Schools and Underwriters Do Their Cyber Security Homework

Since Remote Classes, $1 Million Ransomware Claims Have Become the Norm

The overall number of cyberattacks fell by more than half in 2021 for K-12 schools but the number of ransomware attacks is on the rise.

According to a report from the K12 Security Information Exchange, or K12 Six, ransomware attacks increased from 50 in 2020 to 62 in 2021, while the number of cyberattacks in general declined for the first time in three years, from 408 in 2020 to 166 in 2021.

Ransomware attacks are the new norm in cyber risk for schools with ransoms often reaching the million-dollar range, says Jessica Blushi, vice president at Keenan & Associates, an Assured Partners’ organization based in California. Blushi handles the cyber insurance portion of Keenan’s large insurance program for more than 500 school districts.

Ransomware attacks, or cyber breaches where hackers steal a district’s data and refuse to give it back until they have received payments, now make up the largest category of attacks for the first time, according to K12 Six, which began tracking cybersecurity incidents in schools in 2016. Schools have upped their game in cyber risk management over the past year and managed to lower the number of incidents overall. But when a ransom attack does hit, it’s still costly, Blushi said.

“In a good situation, it ends up getting negotiated down but claims over a million dollars are absolutely the norm,” she said. Blushi says that a ransom event might encompass the cost of the ransom itself, plus forensics, legal and IT fees bring the total cost of a claim above $1 million.

Schools and other public entities have been particularly vulnerable to cyberattacks since the start of the COVID-19 pandemic because budget allocations for cyber security were often less robust than other industries and hackers could more easily access their systems.

“Schools became a very big target when schools went to remote education during the pandemic,” Blushi said. While schools were not alone in moving remote during that time, the biggest challenge was their lack of cyber security. “The IT infrastructure on the school side wasn’t prepared for that shift and threat actors found themselves a nice, soft place to land.”

Today, cyber security on campuses has changed since those days, she added. “But even today, our clients who are well protected from a network hardening, cyber protection standpoint, have still seen ransom attacks get through,” Blushi says.

Insurance Market

The growing prevalence of ransomware has changed the landscape of the cyber insurance marketplace dramatically. Insurers have hiked cyber coverage and retentions while lowering limits. Underwriters are now requiring security controls in many scenarios as well.

“What we had was a perfect storm, a knee-jerk reaction, specifically in the public entity and educational sectors because they were hit a little bit more severely than others,” said Kasey Armstrong, senior vice president at AmWins Brokerage, adding that the insurance market saw drastic premium increases for cyber insurance for 2021 July 1 renewals. But Armstrong says right now he’s seeing a more “sensible approach” to market conditions as schools look to renew again on July 1.

“I would say right now we’re coming out the tail end of that storm,” Armstrong says. “Now we have a tampering in market conditions and more accurate inquiries are being made from the carrier side.”

While the cyber market for public entities remains challenging, Armstrong sees more willingness from carriers to “listen.” That wasn’t happening a year ago, he said.

Armstrong cited a public entity client — not a school but a port authority — that wanted to tout its cybersecurity measures to possible markets prior to receiving a renewal quote.

He was able to connect the client and retail broker with several markets where the port authority reviewed its in-house IT and risk management efforts with underwriters.

“They got to say, ‘Hey, we’re doing this, that, and the other.’ And then the underwriters started asking questions. ‘What about this? What do you think about this? What are you doing here?'” Armstrong says that 12 months ago as the cyber market pushed for a strong correction, there was no desire to listen. That’s not the case as he works through July 1 renewals today, he said.

“They’re coming back to the table and saying, ‘OK, we don’t need to have such a hard line. We have a couple key things that we’re looking for and what we want to do now is come back to the table and listen.’ That is the tectonic shift that is occurring in public entity cyber today,” he said.

Blushi agrees but noted that Keenan had to get a bit creative with its program’s cyber component this year.

“This year we found that we needed to get a little less traditional with our cyber replacement and put a significant group retention in place, to provide a little bit of insulation for the carriers, before they attach,” she said.

“When we approached the market this year, we said, ‘Of course we’d love to have coverage directly above member retention, but if that’s not an option, we’d be willing to take on a funded retention for the group and then build coverage above that.’ We’re not finalized yet but we’re pretty close,” she said, adding that the program will likely end up with a funded layer between $1 million to $2 million.

Schools Hacks

When K-12 schools began teaching online they were unprepared for cyber risks they face, Blushi said.

Since 2016, the K-12 Cyber Incident Map published by K12 Six has cataloged a total of 1,331 publicly disclosed school cyber incidents affecting U.S. school districts (and other public educational organizations) across a wide array of incident types. Averaged over the last six years, this equates to a rate of more than one K-12 cyber incident per school day being experienced by the nation’s public schools.

“It’s pretty incredible because if you look at the data, schools are tracking worse than the general average,” Blushi said. That’s not surprising, she says, because schools focus on teaching students, and not technology, she added. But with the rising threats in cyber they have been forced to shift their focus, she said. “We saw a few cyber claims, just before the pandemic, but it was like somebody flipped the switch when schools went remote. The attacks have been pretty aggressive ever since.”

Blushi says many schools have implemented security measures over the past two years to reduce threats. One key security measure has been the implementation of multifactor authentication when school staff are working from any remote environment.

“School districts are being forced not only to pay dramatically higher premiums but also to implement commonsense cybersecurity controls — such as multifactor authentication for employees — for the first time,” according to the State of K12 Cybersecurity report. “Thanks to this market dynamic and heightened awareness … school districts may have done a modestly better job of defending their communities from cybersecurity threats during 2021.”

Education — something schools know about — for staff is also key when it comes to cyber risk management. Schools need to make sure that people are cognizant of what they’re doing when they are clicking on links or visiting websites. “You can have the best risk management from a network security perspective out there,” she said, “but if you have people who are just blindly clicking on links, you’re going to still have threat actors intrude into your network.”

The other key risk management tool that Keenan has found helpful is storing data backups offsite and offline.

“Whether they be in the cloud, or at another physical location, they must be encrypted because if you don’t have those backups protected, they’re not any more useful than anything else once someone has hacked into your network,” Blushi said.

Blushi has seen school districts get attacked and backups were no help because they were not stored properly.

“That’s one area that we’ve been really encouraging our clientele to focus on — ensuring that those backups are offline, offsite, and with separate credentials for access so that the likelihood of the threat actors being able to encrypt those as well is limited.”

Looking Ahead

The market changes are not yet done, Blushi said, especially when it comes to ransomware coverage.

“Our ransom coverage last year, and likely going forward into next year, is sub-limited, pretty dramatically where, in the past we didn’t have a sub-limit for ransom,” she said. On top of that there is also co-insurance on the ransom side, she added. “So, we have both and that’s managed to at least keep a lid on the exposure to the program but it also puts some of that onus back on the district.”

She thinks the market will continue to evolve at least for the near-term.

“I honestly don’t think that the market’s done adjusting. And if folks aren’t actively engaged in risk management, or network security process at this point, they will ultimately not be able to get coverage in the future. Underwriters are no longer willing to just write the coverage, without the protections.”