“Additional federal coordination is needed to enhance K-12 cybersecurity,” says the report from the United States Government Accountability Office (GAO).
But it looks as if many school districts are not doing their part: they fail to report all cyber attacks and have not instituted MFA and training.
Note the reference to one school district being attacked by its own students using purchased DDoS programs.
From the Report — “Difficulty acquiring and maintaining cyber insurance: Officials from four of 18 entities stated that it is becoming more challenging for school districts to acquire cybersecurity insurance. According to officials from one school district and two state-level organizations, the difficulty is due to insurance companies’ requiring school districts to implement specific cybersecurity practices and cybersecurity controls to be eligible for coverage. For example, officials stated that cybersecurity insurance companies are now requiring multi-factor authentication and user awareness training. These officials also said that some small school districts are not capable or equipped to enable such requirements.
In addition, officials from one school district and four IT organizations that provide support to K-12 school districts stated that their schools’ coverage had decreased or ceased due to the insurance companies’ perception that the sector’s risk is too great. Also, officials from a California organization stated that their cybersecurity insurance premium increased 400 percent in 1 year even though they maintained a clean record with no reported incidents.
Officials further said that most large school districts can afford cyber insurance to respond to a cyber incident, whereas smaller school districts cannot afford the insurance. We reported in June 2022 that federal agencies, including the Department of the Treasury’s Federal Insurance Office and CISA, had taken steps to understand the financial implications of growing cybersecurity risks.
However, they had not assessed the extent to which risks to critical infrastructure from catastrophic cyber incidents and potential financial exposures warranted a federal insurance response. We recommended that the two agencies jointly assess the extent to which risks to critical infrastructure from catastrophic cyber incidents and potential financial exposures warrant a federal insurance response, and inform Congress of the results of their assessment. Both agencies agreed with the recommendations.”