According to a 2018 study by IBM and the Ponemon Institute, the average cost per compromised record of a data breach is increasing. Across the business spectrum, the cost per record is $148, but it can be as much as $166–$245 per record in higher ed. On average, it takes most organizations 196 days to detect a breach. This means that hackers have 196 days to use stolen information for nefarious means without hindrance.
As a result, more organizations are turning to cyber insurance to help manage risk. Cyber insurance is typically used to help cover the cost of a data breach in terms of forensic investigations, the cost of notifying students and/or employees of the breach, and the subsequent liability costs that may come out of having sensitive information compromised. Insurance may also be purchased to apply to the costs of recovering compromised data or the repair of damaged computer systems.
Three main types of cyber insurance are credit monitoring, ID recovery protection, and coverage for damage caused by a computer virus or other malignant software that prevents an organization from accessing critical data.
If your college is weighing the costs and benefits of cyber insurance, the four questions below could help.
1. Is our data an easy target?
For most colleges, the answer is yes. The nature of higher ed is that it operates more openly than private industry does. A positive outcome of that is collaboration and the free flow of information that helps foster innovation. The downside is that hackers generally find more opportunity to infiltrate college information systems.
Any system that allows users to “bring their own device” is subject to vulnerabilities. With students relying on laptops, tablets and mobile phones, IT has to be prepared for all the software, viruses and Wi-Fi points of entry that go with having a diverse body of students.
On top of that, each student’s personal contact information, health records and credit card numbers are a hot commodity on the black market. The reason for this is that a hacker can easily combine a student’s data with other data sourced from the government, private companies or health care systems. Once the hacker has crossed that step, they begin to steal identities or create fraudulent identities with the aim of gaining access to credit, health care or government benefits.
2. What would be the cost of a data security breach?
There are a number of figures in circulation that claim to be the average cost per record lost in higher ed. In our research, we’ve seen a range of $166–$245 per record. Colleges would be wise to multiply that number by their enrollment for the year to get a general idea of whether or not they could survive the financial impact of a data security breach.
According to a 2018 study by IBM Security Services and the Ponemon Institute, the average total cost of a data breach is $3.86 million.
The study goes on to relay that some of the variables influencing cost are:
- Loss of customers
- The scale and scope of the breach
- The time it takes to discover, then contain, a data breach
- Forensic or investigative activities
- Communications, public relations and crisis management
If your college would struggle to cover such costs, cyber insurance may be a good investment.
3. Are there enough cyber security workers to go around?
The Bureau of Labor Statistics reported in July 2018 that the unemployment rate for professional, scientific and technical services was 1.8 percent. Within the cyber security industry, however, it’s not uncommon to see zero percent unemployment used when referring specifically to cyber security workers.
Regardless of the exact unemployment rate, the field is growing and it would be wise to factor in the challenge of being able to identify and hire the types of workers you would need should your college require emergency cyber security assistance. Since cyber insurance providers can keep their IT workers busy year-round, having cyber insurance could give your college immediate access to needed services that it may struggle to find elsewhere.
4. What are some ways to reduce cyber insurance premiums?
As with most types of insurance, if there is evidence of being proactive to prevent accidents or mitigate damage, the cost of insurance usually goes down.
Colleges that secure attestations in cybersecurity have demonstrated that they are informed and proactive. Such certifications might include those provided by the following organizations: Service Organization Controls (SOC), General Data Protection Regulation (GDPR), or International Organization for Standardization (ISO).
Additionally, colleges should have candid conversations with their IT teams to find out if there is clarity and a united front working toward cyber security.
“It’s not uncommon for an IT team to know that they have security policies, yet remain doubtful that they are in compliance. They may not fully understand how to achieve compliance with their own policies given the complex, resource-stretched environment in which they work,” said Mark Relf, information security manager with Collegis Education.
Through the pursuit of third-party attestations, colleges can help their IT teams prioritize concerns. Another benefit is that going through the process of pursuing industry attestations creates a common language for all IT team members.
Ongoing training of students and faculty regarding cyber security risks and protections can also go a long way toward preventing a breach and demonstrating to an insurer that a college is being proactive.
Does your college have a cyber-risk management plan?
Because cyber insurance is a relatively new type of risk management tool, many organizations are wondering whether it is necessary or worth the cost. Premiums can vary and so can the amounts and types of coverage. But, with data breaches on the rise, and with costs quickly adding up to millions in damages, it may be time to review your organization’s risk management plan – and to consider all of your options.