The New Frontier

You are in the middle of a school board meeting, checking your emails during someone else’s presentation, and a board member shares this great new “thing” that he heard about at a recent work conference. Your ears perk up, because you know it falls in your area of responsibility.

That happened to me about two months ago! The “thing” was cyber liability insurance. So I kicked into high gear and started seeking answers to the “five Ws:” what, who, where, when and why.

What Is cyber liability insurance?

A cyber insurance policy may include the following types of coverage:

  • First-party coverage against losses such as data destruction, extortion (the creator of malware demands a ransom in order for the restriction to be removed), theft, hacking and denial of service attacks (a machine or network resource is made unavailable to its intended users).
  • Liability coverage indemnifying companies for losses to others caused by, for example, errors and omissions, failure to safeguard data and defamation.
  • Privacy-breach response services, including post-incident public relations, investigative expenses and criminal reward funds.

Cyber liability insurance has been available for about 10 years, but 2014’s high-profile breaches no doubt have increased the demand by all types of organizations.

Who needs cyber liability insurance?

Target, Home Depot and Staples made national news because breaches in their systems compromised thousands of credit card numbers. Initially, my assumption was that the problem was corporate America’s and school districts were not at risk, since I had heard time and again from our technology department that we had a very strong set of security protocols protecting our network.

Then, I saw a report on 60 Minutes that indicated that 97 percent of all companies are being breached, and the average number of days from the time of the breach to the time of discovery is 229! If 97 pecent of the companies across the nation are being breached, we would be naive to think that we are invulnerable.

Where is cyber insurance needed?

In the United States, 46 of the 50 states have mandatory requirements for data breach notification. Because of those notification requirements, all school districts should be considering at least minimal coverage related to privacy-breach response services. Why? In the event of a data breach, most school districts would have difficulty complying with state and federal notification requirements.

When can cyber insurance add value?

Since insurers are required to pay out cyber losses, they have a strong interest in greater security and their requirements are continually improving. That means your district will improve its security in the long term, which will benefit your students and their families. As your security improves, the cost of coverage will decrease.

The application process for cyber insurance is comprehensive and will bring to light any weaknesses in your cybersecurity system that need to be addressed. In many cases, you will be unable to secure coverage if certain security features do not exist, such as encryption. The application process alone equates to a free, independent security assessment.

Another added value to districts that obtain cyber insurance coverage is the public perception of stronger security. The fact that you have the coverage shows that you take cybersecurity seriously and are being good stewards of your patrons’ information.

Why should a district consider cyber insurance?

District staff members must have electronic access to student information, much of which is protected or confidential. In fact, probably no other type of organization, except a bank or other financial institution, stores more personally identifiable information than a school district. It is not uncommon for a school district to have social security numbers, driver’s license numbers, bank account numbers, and confidential personal medical and health data in their information systems.

But school districts don’t have to worry about data security, because they have protections in place on their networks, right? Wrong! Cybersecurity is a goal, not a destination. Even though great advancements have been made in risk protection techniques over the past decade as a result of hardware, software, and cryptographic methodologies, it is impossible to achieve perfect or even near-perfect security protections. Even the most sophisticated cybersecurity system cannot protect against human error or bad judgment.

— Excerpted from the February 2015 issue of School Business Affairs, published by ASBO International (www.asbointl.org.)

This article originally appeared in the issue of .

About the Author

John Hutchison, CPA, SFO, is chief financial and operations officer for Olathe Public schools, Olathe, Kan.

Featured

  • Full Sail University Announces First Student Housing Facility

    Full Sail University in Winter Park, Fla., recently announced that development has begun on its first student housing community, according to a news release. The university is partnering with Nvision Development for construction and long-term management of the facility, which will stand five stories and have the capacity for more than 570 beds.

  • Academy of Classical Education Breaks Ground in Louisiana

    Charter Schools USA (CSUSA) recently announced the groundbreaking of a new public charter school in Covington, La., according to a news release. The Academy of Classical Education at Covington will enroll students in grades K–8 and is scheduled for completion in August 2026, just in time for the new school year.

  • Arizona District Breaks Ground on Community Training, Learning Center

    The Tolleson Union High School District (TUHSD) in Tolleson, Ariz., recently broke ground on a new Training & Learning Center (TLC) for both district professionals and the community at large, according to a news release. The 90,000-square-foot facility has an estimated completion date of spring 2027.

  • University of Pittsburgh to Build New Residence Hall

    The Board of Trustees from the University of Pittsburgh in Pittsburgh, Penn., recently approved the construction of a new residence hall for first-year students, according to university news.