Recently, the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) released a joint advisory regarding increased criminal activity directed toward the information systems and student data of K-12 schools. The FBI, CISA, and MS-ISAC anticipate that attacks may increase as the 2022/2023 school year begins. In addition, the advisory cites criminal ransomware groups' perceived opportunities for successful attacks and the percentage of reported ransomware incidents against K-12 schools. Last year, a two-fold increase was reported at the beginning of the school year. To prepare for a cyber incident, the advisory recommends implementing a recovery plan, which should be stress tested through cyber tabletop exercises. We have found that insurance providers view this type of training favorably, especially as the market has hardened and coverage is not as easy to come by as it once was.
In a recent training exercise with an institution of higher education, our team of risk, legal and technical experts, with their insurance broker, led the organization through scenarios addressing organizational vulnerabilities and threats, including cyber extortion and ransomware. In addition, university stakeholders, including representatives from risk management, human resources, information technology, communications, academic affairs, admissions, and the registrar's office, participated, simulating the complexity and the inclusive team approach needed to mitigate actual cyber events. The exercise enabled the staff to solve problems presented by simulated cyber events, bringing policy and technology gaps to the forefront so that the organization can improve operational resiliency through better business practices and reduce the likely impact of events that cause financial, reputational, and regulatory harm.