Cyber attacks: The price of collaborative environment at universities

By Chad Hemenway on March 14, 2014

Corporations strive to prevent outsiders from accessing information but an institute of higher learning looks to be accessible and collaborative—making the variety of information stored on servers susceptible to cyber attack.

In recent weeks there have been many examples.

  • Officials at the University of Maryland said a data breach last month affected 288,000 student records—some dating back to 1998. The database hacked included Social Security numbers and dates of birth for students, faculty and staff-issued university IDs.
  • Social Security numbers and addresses of more than 145,000 students and recent graduates of Indiana University were exposed during a late February breach of an unsecured database. The data has since been moved to a secure location.
  • In what is being described as an alleged extortion attempt by a hacker claiming to be from the group Anonymous, Johns Hopkins University officials said the names, email addresses and phone numbers of more than 1,300 current and former students in the Department of Biomedical Engineering’s Design Team were stolen from a web server and posted online. The hackers tried to get the university to give them server passwords. Johns Hopkins did not comply.
  • The University of Northern Iowa recently began investigating a possible data breach after some employees reported being the victims of tax fraud.
  • A North Dakota University computer server that stores personal information of students, staff and faculty was hacked. University officials said it looked like nothing was compromised. A breach was discovered early February and the server was locked down.

Institutions of higher education rank near the top when it comes to data-security incidents—second only to healthcare organizations, according to Advisen data.

“Cyber is definitely one of the biggest risks a university has,” said Michael Liebowitz, director of insurance and risk management at New York University. “It is a huge deal, and probably underestimated.”

A large amount of personal identifiable information is collected at universities due to the variety of services provided: retail, healthcare, housing, food, and counseling. In addition, many universities possess intellectual property and research.

“To have a breach you need two things,” explained Kevin Kalinich, global cyber practice leader at AON. “The information stolen needs to be valuable so it can be resold. And it needs to be accessible.

“Universities satisfy both criteria.”

Machine behind the scenes

“Our students are looking to get published, lead and conquer the problems of outside world,” said Walter Pizzano, director of risk strategy and insurance for Harvard University. “They don’t think about the machine behind the scenes.”

Pizzano doesn’t handle cyber risk at Harvard. The school’s chief information security officer—a relatively new position—is tasked with making sure the university’s networks are secure. Harvard is currently undergoing an extensive analysis of its complex cyber networks.

As an insurance buyer, Pizzano said the exhaustive investigation will lead to a more informed choice of coverage.

“There are plenty of products out there but whether they are good for the buyer is for the buyer to figure out,” Pizzano said. “I see insurance purchased based on what was sold rather than what was needed. It does no good to have a $10 million policy while you’re sitting on a $50 million problem.”

In the meantime, he said he purchased insurance to have while the investigation is going on.

NYU’s Liebowitz said consultants perform breach exercises to see if they can get access information. Enterprise risk management includes accessing the security at third-party vendors. Passwords are changing habitually.

“Ten years ago data was stored in a large main-frame sitting in data service centers,” he said. “Now there is cloud computing. More and more, the things we do are electronic and we already take these things for granted.”

Liebowitz said NYU “continues to but more limits as the exposure grows.”

“This is not a stagnant exposure,” he added.

But in underwriting the risk, insurers are dealing with open networks and limited budgets, according to Mark Camillo, head of AIG’s network security and privacy products in the Americas.

“There are graduate students in the tech department,” he said. “They are getting the baseline security in place—doing the blocking and tackling.”

Rethinking data storage

David Shannon, head of the Technology, Media and Intellectual Property practice at law firm Marshall Dennehey said higher-learning institutions needs to determine whether all information should be centralized.

“A lot of the data stolen recently was old data,” Shannon said. “Old data is bad data. Universities need to begin to also look at whether they need to store all information together. Can you break up students from faculty, for instance?”

Universities are playing catch-up, much like healthcare organizations, Shannon said.

The manner in which data is stored is an “evolving issue,” said Kalinich.

“I think universities are thinking about the basic structure of their computer networks,” he said. “How do you go about this without building a fortress? Do you house sensitive data in smaller vaults?”

Kalinich said a new cybersecurity framework for critical infrastructure set forth by the National Institute of Standards and Technology could provide institution of higher learning with a “good checklist—a good source to set basic policies and procedures.”

Plaintiffs’ attorneys might also lean on NIST as proof a school did not do enough to protect personal data from cyber criminals.

Sources said monetary losses to universities from a data breach have yet to be catastrophic. Class-actions have fizzled on the burden of proving damages. But the cost of forensics, remediation and notifications following a breach can easily run millions of dollars.

Broad market, solutions

Joe DePaul, managing director of cyber risk services at Arthur J. Gallagher, said the insurance market remains fairly broad.

“A number of carriers are very interested [in the risk] because there has been so much activity of late,” he said.

DePaul said insurers are “asking more questions about cybersecurity.” The voluntary NIST standards could surface as insurers assess risk, said DePaul and Kalinich.

Camillo said AIG will look at institutions in depth, setting up a conference call with school officials “to make sure there is a good culture of information security.”

Institutions of higher learning are most interested in coverage for crisis management, DePaul reported.

“They want a map—how to get from point A to point B after a breach,” DePaul said. “They seek this type of assistance.”

Like other cyber policies, insurers provide coverage for forensics, regulatory costs, notifications, public relations, extortion, business interruption, credit monitoring and remediation.

Third-party costs can also be obtained but DePaul says universities aren’t buying because they have yet to feel the pain of a large loss.

“One thing is for sure, they aren’t taking off-the-shelf products,” he continued. “These schools are looking for manuscripted amendments to provide broad coverage.”

Camillo of AIG said coverage is offered “a la carte.” As part of the insurer’s solutions, training is obtainable for students, employees and vendors since a large risk remains simple: lost laptops and phishing scams.

AIG’s cyber product also offers loss-prevention services such as vulnerability scans and “auto shun,” which keeps track of malicious IP addresses and blocks attacks. The insurer also provides customers with a breach calculator to get a ballpark estimate of losses from an event based on the information entered in the system.

Additionally, AIG can connect universities with a “breach coach” following an incident.

“It’s important to get the carrier involved early in the process,” Camillo said. “This benefits everyone and mitigates losses.”

Chad Hemenway is Managing Editor of Advisen News. He has more than 15 years of journalist experience at a variety of online, daily, and weekly publications. He has covered P&C insurance news since 2007, and he has experience writing about all P&C lines as well as regulation and litigation. Chad won a Jesse H. Neal Award for Best Single Article in 2014 for his coverage of the insurance implications of traumatic brain injuries and Best News Coverage in 2013 for coverage of Superstorm Sandy. Contact Chad at 212.897.4824 or chemenway@advisen.com.