Pandemic Heightens Cyber Risk for Higher Education

Ransomware attacks are increasing in both volume and severity. The average ransom payment increased by 60% during the second quarter of 2020, with each attack leading to an average of 16 days of downtime. And education institutions are a prime target for cyber-attackers.

In 2019 alone, 89 universities, colleges, and school districts in the US were hit by ransomware attacks. Over the past few months, there have been multiple attacks on higher education institutions, with claims trends for the first half of 2020 remaining in line with those for the same period last year.

Pandemic Expands Cyber Risk Profile

The ongoing COVID-19 pandemic has only aggravated this risk. As higher education institutions moved to a mostly remote environment to protect students and staff, their attack footprint expanded, making it more difficult to secure and creating new points of entry for cyber adversaries.

But it’s not just the pandemic. The nature of higher education institutions make them prime targets for cyber-attacks. Colleges and universities:

• Produce valuable research, often in cooperation with private entities, with a potentially high economic payoff. These include efforts by university-based researchers to help develop treatments and vaccines for COVID-19.
• Retain valuable personal data, including social security and credit card numbers and medical information pertaining to students — both current and former — and staff.
• Use open learning environments, where information is shared among stakeholders and highly visible or symbolic figures are present, which can lead to increased threat activity from cyber activists seeking to disrupt operations for political purposes.
• Face a complex regulatory environment made up of the California Consumer Privacy Act — which recently began to be formally enforced — the EU’s General Data Protection Regulation, the Health Insurance Portability and Accountability Act, and the Department of Education’s office of Federal Student Aid.

Time to Act is Now

Cyber risk is intensifying for education institutions at a time when the insurance market is changing. The marketplace has sought to clarify how property and casualty policies might respond to a cyber-event, with some insurers taking the position that policies must expressly include or exclude cyber coverage in order to apply, which could leave schools with dangerous gaps in coverage. It is thus essential for risk managers to review their existing policies with insurers or brokers to identify — and rectify — any such gaps.

Many existing cyber policies include additional services to identify and address risk mitigation and management shortcomings. But it’s critical for all higher education institutions to take a collaborative approach to addressing cyber risk. Risk management and information security departments must work together to train employees, regularly review security policies, develop incident response plans, and conduct real-time tabletop exercises, among other measures. And before a cyber incident takes place, education risk professionals must ensure they have the necessary resources to respond effectively.

As the pandemic continues to infect individuals around the world, higher education institutions’ primary focus remains the health and safety of their student and faculty. But the confluence of traditional and new risks make this the right time to review your cyber resilience capabilities and make the necessary investments.