The proliferation of cyber-attacks on SMEs and large companies has brought the need to protect against this type of risk, which can wipe out an entity’s productive and economic activity overnight, to the forefront of daily debate. It also entails serious damage to third parties, as sensitive customer and supplier information may be compromised, and in the case of an educational center, information on children and their families.
It is therefore necessary to adopt a responsible position and strict compliance with IT security recommendations from experts and especially from our IT departments. But what happens when the damage is done? How should we act when we are already victims of a computer security incident? What are the steps to be taken when we have lost control of our equipment, networks and servers and the personal data that we safeguard as a result of our activity has been compromised?
In cybersecurity, as in sports, the best defense is a good offense. It is essential for any entity, however, to have high and constantly updated cybersecurity standards. Situations such as a recurrent change of passwords, double authentication factors and verification of senders when sending computer files are here to stay and we will have to dedicate more and more time, resources and efforts to their care. Even so, it is necessary to have an emergency solution, a “hotline” to call when the damage is done, because it is no longer a question of whether or not we will be victims of an attack, but what steps to take when it happens. Can cyber attack claims be insured and covered? The answer is yes and our recommendation is that institutions or schools should be protected against this new threat.
Are schools a target audience for hackers and cybercriminals?
Evidently, they areThe insurance market has begun to address the issue of the use of these products, especially because they hold banking information of users (parents and suppliers) as well as the personal data of minors. The insurance market has begun to deal with a personalized way the educational activity with a medium-high level of risk in terms of cyber-risks, taking special care to evaluate the school’s IT security systems when proposing an insurance policy.
Experts in the field believe that it is necessary for a school to have this coverage. In recent months, we have been witnessing a significant increase in the increase in cyber incident situations in many of our customers. The method, time and, above all, the cost of resolution and its consequences differ greatly depending on whether or not the client has had a cyber-risk insurance policy to manage the situation. It is time, therefore, for schools to seriously consider contracting this coverage, which will offer, among others, the solutions described below.
The coverage of a cyber-risk insurance policy is adapted to the needs of each school.
A school, as in any other business, will experience great confusion and concern when it discovers it has been the victim of a cyber incident. Whether it’s data theft, hijacking of servers, systems, etc., you need to act immediately. In this case, the school’s IT managers will almost certainly be unable to provide a solution, as the sophistication of cyber-attacks is increasing and far exceeds the knowledge and capabilities of a small technical team working with home systems and networks.
With cyber-risk insurance, the school will be able to rely on a solution available 24/7, carried out by a multidisciplinary team of forensic computer scientists, legal advisors or communication offices. In addition, the insurance companyIn the appropriate moment, it will provide the school with the first and essential steps to be taken in such a situation, how to trace the security breach and address it immediately, review the scope of the incident as well as the destination of the possible illegitimately stolen information, inform the possible victims (parents, suppliers, etc.) that their data may have been compromised and offer them the pertinent recommendations. In addition, it will prepare the necessary report for the mandatory communication to the Spanish Data Protection Agency, (AEPD) in the event of an incident involving personal data of third parties.
If we stop to think about it, it is practically impossible for the school to deal with all these situations, which are certainly more numerous than those indicated, immediately and with trained professionals who resolve the different situations in their different areas instead of aggravating them. In the absence of insurance, outsourcing all these steps will be expensive and very difficult if immediacy is required. The insurance facilitates the possibility of having this panel with just one call and without the center having to pay any amount in the event of a cyber incident.
On the other hand, cyber-risk policies also have another series of coverages that are also necessary and useful, and which would represent a high amount that the school would have to pay if it did not have this insurance, such as the economic losses that the school may incur as a result of the incident due to the total or partial paralysis of the activity, the need to replace equipment (hardware) that may have been damaged as a result of the incident, as well as fines and penalties. All of this would be covered in different ways by the cyber-risk insurance. In addition, this insurance has coverage for Computer Liabilitywhich covers property claims that may arise from the incident, situations which, due to their specificity, would not be fully covered by the school’s General Liability Insurance.
It is important (and urgent) that schools consider taking out cyber-risk insurance, as the alternative is infinitely more expensive in the event of a cyber incident, to which they are unfortunately increasingly exposed. At Alkora we are at the service of CICAE schools to inform and advise them without obligation of all the options to be more protected.
Rafael Gisbert
Executive
