The San Diego County Civil Grand Jury exists to “represent the citizens of San Diego County by investigating, evaluating, and reporting on the actions of local government and special districts.” Its new report gauges efforts by the San Diego County Office of Education (SDCOE) and local school districts to handle cyber security and how they can improve. One key recommendation: Evaluate and obtain cyber insurance for schools.
This concern seems more than warranted; Verizon’s 2024 Data Breach Investigations Report reveals that the educational services sector faced 1,780 incidents in 2023, with 1,537 resulting in confirmed data breaches. This marks a 258% rise in incidents compared to the previous year and an astonishing 545% surge in data disclosures.
The San Diego County report and its recommendations come amid a growing number of serious cyber attacks against American schools. According to the U.S. Department of Education report “K-12 Digital Infrastructure Brief: Defensible & Resilient,” between 2016 and 2022 there were over 1,600 documented cybersecurity incidents targeting school systems, with additional attacks that were not publicly revealed. We’ve covered this trend and challenges school districts have getting cyber insurance in reports such as this one.
While SDCOE does not oversee or direct cyber security at local schools, notes the Grand Jury, the organization “exert(s) influence by providing a broad set of products and services to help them improve their cybersecurity readiness.” These services “include vulnerability assessments and remediation, setup and configuration guidance for critical security controls, cybersecurity best-practices, and post-incident review,” plus providing Red Herring phishing awareness training software at no cost.
Also offered through the SDCOE’s Risk Management Joint Powers Authority (JPA) are insurance products from a commercial underwriter. 76% of districts have cyber insurance through the JPA, according to the Grand Jury.
The SDCOE is doing well in the face of cyber incidents increasing in number and complexity, says the report, but a spot check of local school districts — several of which have faced costly and disruptive attacks over recent years — reveals they have room for improvement. Each district is responsible for its own cyber security, and while some districts have implemented comprehensive cybersecurity measures, others lag, exposing themselves to increased risk.
Key Findings:
Human Error as a Key Vulnerability: Human behavior, particularly through phishing attacks, remains the weakest link in cybersecurity. The Grand Jury recommends mandatory annual cybersecurity training for all staff and students.
Technical Measures: Although many districts have implemented robust technical solutions, the absence of Multi-Factor Authentication (MFA) for all staff was identified as a significant concern.
Leadership Engagement: District leadership’s engagement with cybersecurity varied widely, with some superintendents and boards showing strong support for cybersecurity measures, while others resisted the implementation of critical protections like MFA.
Cyber Insurance as a Critical Tool: The Grand Jury highlighted the importance of cyber insurance as part of a district’s overall risk management strategy, emphasizing that it not only helps districts recover from attacks but also serves as an incentive to adopt better cybersecurity practices such as MFA.
Specific findings by the Grand Jury involving cybersecurity insurance include:
- “The Grand Jury recommends that all interviewed school districts implement at least a basic set of preparedness measures, including annual training, multi-factor authentication, and maintaining cyber insurance.”
- “A final element of organizational readiness is cyber insurance. Cyber insurance is part of an overall approach to risk management for a school district; it helps a school district recover from a successful cyberattack. Cyber insurance also will help a district prepare against a possible attack; the underwriting criteria require a school district to have a minimum set of readiness standards (such as MFA) in place to qualify for insurance.”
- “Obtaining cyber insurance helps a school district to both prepare defenses against and recover from cyber-attacks.”
- The Grand Jury recommends “School districts evaluate the feasibility of obtaining cyber insurance coverage by the beginning of the 2025-2026 school year.”
We at Cyber Insurance News think more jurisdictions would benefit from this sort of citizen review (and probably not just concerning cyber security).