Held for ransom: Is cybersecurity insurance worth the investment for colleges?
As cyberattacks have ramped up – there have been more than 1,700 hitting education targets since 2020 – high-end security has become essential. Colleges might think they have strategies in place to stave off phishing emails, DDos attacks and breaches, but what happens when one clever group forces its way through those roadblocks?
It can be costly. Ransomware attackers have forced billions in payments this year by slipping through back doors to steal sensitive data. Colleges can turn to endpoint protection or zero trust security for protection, but many want further assurances.
Bring on cybersecurity insurance, which can be a money saver for institutions facing online threats.
“You have the obvious financial advantage,” says Mike McNerney, Chief Operating Officer at Resilience, a cybersecurity insurance and prevention startup firm. “If you get hit with an incident, have a competent insurance company, and you file a claim, that claim will be paid. You will get some financial recuperation. Maybe not all. It depends on your policy.”
Those policies, like your auto or medical insurance, reward those who are less risky. The more security features and better response plans colleges have to stave off attacks, the more likely companies will back them at a reasonable cost. Those with more risk can expect higher premiums or not be covered at all, like drivers who’ve had a few accidents in the past 36 months.
Institutions should read the fine print, but those that can get solid policies will be rewarded.
“You’re not just going to get money back if you file a claim, but it’s the restoration,” says McNerney. “You get hit with something, you’re going to be scrambling. Who do you call to restore your systems? Who do you call to do forensics? Having a competent insurer, you have essentially all of that settled. You call a claims officer, and that person sets all of that in motion, immediately, so hopefully, you are back up and running that much quicker as a result.”
Down time is one of the many negative outcomes that can cripple institutions, as Howard University recently found out when hackers took down their systems, affecting administration, students and faculty. And there are others.
“In cyber security, you have a thinking, adapting human being on the other side of the internet,” says McNerney. “When you make a move, they make a move to adapt. They say, if you don’t want us to release 20 years of customer data or employee privacy data, you’d better pay us. When that isn’t enough, they get the personal phone number of the CEO and harass that person. Cybersecurity is very much a cat-and-mouse game. A competent partner, whether it’s an insurance provider or your security partner, will help you adapt as the threat adapts.”
Double the coverage
What makes Resilience unique is that it offers both cybersecurity assistance and cyber insurance. Its staff is comprised of both data science/security leaders as well as insurers. Most of its founders, including McNerney (U.S. State Department, Office of the Secretary of Defense), have a security background. Resilience’s CEO Vishaal Hariprasad, a former National Security Agency officer, was tapped in August by the White House to discuss the cybersecurity crisis. The team continues to work with numerous government agencies such as CISA and the Department of Homeland Security on best practices, incentives for improved security and insurance matters.
Here’s how the process works between prospective clients and Resilience. The agency’s underwriters will assess customers from a risk and security perspective (this sort of audit is typical among insurers). After a policy is approved, clients will come in for a 60-90-minute session with the security team to go over a safety plan.
“We want to have not just an insurance relationship, but a very mature, very trusting security relationship with our customers,” he says. “We want to head those threats off at the pass.”
Before institutions sign on for policies, they should try to ensure they have these areas solidified to get the best rates, according to McNerney:
- Adequate coverage. “That includes a suite of post-incident responders and pre-negotiated contracts. If you get hit with a ransomware attack, email compromise or denial of service, do you have plans to deal with that? Do you know who to call and what to do? Oftentimes, having those kinds of plans are as important as the technology.”
- Technology. “Do you have basic cybersecurity hygiene in place? You should have strong usernames and passwords. You should use multifactor authentication. When it comes to ransomware, you should probably have encrypted offline backups and endpoint protection on your phone or your laptop. If you have a large network, maybe you segment it so if someone gets access to one, they can’t get access to everything.”
- Personnel. “Do you have a security team? Are you training users to think about cybersecurity or not click on phishing emails and making sure that they’re using that multifactor authentication? Those are the three dimensions that we really look at when we’re evaluating a customer. And if they don’t, then we we’d like to work with them. We don’t want them to get hacked as much as they don’t want to.”
Cost of policies vary widely depending on existing levels of security, measures being taken to protect data, remote usage and personnel employed to combat attacks. Policies typically may cover legal fees, forensics costs, restoration and recovery of data, device repair and yes, even some of those payoffs frowned on by the FBI.
McNerney says institutions should look closely at federal funding that can be used toward cybersecurity and encourages them to work with industry partners, the state government and federal government on cyber initiatives.