Any business officer who was asked the age-old question, “What keeps you up at night, in regards to your job?,” would likely include cybersecurity in their response. And for good reason. As recently as last month, the FBI issued an alert that criminal hackers were targeting K-12 schools, and escalated attacks were likely on the horizon. Risks include theft of student health information and donor financial data as well as malware and ransomware attacks. Accountability for risk management ultimately resides with your school’s board of trustees, but business officers provide daily management and oversight of this area, which traditionally includes insurance, the liaison role with general counsel and facilities management.
Because cyber insurance is relatively new, the landscape is evolving rapidly and requires careful navigation. In short, cybersecurity changes the calculus of risk management. It widens the responsibility and requires additional collaboration with your technology director to ensure a comprehensive approach to protecting your school. As in other areas of risk, the school’s board of trustees must be kept informed, in this case of the IT and security upgrades required to implement the necessary controls — and the board must approve the associated financial investments.
Another expense lever to consider is cyber insurance, premiums for which have increased in recent years, sometimes even doubling, which is markedly different from insurance coverage in other risk areas. To keep pace with cyber threats’ rate of change, the insurance industry has been changing rapidly as well. And because insurance providers know that K12 schools are a prime target for this type of threat, cybersecurity insurance premiums will likely continue to increase, and may become challenging for a school to maintain.
For these reasons, NBOA has recently issued “Guidance on Cyber Insurance for Independent Schools on Cyber Insurance for Independent Schools” in partnership with the Association of Technology Leaders in Independent Schools (ATLIS). This resource has intentionally been developed for you and your technology director to review and implement in partnership. It’s paramount that cyber insurance and cybersecurity management be conducted at the highest administrative level of your school and in close communication with the head of school and Board.
And although our friends at ATLIS issued a version of this guidance previously, the updated guidance includes new actionable information crafted to enhance the business officer and technology director partnership. Special thanks to my friend and colleague, Christina Lewellen, the executive director of ATLIS, for inviting NBOA into the process. This opportunity allowed us to engage your peers and colleagues who serve on NBOA’s Business Officers Council, in addition to trusted business partners, to help ensure the refreshed guidance includes the business partner perspective. Our sincere thanks goes also to Fred C. Church and Bolton and Company, in addition to Ankura and Partlow Insurance for their expertise and insight.
The easy-to-use reference includes considerations for business officers and technology directors, best practices on key controls and third-party vendor contracts, concrete action steps, answers to frequently asked questions, and a technology preparedness checklist.
These days, only the rarest of challenges can be addressed effectively by a single person. Even the most accomplished individual needs partners and a good team to achieve a school’s goals. Cyber risk is certainly no exception. But by working on cyber insurance together with your technology director, you may find that you have fewer sleepless nights. As always, NBOA and ATLIS are here to help you do just that!
Follow NBOA President and CEO Jeff Shields @shieldsNBOA.