A lack of funding and untailored cover have meant schools are easy prey for hackers, but what can brokers do?

Cyber attacks are a major concern for UK schools with their data systems often being an easy target for hackers.

In the wake of GDPR’s guidance on protecting children’s data, 48 UK schools reported cyber incidents between September 2017 and March 2018; 12 of these lost £145,124 between them and one lost £19,150, according to figures from the National Fraud Intelligence Bureau. Action Fraud, the UK’s national reporting centre for fraud and cybercrime, has also seen schools return from holidays to foot a £100,000 bill related to a cyber attack.

In March, the Sir John Colfox Academy in Bridport saw hackers use ransomware to encrypt files, causing the loss of some GCSE coursework, after an email containing the virus was opened.

But despite this spate of attacks, Ecclesiastical revealed that only 25% of schools in the UK actually have cyber insurance.

As more and more schools look to technology, their exposure to cyber-attacks increases. However, the number of attacks where schools are at a loss demonstrates that it might not be a top priority for them. But should it be?

Bearing this in mind, is this an untapped market for brokers? And what’s preventing schools from purchasing it?

What can brokers do?

Ecclesiastical’s education heritage director, Faith Kitchen, said that despite cyber threats evolving, uptake is still scarce.

“Brokers can help schools to navigate policies to avoid paying for cover they don’t need and optimising what would really help, such as a top-notch breach response to minimise harm to students, parents and staff if sensitive data is compromised,” she told Insurance Times. 

“If not dealt with correctly, there can certainly be a reputational impact but also financial harm. We know that schools are incredibly stretched financially.”

She also alluded to the internal threat of students themselves hacking systems to change grades or show off to their friends, which is unique to education.

Better mitigating risk

Ecclesiastical has soft-launched its Cyber Scenario Planner, a tool to help brokers have more detailed conversations with their education clients while also identifying the risks that schools face to better manage them and raise awareness about what cyber insurance does. The latter is an overall industry problem for most cyber insurers, with many SMEs also believing that they do not need this type of cover.

The visual tool aims to move the conversation away from selling cyber towards identifying assets and risks.

Nic Hartley, Ecclesiastical’s head of business improvement and innovation, told Insurance Times that the idea arose following feedback from its brokers and customers.

The broker wanted more senior people, such as trustees or governors, to understand the crux of the problem, instead of leaving it solely in the hands of an IT staff member or team.

As data protection research firm Ponemon Institute’s 2017 survey cited, 72% of hackers are opportunistic, so preventative measures could act as a deterrent.

Top concerns – Source: Ecclesiastical, 2019 

Most common attacks:

Malware (71%)

Phishing (50%)

 

After a cyber-attack the top concerns for schools were:

Loss of data (82%)

Cost of putting things right (47%)

Data breach (46%)

Public trust of the organisation (37%)

Reputation (34%)

Limitations

A lack of funding for education does not help matters.

Eva Berg-Winters, chief executive and co-founder at cyber MGA Bewica, told Insurance Times: “There is wide variety in how much information schools share online and how they do it, such as whether they have a portal for parents and pupils, and whether there are self-developed tools or only third-party platforms.

“And as schools, they tend to have limited IT budgets and in-house expertise on cyber security, which makes it hard for them to manage the risks.”

Ecclesiastical revealed that 45% of those surveyed lack in-house knowledge of cyber insurance, 30% had outdated software and 30% stored data in only one location.

Porous environment

Hartley explained that cyber criminals’ motivation for stealing data is usually to monetise it.

“It always comes back down to money. Generally, they [hackers] will go for the lowest hanging fruit. A lot of attacks we have seen will involve them trying to defraud schools or parents out of money directly,” James Burns, cyber product leader at CFC Underwriting, told Insurance Times.

Another problem for schools is the “porous environment where data is flying around everywhere” with pupils and teachers sending work in remotely, making it tricky to control. 

Education, education, education

“Ironically, education is probably the most important thing,” Kitchen said, adding that raising awareness on the risks and helping brokers and customers understand them is crucial. 

Burns welcomed Ecclesiastical’s move to raise awareness on this issue. He suggested backing up data, keeping anti-virus software up to date and educating those using the network to be aware of unsolicited emails and suspicious links.

He told Insurance Times: “In the last couple of years we have started to see a real uptick in [cyber] claims across the board, including the education sector, and schools are a unique target.

“I think brokers need to be more on the forefront in raising cyber security with their education clients, I think lots of brokers do a great job of it but I think insurers need to do a better job of giving them the tools to do that.”

Burns spoke of a school fee fraud scam last year where attackers gained access to a database that contained contact details of parents.

The hackers were able to send emails out from a school’s email account explaining to parents that if they paid the education fee before a certain date they would be eligible for a discount.

Overall, the hackers pocketed around £40,000, and CFC has seen similar scams in the US and Australia.

CFC is releasing monthly anonymised claims case studies to help brokers with this. Burns said that the most common attacks on schools that he sees are theft of funds, data breaches and ransomware attacks.

“Due to the nature schools are run and their constraints on funding it limits their investment in IT infrastructure. I think that we need to try and raise awareness with the relevant stakeholders in the education sector,” he concluded.