Higher education institutions seeking cybersecurity insurance today are not unlike homeowners living on the water in a hurricane-prone coastal community: the riskier the environment, the harder it is to get insured.
For both community colleges and four-year institutions, cyberthreats are now very pronounced, and that reality has led to more institutions facing cyberinsurance premium hikes of as much as 400 percent—or even discovering they are uninsurable.
An estimated 82 colleges and public school districts have been the victims of cyberattacks so far this year, disrupting learning at more than 1,000 individual institutions and schools across the country, according to the cybersecurity company Emsisoft.
Ransomware is a particularly fast-growing threat: a House oversight committee document referred to it as a multibillion-dollar criminal industry and said current trends suggest “ransomware-related transactions in 2021 will be higher than the previous 10 years combined.”
At least three American community colleges have been attacked by cybercriminals using ransomware since Nov. 30, the latest in a wave of such attacks targeting at least 19 higher education institutions this year. Howard University, in Washington, D.C., was among those institutions and was forced to disconnect its network for several days after an attack in September. Yet even as attacks have buffeted colleges, experts say many remain woefully underprepared and underinsured. As a result, they are vulnerable to paralyzing and costly data breaches and system shutdowns, for which they often must pay crippling ransoms.
Kim Milford, executive director of the Research and Education Networks Information and Sharing Analysis Center (REN-ISAC), a nonprofit based at Indiana University that coordinates cybersecurity information swapping among nearly 700 degree-granting institutions, said ransomware is “exploding” at a time when many of the network’s members are alarmed by the fast-rising cost of cybersecurity insurance.
She said insurers typically ask very complex questions about an institution’s information security practices before agreeing to underwrite. Insurers also usually limit coverage for certain claims based on the answers provided. For example, she said, higher education institutions are increasingly being asked if they have two-factor authentication in place or to submit a diagram showing network segmentation.
“It is becoming really problematic,” Milford said. “I have talked to a few universities that have looked into self-insuring or self-funding because they can’t afford the rates anymore. And some institutions have been turned down. They’re being told no, because the risks are too high.”
Milford said only about half of American universities have cyberinsurance, but as ransomware attacks become more prolific and damaging, it is unclear how many colleges will be able to retain insurance in the longer term. And yet the risks are severe: compromised data, campuses ground to a halt, disconnected networks. She said several institutions have had to shut down their internet servers, some for as long as five days, to respond to breaches.
Last year, the University of California, San Francisco, paid a ransomware gang $1.14 million to unlock sensitive information it encrypted after an attack on its medical school. The University of Utah, Michigan State University and Columbia College Chicago also have recently been victims of ransomware.
An FBI alert in March warned of an increase in ransomware targeting educational institutions in 12 states. The alert mentioned “malware capable of exfiltrating data and encrypting users’ critical files and data stored on their systems,” with the stolen and encrypted data then used as leverage to extract ransom payments.
“The threats are absolutely rising right now,” Milford said. “The criminals have gotten very savvy and sophisticated in their approaches.”
Ransomware gangs are typically looking for what they regard as easy money to fund other criminal activity, Milford said, and they usually break into systems through successful phishing attempts and hard-to-detect code. As the threat posed by ransomware gangs rises, so too do the vulnerabilities caused by an IT workforce shortage, Milford said. She noted that colleges and universities are “bleeding” senior security professionals, who are going to private industry.
“We’re losing a lot of good knowledge,” she said.
Laura Foggan, chair of the insurance/reinsurance group at Crowell & Moring, an international law firm, said although rising cyberinsurance costs are partly due to the increasing frequency and severity of cyberattacks, other factors also play a role, including a spike in the cost of forensic and legal work in incident response as well as replacement costs. Inadequate incident response plans and insufficient accounting for the costs of business interruptions also are driving the surge in costs.
A survey of 499 IT decision makers in the education sector, including K-12, found that 44 percent of organizations reported they were hit by ransomware in the last year, and 58 percent of those attacked said the cybercriminals succeeded in encrypting their data, according to a July report released by the cybersecurity firm Sophos. Education and retail topped a 14-sector list of survey participants in terms of number of attacks, a reality Sophos attributes to “stretched IT teams battling to secure an outdated infrastructure with limited tools and resources.”
The Sophos report noted that risky student behaviors such as downloading pirated software or connecting to the web in public places increased institutions’ vulnerability. Many experts said these risks have grown during the pandemic as more people have connected to college servers from remote locations.
Michael Atkinson, the former chief watchdog of the nation’s 17 intelligence agencies and a partner at Crowell & Moring, said ransomware gangs are targeting colleges in part because they often are underresourced. Community colleges are at particular risk, but even wealthy corporations have struggled to prevent increasingly sophisticated ransomware attacks, he said.
“Over the last year, especially, the threat has just become much more sophisticated with organized crime,” Atkinson said. “It’s not surprising that these ransomware criminals are starting to target these softer targets, if you will, in the form of community colleges, because they won’t normally have the same types of cybersecurity resources to harden their own systems and to be able to counter the threats that are coming from these very sophisticated threat actors.”
Insurance companies are declining to underwrite cyberpolicies not only because of the expense, but also because of increasing legal and ethical questions about paying ransoms.
The Treasury Department issued an advisory last year about potential sanctions institutions can face for making ransom payments.
“Companies that facilitate ransomware payments to cyber actors on behalf of victims, including financial institutions, cyber insurance firms, and companies involved in digital forensics and incident response, not only encourage future ransomware payment demands but also may risk violating OFAC regulations,” the advisory said, referring to the agency’s Office of Foreign Assets Control.
Dan Lohrmann, chief information security officer for the public-sector advisory firm Presidio and former chief security officer for the state of Michigan, said public officials are pressuring insurers not to pay ransoms, and, as a result, more insurance policies now specifically prohibit paying them.
Lohrmann, who is co-author of Cyber Mayday and the Day After (Wiley, November 2021), said cyberinsurance policies are getting tougher by the day and are increasingly requiring institutions to meet stricter security requirements or risk having claims denied.
“It’s changing rapidly,” Lohrmann said of the cybersecurity insurance market. “And the reasons are pretty obvious: they’re losing money.”