Ransomware skyrockets, as do cyber insurance prices
Higher education institutions seeking cybersecurity insurance today are no different from homeowners living on the water in a hurricane-prone coastal community: the riskier the environment, the harder it is to stay insured.
For community colleges and four-year institutions alike, cyberthreats are now acute, and more and more institutions are facing cyber insurance premium increases of up to 400%, or discovering that they are not insurable at all.
An estimated 82 public colleges and school districts have been the victims of cyber attacks so far this year, disrupting learning at more than 1,000 institutions and schools across the country, according to cybersecurity firm Emsisoft.
Ransomware is a particularly fast-growing threat: a House Oversight Committee document called it a multibillion-dollar criminal industry and said current trends suggest that “ransomware-related transactions in 2021 will be higher than the previous 10 years combined.”
At least three U.S. community colleges have been attacked by cybercriminals using ransomware since November 30, the latest in a wave of such attacks targeting at least 19 higher education institutions this year. Howard University in Washington, DC, was one such institution and was forced to disconnect its network for several days after an attack in September. Yet even though the attacks have rocked colleges, experts say many remain woefully under-prepared and under-insured. As a result, they are vulnerable to costly data breaches and system shutdowns, and often end up paying crippling ransoms.
Kim Milford, executive director of the Research and Education Networks Information Sharing and Analysis Center (REN-ISAC), a nonprofit organization based at Indiana University that coordinates the exchange of cybersecurity information among nearly 700 degree-granting institutions, said ransomware is “exploding” at the same time that many member institutions are alarmed by the rapidly rising cost of cybersecurity insurance.
She said insurers typically ask very detailed questions about an institution’s information security practices before agreeing to underwrite a policy, and generally limit coverage for certain claims based on the answers provided. For example, she said, higher education institutions are increasingly asked whether they have implemented two-factor authentication, or are asked to submit a diagram showing how their network is segmented.
“It’s getting really problematic,” Milford said. “I’ve spoken to a few universities that have considered self-insuring or self-financing because they can no longer afford the rates. And some institutions have been refused. We tell them no, because the risks are too high.”
Milford said only about half of U.S. universities have cyber insurance, and as ransomware attacks become more prolific and damaging, it is unclear how many will be able to keep their coverage over the long term. Yet the risks are serious: compromised data, campus shutdowns, disconnected networks. She said several institutions had to take their internet-facing servers offline, some for five days, to respond to breaches.
Last year, the University of California, San Francisco paid a ransomware gang $1.14 million to unlock sensitive information the gang had encrypted after an attack on its medical school. The University of Utah, Michigan State University, and Columbia College in Chicago were also recently victims of ransomware.
An FBI alert in March warned of an increase in ransomware targeting educational institutions in 12 states. The alert described “malware capable of exfiltrating data and encrypting users’ critical files and data stored on their systems,” with the stolen data then used as leverage to extract ransom payments.
“The threats are absolutely increasing right now,” Milford said. “Criminals have become very savvy and sophisticated in their approaches.”
Ransomware gangs typically hunt for what they see as easy money to fund other criminal activity, Milford said, and they usually break into systems through successful phishing attempts and hard-to-detect malicious code. As the threat posed by ransomware gangs grows, so do the vulnerabilities caused by an IT workforce shortage, Milford said. She noted that colleges and universities are “bleeding” seasoned security professionals, who are leaving for the private sector.
“We are losing a lot of good knowledge,” she said.
Laura Foggan, head of the insurance/reinsurance group at Crowell & Moring, an international law firm, said that while the rising cost of cyber insurance is partly due to the increasing frequency and severity of cyber attacks, other factors also play a role, including the increased cost of forensic and legal work in response to incidents as well as replacement costs. Inadequate incident response plans and insufficient accounting for business interruption costs are also driving the escalation.
A survey of 499 education IT decision makers, spanning kindergarten through grade 12 and higher education, found that 44% of organizations said they had been hit by ransomware in the past year, and 58% of those hit said the cybercriminals had succeeded in encrypting their data, according to a July report from cybersecurity firm Sophos. Education and retail topped the list of 14 sectors surveyed in terms of number of attacks, a reality Sophos attributes to “large IT teams struggling to secure outdated infrastructure with limited tools and resources.”
The Sophos report noted that risky student behaviors, such as downloading pirated software or connecting to the Internet in public places, increase the vulnerability of institutions. Many experts said these risks increased during the pandemic as more people connected to college servers from remote locations.
Michael Atkinson, the former chief watchdog for the country’s 17 intelligence agencies and a partner at Crowell & Moring, said ransomware gangs target colleges in part because they are often under-resourced. Community colleges are particularly at risk, but even well-funded businesses are struggling to prevent increasingly sophisticated ransomware attacks, he said.
“Over the past year, in particular, the threat has become much more sophisticated with organized crime,” Atkinson said. “It’s no surprise that these ransomware criminals are starting to target these softer targets, if you will, in the form of community colleges, as they normally won’t have the same kinds of cybersecurity resources to harden their own systems and be able to counter threats from these very sophisticated players.”
Insurance companies are not only refusing to underwrite cyber policies because of the expense, but also because of the growing legal and ethical issues surrounding the payment of ransoms.
The Treasury Department issued an advisory last year on potential penalties institutions could face for paying ransoms.
“Companies that facilitate ransomware payments to cyber actors on behalf of victims, including financial institutions, cyber insurance companies, and businesses involved in digital forensics and incident response, not only encourage future ransomware payment demands, but may also risk violating OFAC regulations,” the advisory said, referring to the department’s Office of Foreign Assets Control.
Dan Lohrmann, chief information security officer for public sector consulting firm Presidio and a former Michigan state security official, said public officials have been pressuring insurers not to pay ransoms, and as a result more and more insurance policies now specifically prohibit paying them.
Lohrmann, co-author of Cyber Mayday and the Day After (Wiley, November 2021), said cyber insurance policies are becoming increasingly stringent, requiring institutions to meet stricter security requirements or risk having their claims denied.
“It is changing rapidly,” Lohrmann said of the cybersecurity insurance market. “And the reasons are pretty obvious: they’re losing money.”