Bloomington School District 87 in Illinois has published its cyber-insurance renewal details, and the cost has jumped from $6,661 in 2021 to $22,229 this year.
This dramatic 334% rise in premiums is attributed to the sudden spike in the number of threats, their severity, and the potential for costly disruptions.
“In light of events that have negatively impacted the Cyber Insurance market, SSCIP was unable to initially find the required coverage for the group,” mentions the memo.
“After a small delay, the Cooperative was ultimately able to secure an insurer willing to accept the risks of the pool.”
Suburban School Cooperative Insurance Program (SSCIP) is an insurance pool allowing school districts to join together to negotiate better insurance rates and lower management fees.
The most significant problem which leads to this sudden cost increase is ransomware and the lengthy disruption that encrypting attacks and the theft of data can have to compromised school networks, employees, and students.
Ransomware actors, particularly the less skilled affiliates, target smaller school districts because they are seldom well-protected against attacks and usually can’t afford a large dedicated IT and security team.
However, as schools usually have an active insurance policy, they are attractive targets to threat actors who are hoping for a quick payment from insurance companies.
Emsisoft has published a report to sum up 2021 ransomware attacks against the U.S. public sector, where they count 77 government, 1,043 schools, and 1,203 healthcare victims.
MFA now required
As the District 87 memo mentioned, the insurer has also required that the district fully implement multi-factor authentication protection on all its accounts.
The school estimates that they can conclude this change by March 30, 2022. However, until that happens, the coverage limits will remain decreased, well below the consented amount.
This reflects the importance that insurers and security experts ascribe to using MFA to protect network logins.
MFA is a method of validating the user’s identity through a combination of things beyond just passwords. For example, they can come in the form of one-time passwords, key cards, or biometrics.
Ransomware actors typically deploy their encrypting tools by using compromised user credentials to access the target systems. As such, having MFA in place is often enough to stop the attack before attacks can start.
Also, backup service logins should be protected using MFA, making it so ransomware actors cant access and delete backups. With reliable backups in hand, it significantly weakens a ransomware gang’s negotiating position and speeds up recovery.
A large-scale issue
District 87 is just one of the many American public educational institutes that will face this substantial added burden on its annual budget, and this doesn’t apply only to schools.
Hospitals, non-profit organizations, and local governments will all have to cover substantially greater cyber-insurance costs in 2022 due to an increase in cyberattacks in 2021.
The healthcare sector was also bombarded by ransomware actors in 2021, mainly for the same reasons that make school districts ideal targets for cybercriminals.
Universities are also on the ransomware actors’ crosshairs, and they too have to strike a delicate balance between budget allocation and cyber-protection since they have limited resources.
Lori Sussman, Assistant Professor of Cybersecurity at the University of Southern Maine, has told Bleeping Computer that the increase in cyber insurance premiums will continue to outstrip other insurance instruments until organizations can stem the rising attacks.
These crooks also attack targets that they perceive as “soft” which include small municipalities, schools, universities, and other organizations that may not have big budgets for IT staff let alone cybersecurity experts.
No doubt that is why cyber insurance premiums grew more than a quarter (25.5%) in 2021 (According to the Council of Insurance Agents & Brokers,) which is well above other insurance instruments.
The University of Maine system CIO has prioritized security for the state higher education system. However, there will need to be more awareness training of all stakeholders – students, faculty, staff – to defeat these predators.