What colleges and universities need to know about cyber insurance


Does your university need a cyber insurance policy? The answer is likely yes.

Insurers view colleges and universities, with their culture of openness and information sharing, as high susceptible to cyberattacks, according to a new resource created by EDUCAUSE and the University Risk Management and Insurance Association (URMIA).

The 15-page document, “Frequently Asked Questions About Cyber Insurance,” addresses topics and issues ranging from the nature of cyber risk to the ins and outs of the claims process. Officials from EDUCAUSE, a nonprofit that brings together higher education technology leaders, and URMIA decided to collaborate on the resource in response to high-profile data breaches and heightened awareness about cybersecurity in the academic community.

“We talked about how we could partner together and co-publish a FAQ that would be broader and helpful to both the risk managers and the EDUCAUSE folks,” said Jenny Whittington, executive director of URMIA.

The resource emphasizes that campus data breaches can turn into high-visibility problems, such as identity theft, electronic stalking, compromise of health data, theft of intellectual property and other liabilities.

One U.S. university — not named in the document — recently fell victim to an attack on its financial management software that compromised information of 80,000 current and former students, employees and vendors, illustrating the liabilities that colleges and universities face today.

“Cyber risks at educational institutions encompass all users, including faculty, students and staff,” the resource states. “Colleges and universities are also a treasure trove of confidential information with the financial records of parents, health care records of students and staff, and credit card data.”

Whittington told EdScoop that the document can serve as a central resource for fostering conversations and collaboration around campus cybersecurity issues.

“The most important part about the [URMIA-EDUCAUSE] partnership is to get the risk manager and the IT folks to align, get together and talk about it, and get on the same page,” she said. “I think success, to us, would be for them to use this document together to guide their conversation, to get a better understanding of cyber insurance and how it really works and how it’s going to help protect their institutions. It’s important to have a relationship built between the risk manager and the IT folks.”

According to the FAQ, insurance coverage exists for a variety of potential losses and liabilities, including:

  • Costs resulting from a privacy breach, such as forensic and investigative services, breach notification services and public relations
  • Regulatory coverage to cover the cost of defending an action brought by federal and state regulatory agencies due to a security breach
  • Liability coverage for the costs of lawsuits relating to breaches; for example, the failure of system security to prevent or mitigate a computer attack
  • Cost incurred by cyber extortion attacks, such as ransomware
  • Institutional loss of income due to security breaches and system failures

Losses that aren’t covered under typical insurance policies, according to the resource, include claims arising from war, intentionally dishonest or criminal acts, breach of contract and theft of trade secrets.

Insurance coverage for cyber risks has evolved over time, as systems and risks have proliferated and become more complex. Common institutional insurance policies may provide only limited coverage. For example, under a commercial general liability policy, electronic data are generally not considered tangible property and are not covered under the property damage provisions.

A modern cyber insurance policy, however, may cover the costs incurred to replace, restore or recollect digital assets from written records, according to the resource.