No requirements for Iowa schools to have cyber insurance as premiums increase
CEDAR RAPIDS, Iowa (KCRG) - The premium for the Cedar Rapids Community School District’s cyber security insurance has increased by 213% in about two years, according to documents from school board meeting packets.
The coverage limits in the policies are similar, although the district’s deductible did double from Fiscal Year 2022 to Fiscal Year 2023. The Cedar Rapids Community School District and the Linn-Mar Community School District are both dealing with cyber security incidents.
Our KCRG-TV9 i9 Investigative Team learned the Linn-Mar Community School District is dealing with a ransomware attack on Wednesday after an employee sent us a photo of a district’s computer screen. Cedar Rapids School Officials haven’t publically released any information, which a letter to staff is calling a security breach.
Ransomware was the main cause for the increase, according to documents when the district renews its policy in 2021, because the price for responding to those issues and payments increased
Thomas R. Berry-Stoelzle, who is an associate professor of finance at the University of Iowa, said insurance companies better understand the expenses related to these attacks than they did about 10 years ago. He said those include regulations, like sending letters to people affected in a breach.
“The industry was still figuring out what could potentially happen, trying to collect some data and get their heads around potential loss numbers,” Berry-Stoelzle said. “Now everybody has an idea how expensive a breach might be, that it is quite expensive.”
He also said there are alternatives to insurance, but this could possibly risk taxpayer budgets if a district is uninsured.
“I would say the biggest advantage is avoiding sudden unexpected big losses and swapping them out for a predictable fixed premium each year,” Berry-Stoelzle said.
Doug Jacobson, who studies and teaches at Iowa State University, said he’s seen some premiums increase by 200% to 300%. He said insurance companies also test an organization’s system before issuing a quote and require certain practices like two-factor identification to stay insured.
“You might not immediately qualify as an organization,” he said. “You might not be able to do everything that they want you do to.”
Heather Doe, who is a spokesperson for the Iowa Department of Education, said in an email the state doesn’t have oversight over a district’s cyber infrastructure.
“School district plans and considerations regarding cyber security are determined locally,” she wrote.
Copyright 2022 KCRG. All rights reserved.