As cybersecurity threat rages, colleges invest in risk prevention and … – Higher Ed Dive

Warnings about cyberattacks targeting colleges come from all sides. Corporate experts suggest ways to stave off breaches. Companies publish research about the sector’s lack of readiness. The FBI has flagged university login credentials being offered for sale online.
If that’s not enough to get leaders’ attention, additional reminders of the issue come in the form of a steady drip of colleges sharing news that they’ve been hacked.
S&P’s report, issued at the end of September, looks at the issue from the perspective of financial risk. The ratings agency looked at 447 colleges whose debt it evaluates, giving insight into financial and governance considerations that can insulate bondholders from risk — or expose them.
More than half of those institutions have cyber insurance. On average, their coverage limit is $7.8 million, S&P found.
Public universities often said they didn’t carry cyber insurance. That may be because they rely upon state defenses or legal protection from sovereign immunity, which shields state actors from lawsuits, S&P said. On the other hand, public and private universities that have been hit by significant data breaches largely told the ratings agency they carry cyber insurance.
Many colleges that experienced significant data breaches found they were due to third-party service providers. For example, a ransomware attack that hit software provider Blackbaud in 2020 exposed information from alumni, donors and parents at colleges contracting with the company. Colleges had to notify those affected and explain what they were doing in response, S&P said.
The ratings agency pointed to several ways colleges are showing they are taking the issue seriously. They are creating new senior management positions like chief information officer, borrowing a position from the corporate world. Many are using frameworks like one from the National Institute of Standards & Technology to help them through steps like identifying risk, protecting assets, limiting damage and recovering when cyberattacks take place.
“We believe college and university management and governance teams are rising to the challenge of thwarting potential cyber intrusion by adopting policies and practices to assure that if cyberattacks occur, there are clear mitigation strategies in place to enable the institutions to continue operating,” the S&P report said. 
Boards are reviewing cybersecurity, and managers are assigning the threats higher levels of priority, S&P said.
Just 6.9% of the institutions S&P rates said they experienced a serious data breach. But that statistic only applies to data breaches the institutions disclosed. It’s not clear how high or low reporting rates are.
The ratings agency also sought to explain why the higher education sector is at risk. It has a large amount of sensitive data — financial information for students, parents, faculty and staff. Colleges’ user networks are diverse, and many different user types may not be trained in practices to prevent them from exposing networks to bad actors. And institutions often don’t update their technology.
Colleges also take part in sensitive research and share information freely between different parties within and outside of their networks, S&P noted.