Like any business, educational institutions are increasingly dependent on the internet and technology to conduct daily activities, from online learning and test platforms, to storing sensitive student and employee information. 

A data breach or cyber-attack can compromise this confidential information or even prevent access to vital online services, leading to reputational damage and loss of income, not to mention legal action, regulatory costs and the associated disruption to the institution.

During a recent cyber breach the University of Limpopo’s website was taken down, leaking exam papers and the details of over 18 000 students, in addition to perpetrators publicly posting what was believed to be the login details for the University’s intranet.  From a general perspective, South Africa has been particularly hard hit by an onslaught of cyber-attacks during 2016 with a number of noteworthy targets in the name of Operation Africa ranging from SABC and the SA Government Database, through to the Department of Water Affairs and the EFF.

Loss and harm caused by cyber incidents is not entirely new, but with the increasing reliance on technology, the risks and voracity of attacks are increasingly exponential. According to a recent study conducted by IBM, the 2016 cost of a data breach in South Africa equates to an average cost of R1 548 per lost or stolen record, with 37% of data breaches in South Africa involving malicious or criminal attacks.

“A breach in data puts a whole process in motion that can quickly turn into a very costly exercise,” says Kerry Curtin, Manager for Financial Institutions & Professional Risks at Aon South Africa. “In certain instances an educational institution may need to appoint a forensic analyst to establish the origin of the breach and to prevent further damage.

“Depending on the type of breach, appropriate government or regulatory offices may need to be informed of the breach to anticipate possible legislative or regulatory fines.  In addition, there are many jurisdictional acts and bills that affect the cyber realm in South Africa with the potential for grave financial implications from third party liability claims, stemming from the Consumer Protection Act or even the Protection of Personal Information (POPI) act, to name a few,” Curtin explains.

“The nature of the breach will also need to be communicated to affected parties and the corresponding support will need to be put in place.  This is especially critical in the event of sensitive information such as banking details or qualifications that are leaked, which lends itself to identity theft, fraud and the like.  This is not even accounting for the public relations and crisis management that an educational institution will need to implement to manage its reputation and credibility in the marketplace, which comes at a significant cost,” she adds.

While existing forms of insurance sometimes carry a level of coverage, only specialist cyber insurance policies provide extensive cover. “There is no one size fits all approach to cyber risk insurance.  That’s why consulting with a professional Aon risk advisor is an invaluable exercise in protecting your reputation, data, students, employees and bottom line,” says Curtin.

Cyber insurance is a very complicated field that requires thorough interrogation to ensure that the risk profile of an educational institution is adequately covered.  “Cyber risk products typically indemnify an educational institution from any losses it may suffer from cyber-attacks such as those incurred to investigate and manage a cyber incident.  It also covers the costs incurred in responding to data privacy regulators in the form of fines and penalties, in addition to liability claims made by third parties,” explains Curtin.

“The risk that a cyber breach holds is something that should never be under-estimated.  Our professional and qualified brokers will help you navigate your way to the best insurance products that suit your educational institution’s profile and its pocket,” concludes Curtin.