In January 2022, 3,000 schools were caught up in a cybersecurity incident. And the number of attacks continues to increase. Because of the increase in cybersecurity attacks against schools, many districts are considering cybersecurity protection in the form of cybersecurity insurance. The losses that school districts face are enormous. According to the U.S. Government Accountability Office,

  • Loss of learning following a cyberattack ranged from 3 days to 3 weeks
  • Recovery time could take anywhere from 2 to 9 months.
  • Monetary losses to school districts ranging from $50,000 to $1 million

But to get cybersecurity protection, your district must meet minimum requirements to be considered insurable at a reasonable rate.

What Does My School District Need to Do to Qualify for Cybersecurity Protection?

Districts must make risk mitigation a part of their strategy in order to qualify for cybersecurity insurance. Cybersecurity protection can be denied to districts who are not making sufficient investment in protecting student data and security.

Cybersecurity Measures Districts Should Have

At the very basic level, every school should have firewalls and antivirus software for basic protection. However, it is advisable to also have encryption to protect content when it is being transmitted, as well as vulnerability scanning and comprehensive patch management.

Continuity Measures Districts Should Take

School districts may need to demonstrate that they have developed a disaster recovery plan and incident response plan. These plans should be in writing and updated regularly. These plans should be accompanied by a written information security policy and privacy policy. But more than having written policies in place, schools must also be conducting regular backups of their data to an offsite location.

Access Management Controls that Districts Should Employ

One of the most important access management controls that school districts should consider is multifactor authentication (MFA). According to Microsoft, implementing MFA could reduce successful phishing attacks by 99.9%. Additionally, districts should hold vendors accountable to meet the same or better security standards as well as contractual liability and indemnification clauses.

Compliance Measures Districts Must Have in Place

Most districts are required to comply with a variety of regulations governing data, including HIPPA, COPPA, and FERPA. In order to qualify for any kind of cybersecurity protection like cybersecurity insurance, the district will likely need to demonstrate compliance with these regulations. Additional compliance requirements regarding payment processing may also be required.

Employee Awareness Training – Ongoing

A final area cybersecurity insurance underwriters may analyze is the kind of training program you have in place for your employees. Because well-trained employees can be the frontline defense against things like phishing emails, having an ongoing, comprehensive training program can make it more likely that the district can obtain coverage at a reasonable cost.

About the author

Robert Iskander is a global business transformation leader passionate about leveraging technology to improve the quality of life for all, with a special focus on K-12 education and was nominated as one of the Top 100 EdTech Influencers in 2017 by EdTech Magazine. Prior to his current role as CEO at GG4L, providers of School Passport designed to help schools better protect student data, Robert had several corporate leadership roles, including General Manager of Sun Microsystems in the Middle East and Global Director of Education at Sun Microsystems (now Oracle).