Cyber & the education sector: The cyber exposures facing the industry | Insurance Business UK
For anybody taking a class or course during the lockdown, or with children attending school or college, the move to a virtual education environment has been an education in itself in the principle of ‘needs must’. For many learning institutions, the last six months and the change to remote-learning practices have been a time of both innovation and challenge. One of the main challenges has been the variety of cyber risks associated with using technology to conduct online classes, and the cyber team at Travelers Europe recently caught up with Insurance Business to discuss the topic.
The head of cyber at Travelers Europe, Davis Kessler, noted that cyber risk in the education sector has long been recognised as one of the trickier areas to navigate for a variety of reasons. Firstly, he said, the data involved often includes information pertaining to younger students and people are aware that children’s information is particularly sensitive.
“Generally speaking, schools will have a greater volume of information involved given the number of students, especially when the larger education institutions are considered,” he said. “The information held by these organisations can range from health information to contact details and payment details. So, this has always been a higher risk as it spans lots of key areas.”
Looking at how COVID-19 has affected the space, Kessler highlighted that conducting classes remotely via Zoom or other web- and cloud-based platforms has added extra vulnerability to the mix by creating a larger attack surface for criminals to exploit. Travelers emphasises the need for certain precautions such as using encrypted connections and multi-factor authentication (MFA), he said, but many schools don’t have these structures in place. It’s not as easy for them to implement those security precautions when you consider how many students will be connecting to a remote class on their home networks, which may not be secure.
“Also, some educational institutions haven’t got the same security budget as a private company would have to implement these controls,” said Lisa Farr, cyber underwriter at Travelers Europe. “We find that they can be lacking in security, such as MFA, which is a good security measure for all companies to adopt. And, with regards to students, some of the bad actors can be students who’ve already got access into the school’s systems, so, they’re already a step ahead.”
Kessler noted that, in some of the claims Travelers Europe has dealt with, it has been the students themselves who are deliberately the cause of a breach. This can range from very minor incidents to the shutting down of an entire network. And because education institutions cannot screen their students for this risk, they can only prepare for that potential circumstance.
“You often hear that when it comes to cyber exposures, employees are the ‘weak link’,” he said. “Well, schools will have their share of employees, sure, but then you will also have all of the students on top of that, who in many cases will be just as connected to the network.”
Like much of the rest of the private business world, the education sector is under-insured for cyber risk, he said, and a lot of schools don’t have any dedicated cyber insurance. They could have some cover under other policies but this may not fully respond financially to an incident at the level of a dedicated cyber insurance policy, such as those offered by Travelers Europe, which also includes immediate access to breach response services. However, he believes that this is an area where there is increasing recognition of the exposures faced and of the benefits that a cyber insurance policy can bring.
Brokers are crucial to increasing this awareness, he said, and he has seen an uptick in those who have a portfolio of schools expressing interest in cyber coverage. This is a similar change to what is now occurring across numerous industries in the UK, as dedicated cyber insurance policies are starting from such a low uptake.
“Uptake will only start to increase, looking at the statistics,” said Iveren Yongo, associate cyber underwriter at Travelers Europe. “The Department for Digital, Culture, Media & Sport has a yearly cyber security breaches survey. The survey that focuses specifically on education found that around only half of further and higher education institutions report being insured against cyber risks.
“There is a further drop when you look at primary schools (31%), and then, again for secondary schools (26%). With those figures in mind, [this uptake] is only going to be increasing in light of COVID and as schools and universities look to more virtual options for teaching.”
For Travelers Europe, the focus now is on educating brokers about the risks out there, Farr said, and about the exposures their clients might face from ransomware and other cyber threats. The important thing right now, in the midst of the pandemic, is to keep that communication going with all broker partners and to keep them updated on everything that is happening in the cyber space.