As more large, well-known companies—such as Anthem health insurance, Home Depot, and Target—fall victim to cyberattacks, school districts have begun to realize they could be next.
Some have taken out a new kind of insurance policy called cyberinsurance. Unlike traditional property insurance or general-liability insurance, these new policies are geared specifically toward protecting data, both digital and print, in the event of a breach.
“It’s becoming something that is hard to ignore, and companies across the spectrum are realizing that, and school districts are starting to realize it as well, because of the large amount of data they hold,” said Andrew Laubmeier, a cyber-risk broker with Aon Risk Solutions’ Financial Services Group, one of many brokerage firms now offering cyberpolicies to school districts.
John Gambale, the head of professional liability, Americas region, for the American International Group, or AIG, said student data are “highly sought after” on the black market, and most schools lack the resources to adequately protect the data. “Thieves look at the potentially antiquated IT systems and see them as very appealing targets,” he said, explaining that AIG offers cyberinsurance to schools as well as technology and training to prevent a breach.
Cyberpolicies typically cover data breaches whether they are accidental, such as an employee losing a laptop or emailing sensitive information to the wrong person, or via a coordinated hacking attack.
Expenses following any of those scenarios could be astronomical, depending on how many current or former employees’ or students’ information was compromised. Laws differ by state on who must be notified, how quickly, and how the notifications must be handled.
Cyberinsurance covers all notification costs, as well as the cost of investigating how the breach occurred, who could be affected, and legal assistance to determine notification requirements. Some policies also cover credit-monitoring services and media relations, in addition to third-party costs in the event of a civil lawsuit or class action.
It’s unclear how many districts have purchased cyberpolicies. Laubmeier said Aon covers several districts but declined to say exactly how many. “We are seeing a very large uptick in the number of school districts that have inquired about the possibility of cyberinsurance,” he said.
Mr. Gambale also declined to say how many school systems AIG covers, but said it’s definitely an area of growth. Schools and institutions of higher education are now listed as a category in his firm’s risk portfolio.
“Two years ago, that segment was not big enough for me to track,” he said, adding that across all industries, his firm’s cyberinsurance portfolio has increased 30 percent in the past year.
‘Easy Target’
Trudy Sowar, the director of risk-management services for the Georgia School Boards Association, which provides pooled-insurance coverage to districts via Marsh Insurance, has offered cyberinsurance for the past three years. So far, 59 of the 95 districts in Georgia have taken the coverage.
“If you really think about it, we are probably some of the most fertile ground [for a cyberattack],” she said, referring to the copious amount of personal data—Social Security numbers, medical records, payroll information—that each school district keeps on file.
Michael A. Alao, a former chief internal-audit executive for the Cincinnati school district, said Sowar is right. In fact, he said, districts provide easy targets for cyberthieves.
“If you are going to scam someone, you go against an easy target,” Alao said, pointing out that not all districts have an auditor or a chief technology officer to maintain tight security controls and firewalls.
Sowar said the cost of the coverage is relatively low, about $1 per student. Since many of the state’s school districts have fewer than 10,000 students, it ends up not being that expensive, she said.
Still, there has been some pushback.
“Sometimes, it’s that the technology officer believes that their firewalls are going to protect them,” she said. “And sometimes, it’s a financial issue because we’ve seen so many cuts to school funds lately.”
Why Districts Buy Cyberinsurance
A growing number of districts around the country have recently bought insurance policies with coverage for data-privacy risks. Among them:
GARDEN CITY, N.Y. | Enrollment: 4,000
The district has a new cyberinsurance policy starting this school year with Lloyd’s of London at a cost of about $11,000 a year.
What the insurance covers: The school’s cyberpolicy is in addition to general-liability and property insurance. It would compensate the district for the expenses incurred by making the required notifications in the event of a data breach. It also includes catastrophic insurance to protect the district in the event of a lawsuit stemming from the breach.
Why it purchased cyberinsurance: The Anthem health-insurance data breach this past February was a real “wake-up call,” said Superintendent Robert Feirsen. The district had already been working on making sure its network was secure, but Feirsen said schools needed added protection.
“We have a tremendous amount of data that we store, and a lot of it is personal, regarding the students and staff, and also financial, plus confidential information as well. It’s a brave new world for everyone. Several years ago, this would not even have been a blip on the radar.” - Robert Feirsen
ANN ARBOR, MICH. | Enrollment: 17,000
The school district has had a cyberinsurance policy from Zurich Insurance Group since February 2014.
What the insurance covers: The supplemental-insurance policy covers the cost of regulatory proceedings related to a data breach, Internet media liability (e.g., invasion of privacy, slander, plagiarism, copyright infringement or negligence related to Internet content), privacy-breach costs, cyberextortion and threats, and reward/payment coverage. The plan costs $25,155 per year, compared with about $800,000 the district pays in other liability-insurance coverage each year.
Why it purchased cyberinsurance: Judy Solowczuk, the district’s executive assistant for finance and operations, said the district’s insurance agency recommended the coverage, and since Ann Arbor is a district with lots of sensitive data, she thought it was time for protection. Solowczuk said the cost of the insurance was a “drop in the bucket compared to what it might cost us if we had a cyberattack or something was breached.”
“When you see Target and all these big companies being breached, it’s scary. We aren’t as big, but if someone hacked into our system, they could really do some damage.” - Judy Solowczuk
PAULDING COUNTY, GA. | Enrollment: 28,500
The school system has had cyberinsurance since July 2014. The district pays about $25,000 a year for the policy, which is through the Georgia School Boards Association’s pooled-insurance plan with Marsh, a global provider in insurance brokering and risk management and a subsidiary of Marsh & McLennen Companies.
What the insurance covers: The policy is an add-on to other insurance the school district has, such as workers’ compensation, general-liability, and property and casualty insurance. It covers the costs of investigating the breach, making the required notifications, and any related lawsuits.
Why it purchased cyberinsurance: About 10 years ago, the district was the victim of a “phishing” attack by hackers out of St. Petersburg, Russia. A man walked into the bank that the school district used and withdrew money using the district’s password. The bank was not required to compensate the district, but it chose to refund most of the money that was taken. Superintendent Cliff Cole said the incident shows that “everyone is vulnerable.” When the cyberinsurance policy was first offered, he said it was a “no brainer” to sign up.
“Unfortunately, the society we live in today, it’s almost weekly that you hear about someone’s files being hacked or someone’s identity being stolen. So many people are concerned now about identity theft and privacy rights. It’s another layer of protection for our students and employees.” - Cliff Cole