Duncan Sutcliffe knows a thing or two about cyber insurance, and his company Sutcliffe and Co Insurance brokers has been insuring companies against the eventuality of a cyber attack for over a decade. Sutcliffe and Co are also behind the £25,000 worth of cyber insurance included with Cyber Essentials certification. With cyber attacks against the education sector regularly making headlines, we asked Duncan to talk to us about cyber insurance for schools.
What is cyber insurance?
Cyber insurance is there to cover an organisation in the event of an accidental or malicious data breach or data incident. Sutcliffe and Co have seen claims for school systems disabled accidentally by pupils who have downloaded games onto the system, bringing viruses with them. We have seen school systems breached maliciously, which then enabled fraudsters to send out phishing emails to parents of pupils pretending to be the school, and we have seen schools whose system was brought offline by a virus during the exam season. These are all examples of things that have gone wrong and been put right with cyber insurance.
What does cyber insurance cover?
Cyber insurance is included as part of Cyber Essentials for organisations that certify as a whole organisation with a turnover of less than 20 million. This cover gives up to £25,000 worth of liability.
In the event of a breach, the policy holder would immediately be able to ring an emergency helpline. They would then receive the services of a cyber incident response team whose job is to find the problem, stop the problem, and restore their systems and data. They would also receive help from a legal team who would deal with any litigation and regulation issues. This could be anything from the Data Protection Act to a breach of contract. Crisis management and PR support would assist them with communications, and that might include support to notify data subjects, e.g. telling parents and pupils what has happened.
A basic cyber insurance policy will cover the technical incident response costs and the legal, regulatory and crisis management costs. This can be compared to an emergency response service. A more comprehensive cyber insurance policy might cover more. Depending on the size of the cyber attack, and the amount of cover you have on your insurance, the policy could pay fines and penalties where legally permissible. It can also cover lost income (which can be highly relevant for an independent school). In the event of ransomware, a policy would help with restoring systems and data.
When an organisation applies for cyber insurance, do they have to prove they have mitigated risk?
Anyone who wants to buy cyber insurance has to prove a certain degree of cybersecurity, in the same way that, with your house insurance, you have to confirm that you not only have a front door but that the door has a certain standard of lock on it. As with home insurance, if you don’t have many valuables, insurers will be happy with a standard five-lever mortice deadlock. But if you live in a palace with lots of possessions, then insurers might insist upon an alarm and CCTV. To determine the risk, cyber insurers will take a look at your size and sector of business, your existing security levels, and the amount of data you keep. Schools don’t have a lot of money changing hands in the state sector, but they have a lot of valuable data, which is subject to regulation, fines and penalties, and they are often poorly resourced, therefore their cybersecurity may be weak. These days, schools are considered high risk.
Another issue to consider is that a school is full of children, many of whom will be very bright, very curious, and, occasionally, very malicious. Some of those children may want to download games or cheats, some may want to see the exam questions or to change the website, and some may wish to cause harm to the school.
Since the two alerts to the education sector from the National Cyber Security Centre, have you seen an increase in schools taking out cyber insurance?
Yes, we have, certainly in the last 18 months. There’s a lot of interest from schools now that they are starting to realise how vulnerable they are. It’s not just the lessons; everything is reliant on the IT network. This was keenly highlighted recently in a school cyber attack in Kent, where the school had to close because the staff had no emergency contact phone numbers for the children. Criminals are targeting schools due to their poor security resources, and insurers are very aware of this, so of course the cost of insurance for schools has gone up.
Can you give us any indication of the cost of a cyber attack for a school?
For a small organisation, and that’s any small organisation, a small breach tends to come in at between £10,000 and £30,000. A large breach for a small organisation tends to come in at between £60,000 and £80,000, but there have been some huge cases recently. Some of the most expensive breaches recently have involved ransomware.
The free cyber insurance included in Cyber Essentials would usually cover the costs for a small breach and would certainly cover the essential emergency assistance for a breach. A large breach can cost astronomical amounts, as we’ve just discussed. A school can upgrade their insurance cover to higher limits of indemnity. We will always take into account that they have got Cyber Essentials, so they get preferential rates, because Cyber Essentials is shown to reduce the risk by at least 80%.
Find out more about the Cyber Liability Insurance included with Cyber Essentials certification here.