EDUCAUSE ’25: Cyber Insurance Evolves From Acquisition to Application

Leaders from the University of Kentucky and Lipscomb University said cyber insurance is not a one-size-fits-all process, and communication with insurers is key to making coverage work with institutional needs.

NASHVILLE — The conversation around cyber insurance in higher education has moved from the importance of finding coverage to using it effectively, according to a panel of IT security leaders at the 2025 EDUCAUSE annual conference.

In an Oct. 30 session titled "Making Cyber Insurance Happen: A Truly Collaborative Experience," expert panelists advised that colleges and universities should try to forge more collaborative relationships with their insurance brokers and understand how insurance functions within each institution’s existing risk posture.

“You don’t go in and talk on an annual basis with State Farm or Allstate about your car insurance, and [they] say, ‘What are you going to do to improve your driving this year?’” said Stephen Burr, chief information security officer at the University of Kentucky. “We do that with our [cyber] insurance provider.”

ASSESSING RISK


Assessing institutional risk has become more complex as coverage options have evolved, according to Todd Adkins, executive director for risk management and campus accessibility at the University of Kentucky. He said cyber insurance policies now typically include first-party, third-party and breach-response services, but what those mean in practice depends on the organization’s structure.

First-party coverage deals with the institution’s own losses from a cyber event while third-party coverage focuses on claims from those affected, like students or vendors, according to a 2024 explainer on the website for the cybersecurity company CrowdStrike. Breach response services can include notification, legal and credit monitoring costs.

Kathy Hargis, associate vice president of risk management at Lipscomb University, said at a smaller, private university like Lipscomb, the goal is to transfer risk to a third party as much as possible. Adkins said the University of Kentucky takes a hybrid approach of self-insurance up to $2.5 million and additional coverage where needed.

For example, additional coverage comes into play with academic medical centers like Kentucky’s. Policies must account not only for data loss but for potential disruptions to patient care and research, Adkins said.

Hargis said understanding and documenting these differences in institutional risks makes negotiations smoother.

USING SERVICE PROVIDERS


While cyber insurance is a way to shift responsibility in the event of a breach, Hargis said, there are other ways to benefit from the relationship with insurers. Burr said insurers provide questionnaires that are growing increasingly long and complex, asking schools to demonstrate a level of strength in cybersecurity that determines eligibility for coverage.

Lipscomb CIO Brett Hinson said demonstrating that level of sophistication can be especially difficult for colleges with budget deficits or limited resources, but those institutions can use the questionnaires to understand best practices, even when they don’t meet them.

“We got very prescriptive with things we couldn’t say yes to about what our plan was, when we were going to do it, how we were going to do it, what tools we would use,” he said. “That has evolved over the last five years to the point where […] we're able to check ‘yes’ to almost everything we need to.”

The prescriptive approach is important, as it is impossible for schools to be perfectly prepared for evolving threats, Burr said. For example, multifactor authentication (MFA) is changing, evolving beyond sending a code, as attackers get better at social engineering.

At the University of Kentucky, Burr said, an attacker spoke to a help line, added a new MFA device, logged in to the employee portal and changed a direct deposit destination, all in 12 minutes.

“I don't think our own employees can move that fast, even with training,” he said.

Some insurers now offer mitigation strategies alongside coverage, such as advising on privileged access management for MFA controls, Burr said.

BEST PRACTICES


Documentation and simulation emerged as the mainstays of effective cyber insurance use.

Tabletop exercises can also help risk management teams identify weak points and practice for cyber incidents, Burr said.

While some legal teams remain cautious about documenting vulnerabilities, Hargis said as long as there is ownership and planning alongside the risk identification, transparency pays off.

“I’d rather be standing up in court and saying, ‘We identified it, and this is what we were doing about it. Did we have it all taken care of? Maybe not, but we had definitely made progress from when we first identified the risk,’” she said. “I'd rather be there than not have even talked about it to start with.”

Hinson said documentation can also help demonstrate need and secure funding for cybersecurity projects, and part of that process includes notifying insurers early and often.

While some institutions may feel nervous that notifying insurers of minor incidents will lead to rate increases, Adkins said the opposite is true.

“If you went through a whole year and said you never had an incident, they're going to know you’re lying,” he said.

Abby Sourwine is a staff writer for the Center for Digital Education. She has a bachelor's degree in journalism from the University of Oregon and worked in local news before joining the e.Republic team. She is currently located in San Diego, California.