The New Frontier

You are in the middle of a school board meeting, checking your emails during someone else’s presentation, and a board member shares this great new “thing” that he heard about at a recent work conference. Your ears perk up, because you know it falls in your area of responsibility.

That happened to me about two months ago! The “thing” was cyber liability insurance. So I kicked into high gear and started seeking answers to the “five Ws:” what, who, where, when and why.

What Is cyber liability insurance?

A cyber insurance policy may include the following types of coverage:

  • First-party coverage against losses such as data destruction, extortion (the creator of malware demands a ransom in order for the restriction to be removed), theft, hacking and denial of service attacks (a machine or network resource is made unavailable to its intended users).
  • Liability coverage indemnifying companies for losses to others caused by, for example, errors and omissions, failure to safeguard data and defamation.
  • Privacy-breach response services, including post-incident public relations, investigative expenses and criminal reward funds.

Cyber liability insurance has been available for about 10 years, but 2014’s high-profile breaches no doubt have increased the demand by all types of organizations.

Who needs cyber liability insurance?

Target, Home Depot and Staples made national news because breaches in their systems compromised thousands of credit card numbers. Initially, my assumption was that the problem was corporate America’s and school districts were not at risk, since I had heard time and again from our technology department that we had a very strong set of security protocols protecting our network.

Then, I saw a report on 60 Minutes that indicated that 97 percent of all companies are being breached, and the average number of days from the time of the breach to the time of discovery is 229! If 97 pecent of the companies across the nation are being breached, we would be naive to think that we are invulnerable.

Where is cyber insurance needed?

In the United States, 46 of the 50 states have mandatory requirements for data breach notification. Because of those notification requirements, all school districts should be considering at least minimal coverage related to privacy-breach response services. Why? In the event of a data breach, most school districts would have difficulty complying with state and federal notification requirements.

When can cyber insurance add value?

Since insurers are required to pay out cyber losses, they have a strong interest in greater security and their requirements are continually improving. That means your district will improve its security in the long term, which will benefit your students and their families. As your security improves, the cost of coverage will decrease.

The application process for cyber insurance is comprehensive and will bring to light any weaknesses in your cybersecurity system that need to be addressed. In many cases, you will be unable to secure coverage if certain security features do not exist, such as encryption. The application process alone equates to a free, independent security assessment.

Another added value to districts that obtain cyber insurance coverage is the public perception of stronger security. The fact that you have the coverage shows that you take cybersecurity seriously and are being good stewards of your patrons’ information.

Why should a district consider cyber insurance?

District staff members must have electronic access to student information, much of which is protected or confidential. In fact, probably no other type of organization, except a bank or other financial institution, stores more personally identifiable information than a school district. It is not uncommon for a school district to have social security numbers, driver’s license numbers, bank account numbers, and confidential personal medical and health data in their information systems.

But school districts don’t have to worry about data security, because they have protections in place on their networks, right? Wrong! Cybersecurity is a goal, not a destination. Even though great advancements have been made in risk protection techniques over the past decade as a result of hardware, software, and cryptographic methodologies, it is impossible to achieve perfect or even near-perfect security protections. Even the most sophisticated cybersecurity system cannot protect against human error or bad judgment.

— Excerpted from the February 2015 issue of School Business Affairs, published by ASBO International (www.asbointl.org.)

This article originally appeared in the issue of .

About the Author

John Hutchison, CPA, SFO, is chief financial and operations officer for Olathe Public schools, Olathe, Kan.

Featured

  • Greenheck Launches Optics Sensors for Kitchen Hoods

    Greenheck recently announced the launch of factory-installed optics sensors as an enhanced option for its kitchen ventilation hoods, according to a news release.

  • Addressing the Housing Affordability Crisis Through Creative Campus Development

    Many Southern California college and university campuses are living amidst surging housing costs, driving the need to house more of their populations on campus. Especially for community colleges, the need to support millions of unhoused and housing insecure students has become a prominent issue that lawmakers and institutions alike are trying to solve.

  • New Campus Stadiums Evolve Beyond Sports into Community Assets

    New campus planning documents reveal an abundance of high interest in new stadiums, or renovations and repurposing projects for existing facilities. Many universities, in fact, are developing campus complexes with new stadiums as a draw for retail, hotels, and student housing. Multipurpose facilities with high-end features are being designed to attract large sports events of various types, concerts, and other university functions.

  • Extron, CENTEGIX Partner for Comprehensive School Security Solution

    Professional audiovisual solutions provider Extron recently announced a partnership with CENTEGIX, which provides rapid incident response technology, to integrate two of their top products in the name of school safety.

Digital Edition