This is the third installment of a five-part series on ransomware in schools.

 

Tony Dotts said he was surprised when he found out the cost for cybersecurity insurance did not increase this year at Community High School District 99 in Downers Grove, Illinois. 

In a time when the threat of cyberattacks — particularly those involving ransomware — looms large for K-12, it is commonplace for school districts to face rising premiums and deductibles for cyber insurance. In 2024, for instance, a Consortium for School Networking survey of district ed tech leaders found that 59% of districts paid higher premium costs and 24% saw a rise in their deductibles.

Dotts, an information security manager at the Downers Grove district, said his system's cyber insurance costs have held relatively steady after premium costs rose a few years ago. But he said he foresees premium and deductible costs rising along with expected increases in the frequency and sophistication of cyberattacks targeting K-12. 

Cyber insurance companies’ requirements for schools have grown stricter since this type of insurance first emerged over a decade ago, according to district technology leaders and K-12 cybersecurity experts.

Cyber insurance often covers costs related to data breach response, said Marcus Henthorn, managing director of public sector and K-12 education practice at Gallagher, a global brokerage, risk management and consulting firm. Response services may also include costs tied to public relations and credit monitoring for victims.




Cyber insurance generally offers 24-hour breach response coaches who negotiate with hackers demanding an extortion payment, Henthorn said. Schools may also gain access to legal experts who can advise on what to do in the event of a breach. In the case of a ransomware attack, cyber insurance companies sometimes provide ransom payment coverage for schools, he said, but that’s not a given.

When Dotts’ district first began applying for cyber insurance over a decade ago, the district only had to answer a few questions. Now companies ask schools to fill out pages of questions and will often push back or have follow-up queries, he said. 

“There’s a lot more checks and balances involved with even getting insured in the first place, far more still than there used to be,” Dotts said.

As executive director of the Connecticut Commission for Educational Technology, Doug Casey said he’s noticed districts having to put far more effort into their cybersecurity incident prevention just to get insured. 

For example, companies now typically expect schools to use multifactor authentication, train staff on cybersecurity best practices, and complete cyber safety audits, according to both Casey and Dotts. 

[Illustration: a school with missing pieces that look like data blocks. Credit: Julia Himmel/Industry Dive]
 

Chicken-and-egg problem

Casey and Dotts each said some of these new cyber insurance requirements are healthy and provide needed accountability.

But a challenge remains for schools trying to balance the costs of cyber insurance with accommodating its prerequisites. On top of that, some districts struggle just to find the expertise and financial resources needed to cover basic cybersecurity protections. 

This quagmire has actually led some districts to avoid purchasing cyber insurance altogether, said Amy McLaughlin, project director of Cybersecurity and Network and Systems Design Initiatives at CoSN. If a cyber insurance company is asking districts to pay for protections like multifactor authentication and backup systems, then they may not have enough money left over to afford the cyber insurance itself, she said.

“There’s only so much money in your budget, so you kind of have to pick and choose,” McLaughlin said. “The challenge here is that there’s a chicken and an egg. Do I get the chicken? Do I get the egg? That’s the actual component here that is problematic.”

Instead of paying for costly insurance, some districts are putting cybersecurity services on retainer, Casey said. So if an incident takes place, they'll have consultants on standby to step in with subject matter expertise and help.   

From a district perspective, however, Dotts encourages getting cyber insurance “just because we’re such a target” for cyberattacks.




As a broker for K-12 cyber insurance, Henthorn said he’s noticed decreases in premiums in the past 18 months. But he expects that to change eventually. “While I think cyber [insurance] is plateauing out,” he said, “over time, the trend will be an upward continuation of premiums.”

That’s because the quickly developing capabilities of generative artificial intelligence pose a real threat to current cyber protections, Henthorn said. Now there’s potential for hackers to circumvent even multifactor authentication, a prospect that “keeps people up at night.” Deepfakes, or AI-generated audio and video clips altered to appear to be someone else, are newer ways hackers could exploit schools, too.

To help school districts navigate rising cyber insurance costs amid the increasing threat of ransomware attacks, K-12 cybersecurity experts suggest three strategies to consider when reviewing options.

Read the fine print

Should a district fall victim to a ransomware attack, Casey said, leaders will need to prove to their insurance company that they did everything possible to prevent the incident from happening in the first place. That means the burden of proof falls on schools — because insurance carriers would go out of business if they continually covered the costs of multimillion-dollar ransomware events. 

“Read the fine print, because what you think is a policy that’s going to cover you in the host of incidents, may actually be very difficult to execute if you have an event,” Casey said. “That onus may still be on you, and you still may not be covered.”

At the same time, Casey said he understands the carriers’ perspectives. Schools just need to keep in mind that they will have to actively work with insurance companies to prove that the district isn't to blame for a cyberattack, he added. 

[Screenshot of student and faculty information being sold on the internet. The screenshot includes a profile picture of a menacing creature, and the profile name reads, “The Satanic God.” Caption: A screenshot of a threat actor allegedly putting Los Angeles Unified School District’s data up for sale, according to a June 6, 2024, post by a user on X who scans the dark web for threats and ransomware alerts. Retrieved from @DarkWebInformer on October 23, 2024.]
 

Tap into free resources

Before paying for additional cybersecurity protections, experts suggest districts use the free resources available at federal and state levels.

Community High School District 99 has particularly benefited from the federal Cybersecurity and Infrastructure Security Agency’s free Cyber Hygiene Services over the past five years, Dotts said. The CISA resource will scan public-facing network and web applications for vulnerabilities, and weekly reports suggest ways to address any issues found, he said.

At one point, Dotts said, a CISA report discovered a potential exposed site involving a third-party vendor, allowing the district to ask the vendor to fix the issue. The CISA service is “definitely one of those things that I would suggest any school district takes advantage of,” he said.

CoSN also offers a free vendor assessment tool for districts. With this, ed tech leaders ask prospective vendors to fill out a questionnaire aimed at ensuring their product would protect the district's sensitive data.

Additionally, Dotts and McLaughlin suggested districts apply for funds under the Federal Communications Commission’s $200 million, three-year Schools and Libraries Cybersecurity Pilot Program. The program offers funding of $15,000 to $1.5 million — depending on student enrollment — to help purchase cybersecurity services and equipment. The pilot’s application window opened Sept. 17 and is to close Nov. 1. 

Collaborate with others

Dotts also suggests joining state and national organizations that focus on cybersecurity. In his case, his district belongs to the Illinois chapter of CoSN. Collaborating with members is helpful for discussing ideas on software and hardware purchases and other issues.

“It’s not a pricey thing to do — to keep tabs on one another and let your neighboring districts know, ‘Hey we’ve seen this, here’s how we’ve combated that and so on,’” Dotts said.

It’s also possible for neighboring districts to partner up in consortiums to share cyber insurance policies, he said.

At Gallagher, Henthorn said it’s common for public entities, including schools, to join together as a cooperative to buy cyber insurance.

“Ultimately, what they're trying to do is buy the most coverage for the most affordable price that protects them or indemnifies them in the event of a loss,” Henthorn said.

News Graphics Developer Julia Himmel contributed data and graphics support to this story.