We're sorry but your browser is not supported by Marsh.com

For the best experience, please upgrade to a supported browser:

X

Risk in Context

Cyber-attacks on Australian and New Zealand universities soar amidst pandemic

Posted by Kristine Salgado 16 November 2020

Published 16 Nov 2020

Ransomware attacks increased during the pandemic in both volume and severity. The average ransom payment increased by 60% during the second quarter of 2020, with each attack leading to an average of 16 days of downtime. With their wealth of personal information and intellectual property in the form of valuable research data, cyber risks for universities and higher education institutions have become a growing concern, with the education sector being prime targets for cyber-attackers.

Cyber risk landscape for higher education

In 2019 alone, 89 universities, colleges, and school districts in the US were hit by ransomware attacks. Locally, a well-publicised example of a cyber-attack in the higher education sector is the attack on the Australian National University (ANU) in Canberra which led to 19 years’ worth of data being compromised, in what was labelled an “Ocean’s Eleven” style attack.[1] The post-breach report published by ANU showed that the hackers operated as a highly sophisticated unit, gaining initial access in late 2018 through a single phishing email, with their intrusion only being detected months later.[2]

Over the past few months, there have been multiple attacks on universities and higher education institutions across the US, with claims trends for the first half of 2020 remaining in line with those for the same period last year. Universities in Auckland and Otago were victims of a cyber security breach this year, linked to an attack against technology firm Blackbaud, which store information on their behalf. In the UK, a report published in July by cybersecurity firm Redscan found that more than 50% of UK universities experienced a data breach in the previous 12 months.[3]

Pandemic expands cyber risk profile

The ongoing COVID-19 pandemic has only aggravated this risk. As universities and other higher education institutions sought to protect students and staff by moving to a mostly remote working and learning environment, this has consequently increased potential cyber risk during the pandemic. Data vulnerabilities increased and potential attack footprints expanded, creating new points of entry for cyber adversaries.

As noted above, the nature of higher education institutions make them prime targets for cyber-attacks. This is because universities and colleges:

  • Produce valuable research, often in cooperation with private entities, with a potentially high economic payoff. These include efforts by university-based researchers to help develop treatments and vaccines for COVID-19.
  • Retain valuable personal data, including credit card numbers and medical information pertaining to students — both current and former — and staff. There are 1.5 million enrolled students across Australian universities, and the sector employs over 130,000 full-time equivalent staff.[4]
  • Use open learning environments, where information is shared among stakeholders and highly visible or symbolic figures are present, which can lead to increased threat activity from cyber activists seeking to disrupt operations for political purposes.

Time to act is now

Cyber risk is intensifying for education institutions at a time when the insurance market is changing. The marketplace has sought to clarify how property and casualty policies might respond to a cyber-event, with some insurers taking the position that policies must expressly include or exclude cyber coverage in order to apply, which could leave schools with dangerous gaps in coverage. It is thus essential for risk managers to review their existing policies with insurers or brokers to identify — and rectify — any such gaps.

It is critical for all higher education institutions to take a collaborative approach to address cyber risk. Risk management and information security departments must work together to train employees, regularly review security policies, develop incident response plans, and conduct real-time tabletop exercises, among other measures. Before a cyber incident takes place, education risk professionals must ensure they have the necessary resources to respond quickly and effectively.

As the pandemic continues to affect individuals around the world, universities and higher education institutions’ primary focus remains the health and safety of their students and faculty. However, the confluence of traditional and new risks make this the right time to review your cyber resilience capabilities. The impact of not addressing key security vulnerabilities can have significant financial and reputational effects in the event of a cyber-attack. It is vital that higher education institutions invest in understanding their cyber risks, and implement effective methods to mitigate both current and emerging cyber threats.

To better understand, manage and measure your organisation's cyber risks and prepare for 2021, please join us at the Marsh Cyber Risk Masterclass (16 Nov – 4 Dec).

LCPA:  20/608

 


[1] https://www.canberratimes.com.au/story/6414841/like-a-diamond-heist-how-hackers-got-into-australias-top-uni/
[2] https://imagedepot.anu.edu.au/scapa/Website/SCAPA190209_Public_report_web_2.pdf
[3] https://www.redscan.com/media/The-state-of-cyber-security-across-UK-universities-Redscan-report.pdf
[4] https://www.universitiesaustralia.edu.au/wp-content/uploads/2019/06/Data-snapshot-2019-FINAL.pdf

Kristine Salgado

Kristine commenced her insurance career in 2009 under a graduate program with a global broking organisation, gaining experience across corporate, commercial and financial lines divisions. Kristine specialises in Directors and Officers, Professional Indemnity, Crime and Cyber insurance policies with strong experience in all facets of broking including placement, claims management and technical wording reviews. Kristine has partnered with leading insurers to establish Cyber insurance facilities for various business segments, enabling clients to access competitive rates and comprehensive coverage. Kristine regularly composes cyber risk thought leadership material, including client alerts following major legislative changes or developments in the area of data and privacy protection, and bespoke papers for risk management committees. Kristine has strong experience in the placement of large, complex Cyber insurance programs for multinational companies and works closely with insurers both in Australia and London to drive positive results for clients. Kristine was the winner of the inaugural Wotton + Kearney APIG scholarship in 2015, and named as an Insurance Business Young Gun in 2017.