This document contains advice intended for general information only. To learn how cyber insurance applies to your institution, please contact your institution's risk management office or chief information officer. This document is not legal advice. For legal advice, please contact your legal counsel.

FAQs

• What is cyber risk?
• What is cyber insurance?
• What does cyber insurance cover?
• What losses are not covered by cyber insurance?
• What is the process for procuring cyber insurance?
• What should an institution know before entering the cyber insurance underwriting process?
• Is self-insuring an option, as opposed to purchasing insurance?
• Will other types of insurance cover cyber risk?
• Are there special concerns for public institutions?
• What should happen when an event occurs that might be covered by cyber insurance?
• How can cyber insurance complement an institution's existing systems and processes?
• Are there special concerns for institutions with academic medical centers?
• What key stakeholders should be included when discussing cyber insurance?
• Are there benefits from working with an insurance broker?
• How can cyber insurance complement an institution's approach to third-party risk management?

What is cyber risk?

Cyber risk refers to the potential negative impact to an organization resulting from the failure, disruption, damage, or destruction of its information systems. This includes unauthorized use or access to data contained in the information systems.

Insurers view colleges and universities—with their culture of openness and information sharing—as highly susceptible to cyber risk. Data breaches can turn into high-visibility problems, such as identity theft, electronic stalking, compromise of health data, theft of intellectual property (either the institution's own or that of another entity), and other liabilities. The education sector saw an increase in ransomware attacks in 2023, and multiple higher education institutions have now confirmed they were victims of data theft related to a security flaw in file transfer software sold by IT security company Accellion.

Cyber risks at educational institutions encompass all users, including faculty, students, and staff. Colleges and universities are also a treasure trove of confidential information, with financial records of parents and donors, healthcare records of students and staff, credit card data, etc. The types of computer systems in use at an institution today are varied and include both on-campus systems controlled by the institution and off-campus (cloud) systems managed by third parties. Examples of the varied computer systems include equipment for remote monitoring of and access to infrastructure systems like boilers and HVAC systems, stadium scoreboards, centrally managed classroom video display computers, and biometric access control systems. News stories about ransomware attacks plaguing colleges and universities and third-party security breaches that impact campus operations are not uncommon.

Back to top

What is cyber insurance?

Cyber insurance is a financial risk transfer product that helps protect organizations from cyber and IT risks by transferring those risks away from the insured. Cyber insurance may cover direct organizational losses (such as the costs of forensic services, data breach services, or credit monitoring) or third-party claims and lawsuits, along with regulatory fines and penalties. Today, insurance coverage exists for a variety of potential losses and liabilities caused by cyber risks. Insurance for a particular institution could include some or all of the following:

Breach and event response coverage: This coverage would reimburse for costs arising from a privacy breach: forensic and investigative services; breach notification services (including legal fees, call center, mailing of materials, etc.); identity and fraud monitoring expenses; and public relations and event management.

Regulatory coverage: This coverage reimburses the costs to defend an action by federal or state regulators due to a privacy breach. Coverage would be triggered by the failure of security controls that might lead to a privacy breach, such as someone losing a laptop, failing to encrypt the data on a device, or emailing a document to the wrong person. Coverage might also apply to nongovernmental regulations, in particular the payment card industry and its PCI standards.

Business interruption or extra expense: Business interruption insurance covers the loss of income and extra expenses resulting from the actions or efforts of an institution to respond to a breach or an unintentional or unplanned outage. Typically, the insured entity must satisfy a waiting period or meet a damage threshold before coverage will apply.

Security breaches of contingent third parties: Many policies now recognize the interdependence of businesses and contain contingent business interruption provisions. Contingent business interruption insurance covers an insured's income losses and extra expenses due to a security event that interrupts the service of an entity not owned, operated, or controlled by the insured but that is relied upon to conduct business. For example, if a ransomware attack prevents a payroll service from processing an institution's payroll and the institution incurs costs to manually provide the payroll, the extra cost of doing so would be covered.

System failures: A system failure generally means any unintentional and unplanned outage of a computer system. A system failure may occur, for example, after an organization implements a system patch that proves to be incompatible with existing functions, resulting in an unplanned outage.

Data replacement costs due to a security breach: This coverage applies to the costs incurred by the insured to replace, restore, or recreate digital assets from written records or from partially or fully matching electronic data records due to their alteration, corruption, or destruction from a network operations security failure.

Liability coverage: A cyber policy would reimburse an insured for damages paid because of a lawsuit or other legal claim. Liability insurance would cover defense of a claim or lawsuit, but it would not provide any reimbursement for costs the policyholder incurs to fix the issue. Common types of cyber insurance liability coverage include:

• Privacy liability: This covers defense and liability for failure to prevent unauthorized use/access of confidential information.
• Security liability: This covers defense and liability for the failure of system security to prevent or mitigate a computer attack, including but not limited to the spread of a virus or a denial of service.
• Multimedia liability: This provision would respond to claims such as oral or written defamation in an online publication, including disparagement, misappropriation of name or likeness, plagiarism, copyright infringement, or negligence in content.

Cyber extortion: Cyber extortion usually takes the form of a ransomware attack, whereby a cyber criminal will encrypt a victim institution's files and/or threaten the release of sensitive data unless a ransom is paid. Cyber extortion insurance covers the costs of consultants and monies—including cryptocurrencies—for threats related to interrupting systems and releasing private information, as well as the rebuilding of such systems after an attack.

Social engineering fraud: Deceptive fraud transfer is a type of cyber crime that occurs when a person is tricked into transferring funds to an unauthorized person or account. This is typically not covered under basic policies but in some cases might be available as an optional endorsement.

Back to top

What does cyber insurance cover?

Cyber insurance policies may include some or all of the following key components:

Media in the control of others: Cyber insurance may cover unencrypted media in the care or control of third-party processors.

Events occurring during policy period but discovered afterward: Coverage under a cyber insurance policy is triggered, in part, by an insured's report of a claim to the carrier. Depending on the wording of the policy, it may cover events that occurred during the policy period but were only discovered after the expiration of the policy period. Under a "claims made and reported form," for example, a claim must be made and written notice of the claim must be received by the insurer during the policy period or, if applicable, during any extended reporting period that may extend the discovery period for a period of time beyond the expiration of the policy.

Coverage for privacy breaches other than electronic or computer related: In addition to a breach of a computer system, personal data may be compromised when paper records are lost, stolen, or improperly handled, resulting in an unauthorized disclosure. For example, a privacy breach may occur when personal data paper records are not properly disposed of.

Errors and omissions—negligence or breach of contract: This encompasses legal defense costs or indemnification resulting from a lawsuit or dispute with customers when cyber events prevent companies from fulfilling contractual obligations or delivering services to customers.

Cyber insurance also provides great benefits often offered but rarely discussed. These include annual tabletop exercises through their data privacy legal partners, vulnerability scans, dark web monitoring, and business continuity / incident response plan reviews.

Back to top

What losses are not covered by cyber insurance?

Like any insurance policy, cyber insurance policies exclude coverage for certain losses. Exclusions are usually grouped together in a section of the policy, though coverage may also be excluded or limited by the definitions or policy language. Typical exclusions include claims attributable to or arising from war, operation of a nuclear facility, intentionally dishonest or criminal acts, breach of contract, theft of trade secrets, unfair trade practices, and employment practices. Cyber insurance policies also exclude losses that are traditionally insured through other insurance products, losses that are more appropriately handled by a federal government agency, or losses that would result in bad public policy—for example, if a cyber incident leads to widespread consumer fraud or identity theft, state or federal consumer protection agencies might step in to assist affected individuals.

Cyber insurance typically won't cover a loss of future profits resulting from a cyber attack—if a cyber attack causes you to lose customers and consequently lose profit, cyber insurance will not reimburse you for that loss. Also, most cyber liability insurance policies don't cover your business for a decrease in company value. For example, your intellectual information could be stolen through digital crime. Without that information, your company becomes less valuable overall, but insurance providers will not cover that loss of value. Cyber insurance also won't pay for a security system upgrade. Even if you want to enhance your security system after a cyber attack to prevent future attacks, your insurance will not cover the cost of those upgrades. Cyber insurance policies typically exclude coverage for any incident or claim that arises from or is based on a willful, intentional, deliberate, malicious, fraudulent, dishonest, or criminal act or omission committed by the insured. The general intent of this exclusion is to prevent the insured from receiving a financial benefit for committing an unlawful or dishonest act.

Each cyber insurance policy is different, and it is important to read the policy terms carefully to understand what is and is not covered. Depending on the policy form and grant of coverage, additional exclusions can include losses due to a lack of security measures, vicarious liability, loss of electronic device, and intellectual property (note: some policies allow for an endorsement to protect companies from losses of intellectual property).*

Back to top

What is the process for procuring cyber insurance?

Higher education institutions procure cyber insurance through a licensed insurance broker, preferably an insurance broker with experience placing cyber insurance for higher education risks. Once a cyber insurance broker has been selected, an institution typically completes a cyber risk self assessment or application/questionnaire that will collect the necessary underwriting information for a cyber insurance carrier to price and offer competitive terms and conditions. In recent years, most cyber insurance applications have consolidated their questions around several core cybersecurity controls. Those control areas include but are not limited to identity access management, endpoint protection, data backup procedures, faculty and staff cybersecurity awareness training and anti-phishing simulations, change management, and regulatory compliance. For larger institutions, an underwriting meeting in which cyber insurance underwriters ask targeted questions might replace the completion of a comprehensive cyber insurance application. In recent years, cyber insurance underwriters have leveraged external vulnerability scanning tools to help gauge the cybersecurity maturity of potential insureds. It is prudent to review and remediate the findings discovered in these scans because they are notorious in flagging false positives within higher education networks.

Upon completion of the underwriting process, an institution's cyber insurance broker should present the structural, pricing, coverage, and risk management options. In addition, a value-added service provided by most cyber insurance brokers is peer benchmarking and loss modeling data to assist with the cyber insurance aggregate limit decision-making process.

Like organizations in other industries, institutions of higher education face cyber risk exposure. On average, higher education institutions warehouse significant amounts of sensitive data and are also susceptible to losses related to business interruptions. Because not all cyber risk can be minimized through robust processes or technical controls, risk transfer is a viable means of limiting the scope of an educational institution's exposure. Institutions should note that commercial insurance markets are cyclical, meaning that insurers are more or less willing to provide coverage and policy limits on cost-effective terms. This cyclicality is due partly to supply and demand (as insurers, for their own reasons, choose to become more invested in this coverage line or market for higher education), partly to their claims payment history in this coverage, headlines that insurers perceive as making the risks more likely to turn to losses going forward, technological changes that affect the risks, and policyholders' willingness to invest in risk mitigation techniques to differentiate themselves in the insurance marketplace.

In addition, institutions should note that commercial insurance companies are growing more savvy about understanding institutional computer systems and requiring that those systems meet basic information security protective thresholds. As a condition of insurance, insurers may require a campus to demonstrate compliance with an industry best practice information security framework (such as NIST or ISO). They may also require an institution to demonstrate a particular information security control, such as the use of multifactor authentication across the campus network or institutional computer systems. Cyber carriers are also providing more risk mitigation resources and are partnering with third-party training and risk mitigation vendors, sometimes included in their programs and offered at a discount to their customers.

Although no outright federal or state law mandates that higher education institutions carry cyber insurance, officials may nevertheless determine that carrying such coverage is in the best interests of the institution. Benchmarking the purchase of cyber insurance is typically based on comparisons with organizations of a similar industry and revenue size. Insurance brokers may have benchmarking information based on client data. Other sources are surveys of peer institutions.

Best practices for obtaining a cyber liability insurance quote include the following:

• Work with an experienced insurance broker: An effective broker should have a strong, comprehensive grasp of the scope of an organization's cyber risk; understand and explain how this risk is quantified; provide recommendations on insurance carriers or policies that might be a good fit for the organization; and obtain appropriate coverage and favorable pricing. Selecting a broker with cyber insurance expertise may be essential to securing cyber insurance that addresses the institution's needs. Because insurance companies use policy forms for all kinds of organizations, colleges and universities should review policy language to look for terms and provisions that are unclear in the higher education context and address these prior to purchasing the policy.
• Conduct a security risk assessment to reduce premiums: A risk assessment provides greater transparency into the organization's cybersecurity controls and helps the organization identify vulnerabilities and potentially make changes to areas in need of improvement, changes that, if properly implemented, could result in a premium reduction. Another form of assessment that insurers will look favorably on is for the institution to conduct tabletop exercises to gauge their own response to critical incidents and then implement improvements for the gaps identified.
• Implement security controls that reduce premiums: Cohesive and interconnected practices geared around people, process, and technology-related cybersecurity improvements reduce risk and can lead to lower premiums. Restricting network access to certain users is an example of a practice that impacts all three categories: an institutional policy mandates the network access restriction; the restriction is executed by an information security or information technology team; and one of the policy's core objectives is to limit human error.

Back to top

What should an institution know before entering the cyber insurance underwriting process?

The majority of information requested in cyber insurance applications is IT related information. This does not mean that the cyber insurance application process is solely an institutional IT effort—risk management and finance are critical stakeholders as well. It's not uncommon for portions of applications to appear redundant, where the same or similar question is asked in multiple sections. Applications might request information such as gross revenue, gross profit, or IT budget expended, and they might also ask about risk appetite for different categories of coverage. Finance and risk management input are needed for these areas. Sometimes a broker can give you suggestions about these areas of the application.

Be prepared to provide a great amount of granular information about your IT operations—assets (desktop/labs and data center equipment), endpoint protection, cloud services utilized, backup processes, perimeter security information, and network security information are just some of the items needed for applications. Cyber insurers will often request a count of records maintained across a variety of business areas (e.g., health records, financial records, social security numbers, general PII). Although specific requirements can vary by insurer and on the basis of responses in the application, most cyber insurers will expect you to have relatively mature controls around endpoints, servers, accounts, email, network connectivity (wired and wireless, and including remote access like VPN), vulnerability management, backup and restoration, business continuity and disaster recovery, and monitoring.

After an application is submitted, the cyber insurance provider may come back to the institution with questions asking for clarification or more detailed information. As a condition of offering insurance, they may require changes to cybersecurity controls (e.g., requesting MFA on a specific application or server). It is up to the institution to make the changes or explain why a certain change cannot be put into place, which potentially increases risk.

Back to top

Is self-insuring an option, as opposed to purchasing insurance?

Self-insuring for cyber risk is a choice that comes with potential risks and benefits. Potential benefits include increased control over institutional cyber posture (e.g., no insurance-based requirement for tools or capabilities such as security awareness training, endpoint detection/response software, MFA), less time spent in the underwriting process, and a clearer understanding of roles and responsibilities should a cyber incident occur because some insurers require that specific incident-response vendors be used. Assuming no or limited incidents, costs will likely be significantly lower, given the lack of a premium and deductible. Other benefits include certainty around claims handling and easier budgeting since premium increases are not applicable.

Drawbacks of self-insuring include not having adequate money on hand to respond to an incident; the burden of identifying and securing incident response firms, breach coaches and third-party counsel, notification and credit monitoring firms, etc.; and the necessity of having a mature cybersecurity program and risk management program. Relatedly, self-insuring removes insurer requirements surrounding cyber controls, and those requirements are often useful levers to push through institutional roadblocks for funding and deployment. In other words, are you considering self-insurance because you don't want to spend the money or do not see the value in cyber insurance, and if so, do you believe your cybersecurity program is both mature and well resourced? Is that belief based on objective evidence?

In all cases, institutions must consider the likelihood and impact of a cyber incident and the potential costs associated with responding to and remediating that incident to ensure adequate coverage or reserves. In many situations, an insured may find that they are already meeting underwriting demands due to external compliance requirements (e.g., administrative, physical, or technical controls required for PCI, GLBA, or HIPAA compliance), and such requirements might improve posture and maturity more than self-insuring.

Back to top

Will other types of insurance cover cyber risk?

In some cases, umbrella policies such as general liabilities can cover cyber risk. Various other types of policies may have coverages impacted by a cyber event or loss. For example, crime insurance could be triggered due to a theft arising from social engineering fraud. Some property policies might have limited coverage for tangible and physical damage arising from a cyber event that causes damage to servers or other property. However, it is important to check with your insurance carrier to clarify whether your particular policy provides such coverage. Typically, when cyber coverages exist under general liability policies, the maximum aggregate liability coverages are low, typically $25,000–50,000. It is always best to purchase a separate cyber liability insurance policy through a reputable carrier, one that has an A.M. Best Company rating of A- or better, which is based on the financial security of the insurance carrier.

When working with third parties that might be hosting or collecting confidential and restricted data, it never hurts to ask about getting on their cyber coverage as an "Additional Insured" for the duration of the agreement you may have with them. Security is a shared responsibility, one which could be argued you do not need to bear alone! This is a great way to increase coverage where your policies are lacking.

Back to top

Are there special concerns for public institutions?

The legal doctrine of sovereign immunity protects some governmental entities, including some public educational institutions, from being sued. State legislatures, however, have passed laws waiving immunity for certain actions, defining limits for the immunity provisions, and setting forth procedures to bring a claim. For example, although a suit might be brought against a public entity, the law might prohibit punitive damages or place a cap on a monetary award. This could mean that, in some situations, private individuals are not allowed to sue a state or public institution for a data breach or would be required to follow certain procedures in order to sue a public institution for a data breach. The best approach is to address specific state immunity laws with legal counsel.

Back to top

What should happen when an event occurs that might be covered by cyber insurance?

Ideally before an incident ever occurs, the institution will engage in proactive risk management activities, starting with ensuring relevant governance is in place and that a current incident response plan exists and expanding to tabletop exercises and other simulations involving key stakeholders. A cyber incident can be a complex and dynamic situation, and ensuring that key roles are defined and communicated to responsible individuals ahead of time can make a highly stressful situation less chaotic. Who will handle notification internally (IT/risk/legal, executive leadership, board, etc.)? Who will handle external notification (cyber insurance, law enforcement, regulatory bodies, etc.)? Does the technical team know what their role is in an incident? Does the institution maintain a list of external entities that may require notification (e.g., Department of Education Federal Student Aid, Health and Human Services Office of Civil Rights, state Attorney General, research partners), and are the deadlines for such notification understood?

Many insurers have preapproved vendors that the organization can use in the aftermath of a breach for technical remediation, notification, legal, and other response components. To avoid delays and maximize organizational operability, it is highly recommended that the organization have met with or have some familiarity with the vendors prior to a breach. If an organization wants to use a vendor that is not on an insurer's preapproved list, this usually is not a problem as long as the insurer is made aware prior to engagement. Depending on the institution's maturity and complexity, establishing an incident response retainer with a vendor that is also approved by the insurance provider may be valuable in increasing vendor familiarity with the institution's environment and reducing barriers during incident response. EDUCAUSE maintains several resources to assist institutions in responding to an information security incident, including the Cybersecurity and Privacy Guide.

In the immediate aftermath of a cyber event, an institution with cyber insurance should notify its insurer and broker. Prompt notification is preferred but, in any event, should not occur beyond the requirements specified in the insurance policy. Prompt reporting is highly recommended even if the organization—for any of a number of reasons—decides not to file a claim.

Back to top

How can cyber insurance complement an institution's existing systems and processes?

Cyber insurance is a companion piece or safety net that sits alongside and complements organizational cybersecurity controls. It is not intended to substitute for technical, process, or human-related cybersecurity (e.g., ongoing training and awareness for end users about cybersecurity protocols). That said, if organizational computing systems or processes are victimized or otherwise fail to prevent a cyber attack, cyber insurance helps minimize the resulting financial impact.

Key organizational cybersecurity stakeholders (the CISO, CIO, CPO, CFO, GC, CRO) should be fully engaged in all cyber insurance–related purchase discussions, given that—similar to discussions about predictive analytics and other quantification or comparative tools provided by insurance brokers, carriers, or outside consultants—these stakeholders are best positioned to understand the scope of their organization's cyber risk and provide recommendations on how much risk transfer may accordingly be necessary.

Other implications of purchasing a cyber liability insurance policy include the following:

Improved cybersecurity through pre-breach services: Many cyber insurance policies include free or discounted services that can be used by policyholders before a breach occurs to reduce the likelihood or severity of a future cyber incident. These services can include online security assessments, access to cybersecurity expertise through consulting services or white papers, and cybersecurity awareness training programs for users. Many insurers also maintain lists of preapproved vendors or third-party partners that provide discounted services, such as incident response planning, tabletop exercises, and compliance assessments. Using pre-breach services that are included as part of a cyber insurance policy can be a cost-effective way for an institution to improve its cybersecurity posture.

Assistance to institutions in making security decisions: Some insurance brokers and carriers have in-house personnel who provide security enhancement recommendations on matters such as third-party vendor exposure, measuring organizational compliance with voluntary frameworks such as NIST and ISO, and gauging the potential financial impact of business interruption losses.

Adding cyber insurance requirement imposed on contract partners: For organizations with an extensive supply chain or reliance on third-party vendors, requiring cyber insurance is highly advisable. Higher education institutions might add cyber insurance to contracts with partners or might find that contract partners require that the institution maintain cyber insurance. Special consideration should be given to any system containing PII—a number of systems store regulated PII, and writing this into the third-party contract might be advisable.

Insurer requirements to encrypt portable media/computing devices: Insurers do not necessarily require encryption of data at rest or in transit, but demonstrating this capacity to insurers either on an insurance application or during the underwriting process might lead the insurers to consider the institution less risky, which could result in a premium discount.

The underwriting process for cyber insurance plays a crucial role in motivating institutions to adopt stronger cybersecurity standards. When applying for cyber insurance, insurers often require institutions to meet specific security controls or implement certain best practices to qualify for coverage. These requirements can include advanced authentication mechanisms, regular vulnerability assessments, incident response plans, and employee training programs. By establishing these as prerequisites for coverage, insurers effectively set a baseline for cybersecurity expectations, which encourages institutions to strengthen their cyber defenses to qualify for or maintain their policies. Over time, this results in improved cybersecurity systems, policies, and a proactive approach to cyber risk management. In turn, institutions not only enhance their security posture but might also reduce the likelihood of breaches, potentially lowering their insurance premiums in the future. This partnership between insurers and institutions fosters a continuous improvement cycle, where meeting insurance requirements leads to stronger cybersecurity and a reduced overall risk.

Back to top

Are there special concerns for institutions with academic medical centers?

Academic medical centers have increased cyber risk exposure due to the multitude of patient medical records. The use of an electronic health records (EHR) system by medical staff, researchers, and students increases the exposure. Ransomware attacks on the healthcare sector have nearly doubled since 2022. In the United States, attacks against the healthcare sector were up 128% in 2023.

Back to top

What key stakeholders should be included when discussing cyber insurance?

Risk management plays a key role in managing and procuring cyber insurance for an organization. Nevertheless, risk management cannot do this alone, especially given the degree to which insurers insist that organizations commit to training staff on cybersecurity and having various risk mitigation measures in place to address cyber risk. Information technology and an organization's CIO are key stakeholders in the process. Human resources and general counsel are also key players in the cyber insurance process. Other stakeholders likely have a role, such as student affairs, provost, facilities, and procurement.

Back to top

Are there benefits from working with an insurance broker?

In addition to coverage for incidents, working with an insurance broker that specializes in cyber insurance carries other benefits, including peer benchmarking consultation, cyber loss modeling consultation, cybersecurity control advisement, education about complimentary or discounted carrier or broker cyber risk management offerings, approved incident response vendor recommendations, and knowledge sharing about claims handling best practices. Some cyber insurance policy underwriters provide IT security training that can be offered to employees and student workers. A policy might offer a free penetration test to show where the institution is vulnerable—this can be a good baseline for an institution to see where it might need to remediate. The provider might have a cybersecurity app that provides information about cyber breaches or notifications when data from the domain of the institution appears on the dark web.

Back to top

How can cyber insurance complement an institution's approach to third-party risk management?

The move to the cloud has increased the importance of third-party risk management in the area of cybersecurity. Auditors are now level-setting with requirements that institutions use MFA and have security measures in place to protect institutional data from being compromised. Cyber insurance policies are asking for this information on applications for new policies and also renewals. Hardening third parties' cloud services with these protections provides an added level of protection for campus communities from being exposed to breaches. In some cases, laws compel cyber insurers to include specific requirements in their coverage, such as an annual penetration test of the institution's perimeter network. In these cases, institutions are required to dedicate additional resources or funding to meet those requirements, and this improves the overall security of third-party applications.

Back to top