- Most of the colleges whose debt S&P Global Ratings evaluates say they haven't had a serious data breach, but institutions should still invest in steps to mitigate risks in the face of increasing and evolving cyberattacks, it said in a recent report.
- Only 13% of institutions with cyber insurance in S&P's portfolio reported a data breach because of a cyberattack.
- Cyber insurance policies are getting more expensive for the higher ed sector. Policy renewals are typically increasing prices by between 40% and 60%, with some premium increases hitting the triple digits, S&P said.
Warnings about cyberattacks targeting colleges come from all sides. Corporate experts suggest ways to stave off breaches. Companies publish research about the sector's lack of readiness. The FBI has flagged university login credentials being offered for sale online.
If that's not enough to get leaders' attention, additional reminders of the issue come in the form of a steady drip of colleges sharing news that they've been hacked.
S&P's report, issued at the end of September, looks at the issue from the perspective of financial risk. The ratings agency looked at 447 colleges whose debt it evaluates, giving insight into financial and governance considerations that can insulate bondholders from risk — or expose them.
More than half of those institutions have cyber insurance. On average, their coverage limit is $7.8 million, S&P found.
Public universities often said they didn't carry cyber insurance. That may be because they rely upon state defenses or legal protection from sovereign immunity, which shields state actors from lawsuits, S&P said. On the other hand, public and private universities that have been hit by significant data breaches largely told the ratings agency they carry cyber insurance.
Many colleges that experienced significant data breaches found they were due to third-party service providers. For example, a ransomware attack that hit software provider Blackbaud in 2020 exposed information from alumni, donors and parents at colleges contracting with the company. Colleges had to notify those affected and explain what they were doing in response, S&P said.
The ratings agency pointed to several ways colleges are showing they are taking the issue seriously. They are creating new senior management positions like chief information officer, borrowing a position from the corporate world. Many are using frameworks like one from the National Institute of Standards and Technology to help them through steps like identifying risk, protecting assets, limiting damage and recovering when cyberattacks take place.
"We believe college and university management and governance teams are rising to the challenge of thwarting potential cyber intrusion by adopting policies and practices to assure that if cyberattacks occur, there are clear mitigation strategies in place to enable the institutions to continue operating," the S&P report said.
Boards are reviewing cybersecurity, and managers are assigning the threats higher levels of priority, S&P said.
Just 6.9% of the institutions S&P rates said they experienced a serious data breach. But that statistic only applies to data breaches the institutions disclosed. It's not clear how high or low reporting rates are.
The ratings agency also sought to explain why the higher education sector is at risk. It has a large amount of sensitive data — financial information for students, parents, faculty and staff. Colleges' user networks are diverse, and many different user types may not be trained in practices to prevent them from exposing networks to bad actors. And institutions often don't update their technology.
Colleges also take part in sensitive research and share information freely between different parties within and outside of their networks, S&P noted.