligence about current attacks may help other organisations.
Jisc’s annual Networkshop conference (27-29 April 2021) has more information about the technology and infrastructure to help future-proof your college, university or research centre.