Cyber Risk Management for Colleges and Universities

Jean Demchak, Marsh Education Industry Practice Leader, led a discussion of cyber risk and solutions with Mary Dewey, Director of Risk Management, University of Vermont, Sandra Mitchell, Director of Insurance, MIT, and Martin Leicht, Marsh's Education Cyber Leader.

The panel covered topics related to the changing cyber environment, the impact of virtual learning on higher education's risk profile, the cyber insurance purchasing decisions of colleges and universities, and how higher education risk management departments should interact with incident response teams.

The COVID-19 pandemic and the shift to remote and online learning have pushed colleges and universities to create innovative education solutions. Embracing technology has delivered new opportunities for students but also created operational risks – especially technology and cyber risks.

Cyber threats for higher education institutions are no longer limited to data breaches. An attack that brings down online platforms or blocks access to research data could be even more damaging than the loss of personally identifiable information (PII).

Prior to 2020, cyber risk for colleges and universities was primarily limited to data breaches. Today, however, a data breach is no longer the only or biggest threat. Educational institutions should look at the variety of attacks and threat actors that could affect an institution from a technology standpoint. Colleges and universities have to be sure their cyber liability insurance protects them from new and existing threats.

Ransomware attacks have especially grown as a threat in 2020. For example:

  • Ransomware attacks increased 72% during the pandemic.
  • Ransomware demands increased 60%.
  • Average ransomware demand exceeds $200,000 but 7- and 8-figure demands are not uncommon.
  • Cost to remediate following a ransomware attack is typically equal to the ransomware demand -- a $2 million demand will cost an institution $4 million total to resolve.
  • The average ransomware attack can create 16.2 days of downtime – a stark increase from five years ago when outages lasted hours not weeks.

Most colleges and universities understand they have a cyber risk – 72% of Marsh education clients purchase cyber insurance, the best take-up rate by industry. However, they also purchase some of the smallest limits – averaging $40 million in coverage. This may not be enough to account for a potential catastrophic cyber loss.

With tight budgets, however, insurance purchasers at colleges and universities may find it difficult to push for additional cyber coverages. Peer risk managers recommend looking for support in other departments to help justify the need for expanded cyber coverage. Build alliances with groups such as:

  • IT security.
  • Risk and audit.
  • Incident response teams.
  • Legal.

These groups are all involved in cybersecurity but might not understand the full picture of what cyber coverage can provide. For example, chief information security officers (CISOs) are starting to understand that insurance coverage can provide financial security and additional services and insights. The claims that the insurance community has seen can help inform security organizations about what is happening with cyberattacks.

Many insurance carriers also provide proactive vulnerability scanning and other services that can help identify potential weak points before a hacker can exploit them. Identifying these potential points of failure allows IT security departments to improve network security.

The question of how much cyber coverage colleges and universities really need is complex and can’t be answered with a checklist or simple benchmarks. Claims data, analytics, threat assessments and industry experience are all required to develop the right cyber insurance solution. Contact Marsh’s education industry practice or your local Marsh representative to evaluate the adequacy of your current program structure and to learn more about how Marsh can help colleges and universities develop a comprehensive cyber risk program.