How can Higher Education Institutions make cyber insurance work for them?

Published: 7th June 2022 | In: Insights

This blog is not intended to be a cyber insurance buying guide, but instead highlights some of the points that should be considered when thinking about buying cyber insurance. It also touches upon other actions you can take to improve your security. It does not take into account the possibility that cyber insurance is already covered in any existing policies. The first step is to check if your organisation already has cyber insurance.


In the last few years we’ve witnessed a growing number of cyber-attacks on all parts of the economy. Government departments and security companies agree that this has only become worse since the start of the year and the Russian invasion of Ukraine.

Such is the seriousness of the situation that in his talk at CYBERUK 2022 in Wales in May, the Minister for the Cabinet Office Steve Barclay said it is “now deemed severe enough to pose a national security threat”. He is encouraging all organisations in the country to report cyber-attacks and to help in the fight against “the greatest cyber threat to the UK”.

Ransomware attacks are on the rise and they are arguably more indiscriminate than ever before, with cybercriminals looking to make quick and easy money from organisations of any kind. So the time has long gone for educational institutions to be complacent about cyber security. Now’s the time not just to improve security, but to consider investing in cyber insurance too. That’s not to say it’s an easy process. There are pros and cons to cyber insurance and, if an organisation chooses to invest in it, there’s a lot of work to do to prepare for it.

What you should know about cyber insurance

As the number of cyber incidents has increased, so has the cost of cyber insurance. We’re now seeing double-digit price rises per year. But it’s not a matter of simply finding the best deal on the market. Cyber insurers are increasingly asking their customers to share the expense and the risk. Nobody now has the luxury of signing up for insurance and then sitting back without a worry in the world.

Today, insurers want to know that you have strong cyber controls in place, that you are protecting your assets and data as best you can and that you have an incident response plan in case you’re breached. They may want to see the evidence; they may even perform vulnerability scans or demand you improve your plans.

Cyber insurance isn’t about covering lost smartphones or broken laptops. It covers the eventuality of a data breach or a ransomware attack and can be very helpful when dealing with any legal or regulatory aspects afterwards. So, you need to meet your end of the bargain. The better prepared you are against such attacks and the more secure you are, the better the insurance deal you’ll get and the more cover you’ll have in the worst-case scenario.

Driving better cyber security posture

Insurers aren’t trying to make life difficult for colleges and universities. On the contrary, they are helping to drive better cyber security posture and better risk management throughout the economy. So the best approach is to treat an insurer as a cyber ally and valuable member of your ‘cyber security squad’. And they should understand that the higher education sector has very different capabilities and needs from the private sector, and therefore offer relevant advice and support for you. By working with them and meeting their requirements you’ll be much better protected – and in the long run you’ll help protect everyone else as well.

Yes, you’ll still have to pay for the insurance whether you’re breached or not, but you’ll have the peace of mind of being covered for any legal battles that might otherwise rage in the extreme case of data loss and reputational damage. And, of course, the more secure every institution is, the fewer claims are made and the less money insurers will need to pay out, helping to keep premiums lower later.

However, as with all insurance policies, it’s important to understand exactly what it gives you. This is where your IT team and – if you have one – your cyber security team can add value.

Having covered the positive aspects of cyber insurance, it’s important to know that getting it is no longer guaranteed. Because their risk has risen too, some insurers are now limiting coverage or even denying coverage to organisations, or shying away from certain sectors. They will only sell policies to lower-risk customers who can prove they have a decent security posture.

Furthermore, even good cyber insurance isn’t a silver bullet. It helps cover the cost of an attack but the hard fact remains that the attack has already happened. According to the UK government’s Cyber Security Breaches Survey 2022 Education Annex, two-thirds of further education colleges and higher education institutions are insured against cyber risks. But they shouldn’t be complacent because cyber security insurance does not protect them from ransomware attacks.

Why it’s imperative to test your cyber security systems

So it’s always prudent to follow the basic principles of good cyber hygiene, as advised by the UK’s National Cyber Security Centre (NCSC). Start by applying zero trust. Focus on prevention, containment and recovery – stop the attack from happening in the first place, limit the damage as soon as possible in the event of a breach and aim to recover your systems to return to normal as safely as possible.

If every organisation does the fundamentals well then they are helping in the fight against “the greatest cyber threat to the UK”.

Like any organisation in any industry, education bodies shouldn’t worry that they need to attempt all this alone. Help is available from qualified, experienced professionals who specialise in different areas of cyber security and stay up to date with the latest threats from anywhere in the world.

Regular testing of your systems is a key part of prevention. This includes penetration testing to check for security weaknesses, and phishing simulations to test and train your employees, researchers and students. Having an Incident Response Readiness Assessment in place will help with containment and also speed up your time to recover.

A great place to get started is with the NCSC’s Cyber Essentials and Cyber Essentials Plus, which give excellent advice. Quorum Cyber offers assistance with both Cyber Essentials and Cyber Essentials Plus to help you certify your organisation against the NCSC’s standards and significantly reduce your cyber security risk exposure in an efficient, cost-effective way.

Staff and student welfare

It’s easy to forget the human element in the heat of a cyber-attack, but how would your students and staff feel if they lost research work or personal data? Losing this kind of digital information can be extremely upsetting, especially at critical times in the academic year. Cybercriminals who hold organisations to ransom know this and sometimes target their victims accordingly. And as good as cyber insurance can be, it can’t guarantee that a year’s worth of stolen work will be returned before it’s sold on the dark web.

The NCSC also provides excellent guidance on how to take care of the welfare of employees who have been on the incident response frontline.

What else can you do to prepare for the worst?

As with any incident, the speed at which responders arrive on the scene to minimise impact is crucial. The zero-trust principle of ‘assume breach’ that Microsoft, the NCSC and other national cyber agencies preach means that an incident could occur at any time. So you need to plan to act rather than wait for the breach to develop into something far worse.

This is the purpose of an Incident Response Retainer (IRR). You’ll have rapid access to a team that knows all about your IT ecosystem and has the necessary skills to quickly stop the incident from spreading and amplifying. They will work to an agreed service level agreement (SLA) so they can hit the ground running.

In effect the IRR is a hotline to your very own cyber emergency service, a safety net that removes the stress, worry and indecision that invariably affect higher education IT teams when they suddenly experience a cyber-attack.

Cyber Security Incident Response for Higher Education

If you would like to discuss this subject further, please contact us to talk to a cyber security expert today.

In the event your school, college, or university suffers a cyber-attack or breach, contact the Quorum Cyber Incident Response Team for immediate assistance on +44 333 444 0041. Our dedicated team operates 24×7 to keep your organisation moving.
