9 Essential Requirements for Obtaining School Cyber Insurance

Cyber Insurance for School Districts

At K12itc, we assist school districts with cyber insurance renewals and guide those applying for cybersecurity insurance for the first time. Schools are facing increasing challenges in obtaining cybersecurity insurance, as carriers raise expectations for adequate cyber insurance coverage and premiums continue to rise.

In this article, we will cover key requirements for obtaining or renewing cyber insurance. These steps will help schools enhance cybersecurity protection, meet insurance requirements, and reduce costs.

1. Multi-Factor Authentication (MFA)

Do you implement MFA?

This is typically one of the first questions on a cyber insurance questionnaire. It applies to any externally accessible system or app that could reach your internal network or sensitive data, not just Google or Office 365. Examples include VPNs, Student Information Systems (SIS), accounting systems, and parent and student portals.

MFA adds an extra security layer by requiring a third form of identification, like a phone or token. It tracks devices and locations, triggering verification if an attempt comes from an unknown device or location. Even if an attacker has your username and password, they would still need access to your physical device, making it harder to break in.

2. Advanced Email Filtering Protection

Threat groups continue to run phishing campaigns to steal credentials, with a 29% increase in attacks in 2021. Phishing-as-a-service and attacks through text messages and other channels make it easier for attackers to steal credentials. In total, there were over 35.7 billion phishing attempts and more than 25.6 billion brute-force attempts using stolen passwords.

As Microsoft recently stated, “Attackers don’t break in, they log in.” Advanced email filtering protects users and schools and helps meet cyber insurance requirements.

3. Endpoint Threat Protection (AV/EDR)

Insurance carriers may accept standard antivirus (AV), but upgrading to Endpoint Detection and Response (EDR) can save time and money when handling cyber threats. Modern EDR platforms do more than just rely on signature-based detection.

EDR systems offer more ways to detect threats across your network. When a cyber threat is detected, they fix endpoints, reverse malicious changes, and restore data to its pre-threat state. Some systems can even perform full restore operations for affected data and endpoints. This almost makes written incident response policies a thing of the past.

4. Security Information and Event Monitoring / Intrusion Detection and Response (SIEM/IDR)

Logging on all endpoints, network devices, and user accounts is crucial for monitoring threats. A central logging solution with an IDR platform provides valuable insights for quick action and is essential for investigations.

Insurance companies want to see that you monitor system activities and user actions. Unusual behavior can signal a potential threat, allowing you to respond faster and prevent damage.

5. Proper Network Segmentation and Security

Network segmentation is crucial. Guest networks and web servers should be separate from critical systems like database servers and security equipment.

Segment wireless networks and ensure guest networks don’t connect to corporate networks. Use Next-Gen firewalls to block scans and only expose necessary services. For web applications, employ web application firewalls and proxies.

Avoid using WPA-PSK authentication because attackers can easily compromise it. Instead, use EAP-TLS certificate-based authentication and deploy certificates to employee devices. A Network Access Control (NAC) system can help manage access and block unauthorized devices.

Akamai’s recent study states that cybercriminals publish at least 13 million malicious domains every month. HTTP and DNS filtering are crucial for protecting end users and systems from malicious domains. This is also something that insurance carriers look for.

6. Account Management and Password Security

It’s essential to prevent users from having local administrative rights and ensure administrators use separate accounts for administrative tasks. Restrict domain admin accounts heavily and use Just-In-Time (JIT) access technologies to limit access. Passwords should be complex and at least 16 characters long, with longer passwords for admin accounts.

Modern password-cracking tools can break 8-12 character passwords quickly, so password length is crucial. It’s also important to mix character types. Using a passphrase, like “IW3nt2McD0n@ldsL@stw33kend!”, is more secure than a shorter password like “KCch!efs2022”.

Insurance applications often ask about user rights and password security to confirm that schools are following best practices.

7. Vulnerability, Patch Management and Application Inventory

These items are all connected. A vulnerability scanning and management program helps identify and fix critical issues in your school.

This leads to patch management, which isn’t just for operating systems but also for third-party applications. Many overlook these, but they are just as important. Even if your OS is fully patched, an unpatched third-party service can still lead to a breach.

Insurance companies often ask if you have an application inventory. Good vulnerability management platforms can provide a full list of the applications in use within your school.

8. Backups and Restores

Insurance companies want to know how often you back up data, where you store it, and if you’ve recently restored it or critical systems.

Backups are useless if you can’t restore from them. Not having backups is the top reason schools end up paying ransomware demands and risk exposing or losing data. Effective backups are key to recovering compromised data and avoiding costly losses.

You should be able to restore data from the last 8 hours or one business day, and complete the restore within 24 hours. Backed-up data should be encrypted during transmission, stored in multiple locations, and encrypted at rest to meet most cyber insurance requirements.
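The targets in this section can be checked mechanically against a backup inventory before the questionnaire arrives. The Python below is an added example, not K12itc's tooling: the record fields, the 90-day window for a "recent" restore test, and the sample systems are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

MAX_BACKUP_AGE = timedelta(hours=8)     # article: restore data from the last 8 hours
MAX_RESTORE_TIME = timedelta(hours=24)  # article: complete the restore within 24 hours
MIN_LOCATIONS = 2                       # article: stored in multiple locations
MAX_TEST_AGE = timedelta(days=90)       # assumption: what counts as "recently restored"

@dataclass
class BackupRecord:  # hypothetical inventory schema, not tied to any backup product
    system: str
    last_success: datetime
    locations: List[str]
    encrypted_in_transit: bool
    encrypted_at_rest: bool
    last_restore_test: Optional[datetime]   # None means never tested
    restore_duration: Optional[timedelta]   # measured during the last restore test

def audit(rec: BackupRecord, now: datetime) -> List[str]:
    """Return the gaps for one system; an empty list means it meets every target."""
    gaps = []
    if now - rec.last_success > MAX_BACKUP_AGE:
        gaps.append("restore point older than 8 hours")
    if len(set(rec.locations)) < MIN_LOCATIONS:   # duplicates count as one location
        gaps.append("stored in fewer than 2 locations")
    if not rec.encrypted_in_transit:
        gaps.append("not encrypted in transit")
    if not rec.encrypted_at_rest:
        gaps.append("not encrypted at rest")
    if rec.last_restore_test is None or rec.restore_duration is None:
        gaps.append("no restore test on record")
    else:
        if now - rec.last_restore_test > MAX_TEST_AGE:
            gaps.append("restore test is stale")
        if rec.restore_duration > MAX_RESTORE_TIME:
            gaps.append("restore took longer than 24 hours")
    return gaps

NOW = datetime(2024, 3, 4, 16, 0)  # constructed reference time
H, D = timedelta(hours=1), timedelta(days=1)
SAMPLE = [  # constructed inventory
    BackupRecord("sis-db", NOW - 3 * H, ["onsite-nas", "cloud"], True, True, NOW - 20 * D, 6 * H),
    BackupRecord("finance", NOW - 30 * H, ["onsite-nas"], True, False, None, None),
    BackupRecord("file-server", NOW - 5 * H, ["onsite-nas", "onsite-nas"], True, True, NOW - 200 * D, 31 * H),
]

def report(records, now):
    return {r.system: audit(r, now) for r in records}

if __name__ == "__main__":
    print(report(SAMPLE, NOW))
```

A system with an empty gap list is one you can answer "yes" for on the backup section; anything else is a finding to fix before renewal.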

9. Cybersecurity Training

Schools often overlook cybersecurity training, but it’s crucial for protection. Lack of knowledge is the biggest threat, and attackers target this weakness—phishing remains the top way they breach systems.

Schools should provide cybersecurity training throughout the year. Administrative staff should receive more advanced training and certification, and budgets should account for this. Cyber insurance companies ask about user training because they recognize its importance in preventing cyberattacks.

K12itc Can Help With Your Cyber Insurance Questions

Applying for or renewing cybersecurity insurance for school districts can feel overwhelming, especially if it’s outside your area of expertise. We hope this post has provided a helpful guideline on the minimum steps you should take now.

Once these investments are in place, the process becomes easier and gives the insurance carrier more confidence in your school’s security, leading to lower premiums. K12itc is experienced with the topics covered in this article. If you’d like to learn more about the solutions highlighted above or K12itc, contact sales@k12itc.com, and we’ll be happy to assist you.