
Protecting Institutions From Cyber Risks

Recently, an email glitch at Florida State University resulted in the accidental emailing of alleged misconduct and housing violations to more than 13,000 current and former students.

The emails may have revealed the personal information of multiple students and may have disclosed confidentially reported information relating to harassment and alleged sexual assaults. The emails were not sent by anyone on campus but were the result of a technical glitch in the university’s database. The glitch left students confused and, in some cases, frightened and concerned for personal safety. University personnel, including FSU’s Title IX Coordinator, moved quickly to address student concerns, but the proverbial cat was already out of the bag. It will likely be some time before the full consequences of the breach will be known or what the final outcomes will be.

In the wake of FSU’s inadvertent disclosure crisis, a review of the privacy procedures in place at an institutional level may be in order to prevent these types of unintended disclosures in the future. It is also important to review the indemnity agreements between the university and third-party service providers such as the database administrator or software provider. Finally, it is important to review how cyber liability insurance may respond in the event of a data breach.

Data Privacy Protocols

When discussing data privacy protocols, there are three primary areas of concern. They are how to protect:

  1. Information (e.g., personally identifiable data stored on a server)
  2. Mechanisms/systems that make up the physical housing for the information (e.g., the server itself)
  3. Users accessing the information

A breach of confidential information or data loss can occur at any of the three levels in any number of ways. It is impossible to quantify or evaluate every single manner in which a breach may occur—or how data may be lost.

What is important is establishing a protocol that takes into consideration all three areas where a breach may occur. In most cases, it is easy to focus on external threats and user misconduct but overlook the potential for data breach arising from internal system failures or glitches.


In developing data security protocols, it is important to engage in a comprehensive threat assessment that includes evaluation of user-based or external potential breach areas as well as the possibility of an equipment failure/glitch.

A few areas to consider when reviewing internal data breach/data loss response protocols:

  1. Who is the architect of the protocols? (Are the foxes guarding the hen house?)
  2. Does your protocol comply with statutory requirements and contractual requirements such as PCI compliance, Title IX, HIPAA or other state and federal laws?
  3. Does the protocol specifically address each element of concern identified above? (protection of information, protection of systems, protection of users)
  4. Is there a progressive (tree) notification process? (Do the participants understand where they are in the tree? Does the process include notification to external stakeholders such as legal authorities, insurers, external legal counsel, and crisis management or PR firm?)
  5. Is there strong leadership/executive level buy-in of the protocol?
  6. Is there a training element? (Does it include tabletop or scenario-based practice?)
  7. Is there periodic review of systems and processes to identify and change obsolete protocols and replace key stakeholders in the event of turnover?

Indemnity/Hold Harmless/Limitation of Liability Agreements

Vendor service agreements, user license agreements and even software agreements typically include indemnity terms. In most cases, these terms are one-sided, in favor of the seller or service provider.

Essentially, the purpose of an indemnity agreement is to contractually shift responsibility for loss/damage from one party (seller) to another party (buyer). These types of agreements vary in scope, strength and enforceability but, in most cases, involve a release or limitation of buyer’s claims or potential claims against the seller. In some cases, the buyer may assume full responsibility for any loss, including an affirmative responsibility to protect and defend the seller in the event of third-party claims.

There may also be a limitation on the type and extent of damages a buyer may seek against the seller or service provider—in some cases, the recovery may be limited to the value of contract or agreement. Your institution’s risk management and legal teams should carefully review indemnity terms to fully understand the extent of risk assumed by the institution in executing an agreement with a third party.

As part of a comprehensive risk management process, consider limiting acceptance of comprehensive indemnification terms in a contract. This is especially important where the institution is being asked to waive its legal rights or outright indemnify a vendor for the vendor’s own negligence, misconduct or product/service failure. A few areas to consider in reviewing contract terms:

Indemnity/Hold-Harmless Terms

  1. Who is the indemnitee (recipient of the indemnity) and who is the indemnitor (provider of the indemnity)?
  2. Does the indemnity agreement require one party to indemnify for the other party’s own negligence or misconduct?
  3. Does the indemnity agreement include an obligation to affirmatively defend the indemnitee? Is there a time limit to accept or reject the defense?
  4. Who is responsible for counsel selection?
  5. Is approval needed to settle claims?

Limitation of Liability

  1. Is there a limitation of liability?
  2. Does the limitation favor the institution or vendor?
  3. Is the limitation reasonable in light of the potential for loss or damage or the nature of the service provided? (Limiting liability to the contract value may not be reasonable if the contract value is low and the risk of loss is high.)
  4. Are there carveouts for negligence or misconduct, or is the limitation of liability intended as the sole remedy?
  5. Does the limitation of liability conflict with the indemnity terms? 

Cyber Liability Insurance

In the past few years, cyber liability insurance has gained significant attention among insurance brokers and clients. Cyber insurance refers to a suite of related insurance products that provide various types and levels of protection to insureds that may suffer from data loss or data breach.

There are three major components of cyber liability insurance:

  1. First-party coverage for loss or damage to or interruption of the institution’s electronic equipment and electronic services
  2. Third-party coverage for the liability imposed upon the institution for loss or exposure of third-party data; coverage for third parties may include costs for notification, credit monitoring and credit restoration services
  3. Coverage for regulatory requirements as well as for fines and penalties assessed against the institution as part of a covered loss

Unlike some property and casualty insurance products such as general liability or auto insurance, cyber liability insurance is not standardized. Instead, each insurance company issues a customized policy. These policies may vary greatly from insurer to insurer and can often include a la carte coverages that may significantly affect the breadth and scope of coverage.

A careful review of institutional and vendor policies is strongly recommended to ensure that the coverage purchased addresses the actual risks of the institution. Some questions to consider when reviewing your cyber liability policy: 


First-Party Coverage

  1. How does the policy respond to loss or damage to the institution’s own computer equipment, servers or other hardware components?
  2. How does the policy define a physical loss? (Does it include loss of Internet-based platforms such as web portals, or only loss to physical components?)
  3. Is there a waiting period for business or data interruption? 

Third-Party Coverage

  1. How does the policy respond to breach of confidential or personally identifiable information?
  2. Is coverage provided based on a total number of affected persons or provided on a blanket limit basis?
  3. Is there a minimum/maximum affected person limit?
  4. How is a third-party loss defined? Does it include accidental loss, computer glitches or loss of non-electronic information? (e.g., is there coverage if a laptop containing personally identifiable information is lost? Or if physical records are removed or destroyed?)
  5. Is the coverage triggered only when there is a statutory or governmental notification requirement, or does it cover voluntary notification?

Fines/Penalties

  1. Does the policy include coverage for fines/penalties including payment card industry (PCI) data security standards noncompliance?
  2. Is there a sublimit for the coverage?
  3. Are punitive or exemplary damages included? 

Conclusion

It is important to take a thoughtful approach to securing data in all its various forms. An individual protocol alone is not enough to fully secure your institution in the event of a data breach. It is also important to review vendor service agreements, user agreements and software licenses to ensure an understanding of the indemnity/hold-harmless and limitation of liability provisions, which may be present in a current agreement—and which may open up the institution to unintended liability due to the negligence or misconduct of a third party.

Finally, it is important to review and understand the types and scope of the institution’s cyber liability coverage—or to consider purchasing this coverage if the institution does not currently maintain coverage.

How Colleges Can Work With Insurers

If you sit down with just about any college administrators and ask about the vision of their university, you may witness a dramatic change as their voices fill with passion, reserve disappears and the entire tone of the conversation shifts away from being transactional. As an insurance broker specializing in higher education, I have witnessed this transformative moment many times. Unfortunately, the passion for the institution, its vision and its future does not always translate into the insurance submission and renewal process.

Many people, including some insurance brokers, view buying and selling insurance as a passionless transaction. Information about the college—such as financial statements, property values and loss experience—is gathered, tabulated into Excel spreadsheets and forwarded on to the underwriting arm of seemingly interchangeable insurance carriers. Underwriters review volumes of data about the college to decide whether the insurance company can comfortably provide a college with a certain level of insurance coverage in exchange for a fixed annual premium.


The information provided to an underwriter creates a story about the college. Depending on how the information is received and presented, the story can be positive or negative. To the underwriter, sometimes the insurance submission can be as horror-filled as a Stephen King epic or as romantic as a Nicholas Sparks novel. Of course, the insurance submission is not a work of fiction.

One of the first things that statistics students learn is that the same information (data set) can be used to draw multiple and sometimes competing conclusions. Where one person may see positive potential, another may see an organization in decline. The conclusions drawn from the data set by different insurers and underwriters reviewing the same information may vary significantly.

Why?

Though the information contained in a submission or application may be objective—meaning the information has not been altered or manipulated—the conclusions drawn from the information are less so. The underwriting process involves both subjective and objective analysis. And how the data is interpreted may have a significant impact on the underwriting decision and, ultimately, on the total premium an organization pays.

Using Data

According to a Harvard Business Review article, data can be used as a visual mechanism to direct the narrative surrounding a particular situation. The key is to:

  1. Identify the narrative or the core message the audience should walk away with;
  2. Identify your target audience and figure out what they are interested in—is the presentation to an underwriter, claims adjuster, insurance company executive, etc.?;
  3. Remain objective and offer a balanced viewpoint—your credibility will suffer if what is being said cannot be supported by the facts;
  4. Not censor the data—do not exclude unfavorable information, and this is especially important in an insurance setting as failure to disclose information can constitute insurance fraud; and
  5. Take the time to edit—not the data itself, but how the information is presented.

There are many different methods for presenting the narrative of an institution in the most positive light possible while still providing objective information. The first step is to understand both the positive and negative elements. This allows the institution to showcase itself in the best light possible. A failure to fully engage in this process may leave the narrative open to misinterpretation, create questions about unexamined negatives and result in overlooking one or more positive elements.

Communicating the story of an institution involves a deep understanding of the goals and vision of the institution, and there is no one better to communicate that story than a passionate college administrator. However, understanding what drives your institution is not enough—and that is where administrators need to leverage key professional relationships. Selecting the right broker is a key step in driving the narrative forward. A professional partner brings market knowledge and the ability to help transform the narrative from numbers into a story that honors the vision of the administration.

Developing Key Relationships

The majority of colleges and universities work with one or more insurance brokers to engage with the insurance marketplace. At minimum, a broker working with an institutional client assists in (1) identifying insurable exposures, (2) preparing recommendations for coverage types and limits, (3) identifying potential insurers to approach, (4) developing the insurance submission, (5) negotiating pricing and coverage terms and conditions with the markets and (6) presenting the carrier quotes to the institution.

Institutions at every level can rely quite heavily on the services and recommendations of their insurance brokers. The broker can play a critical role between having a well-structured insurance program and having a potential mess of overlapping coverage, gaps in coverage, inconsistent coverage terms, out-of-balance limits and potential claims issues. The broker can also act as a key resource in communicating the organizational narrative to the underwriters.

There are four key elements a broker adds to narrative development:

  1. Market Knowledge: Insurance brokers keep abreast of developments in the marketplace, including insurer appetites. Like any company, insurers have target or preferred customers. Being in an insurer’s target class can provide premium discounts and coverage enhancements. Insurers typically understand the risk exposures associated with their target customers and are comfortable underwriting these risks and adjusting claims. For the insurance client, this means (1) access to expertise from an insurer that understands your institutional risk and (2) comfort in knowing the insurer has an understanding of institutional risk and will be unlikely to cancel or withdraw coverage in the event of a claim. Ultimately, it does not make sense to send an application to an insurer that does not understand or have a comfort level with higher education risks. Insurance brokers also keep abreast of market conditions. For the past few years, insureds have enjoyed relatively stable insurance rates and coverage offerings. It is currently the norm to see flat program renewals and even rate decreases in several key insurance coverage lines. However, it is unlikely that this trend will continue long-term, and it may be significantly affected by:
     1) Mergers: The insurance market is changing as insurers look to increase market share and underwriting profit while minimizing exposure to catastrophic losses and unprofitable lines of business.
     2) New Market Entrants: There has been an influx of third-party capital into both the insurance and reinsurance markets, resulting in lower insurance prices in the short term. The question is whether these new entrants are here to stay and whether capital levels have peaked.
  2. Underwriting Guidelines/Expectations: Understanding how underwriters use information is a key element of the narrative development. Different insurance carriers use underwriting information differently. Customizing the insurance submission to highlight critical (or essential) information that will be viewed favorably by the underwriters makes a big difference.
  3. Risk Analytics: Analytical services provide a more complete picture of organizational risks, claims trends and opportunities for improvement. These services may include claims dashboards, benchmarking analytics, property valuation and catastrophic loss exposure analysis. This is really where brokers can distinguish themselves. Effective use of analytics allows the institution to home in on key risk and loss drivers and develop a risk management plan to address problem areas early. Early identification processes and plans can be communicated to underwriters as part of the application process. This can be critical for institutions with past losses, as it demonstrates steps to control future loss and an awareness of university exposures.
  4. Alternative Program Structures/Alternative Risk Transfer Options: Not every risk can be transferred, and not all risks are adequately covered by buying off-the-shelf insurance products and services. Taking control of the insurance conversation may require a needs-based assessment of academic, administrative and financial processes to determine optimal (1) coverage types/limits and deductibles/retentions, (2) feasibility of self-insured or captive programs, (3) needed coverage enhancements and (4) key contributors to loss/potential losses.

Tips for constructing and delivering your narrative

Start early. Waiting until a couple of months before program renewal does not provide a great deal of time to develop a cohesive narrative or to allow underwriters the time needed to develop a real understanding of the institution. In fact, it can be beneficial to begin the conversation with a prospective insurer years before moving coverage from a current insurer. This is important even if there is a comfort level with the current program structure and insurance providers. Organizational risks are not static, and insurance programs change over time. Engaging in regular dialogue with underwriters at different insurance companies allows multiple carriers to develop an understanding of the college/university’s operations and risks. Developing alternative carrier relationships provides a backup plan.


Know and understand your institutional risks and objectives. This includes both the positive and negative aspects. It can be easy to focus on the positives, but, as with an ostrich hiding its head in the sand, that may result in overlooking key dangers to the continuity of the college itself. You should:

  1. Create an internal risk review team made up of a diverse group of institutional stakeholders, such as human resources staff, facilities/housekeeping, faculty, administrative staff, board of trustees, alumni and students.
  2. Engage an objective third party, such as a risk consulting firm, or use the institution’s insurance broker’s analytical team.
  3. Participate in peer-review activities by engaging with administrative and risk management personnel at other institutions. Participating in risk management round-tables and discussions such as those provided by United Educators, URMIA and other educational insurers/associations can assist in planning for common areas of concern.

Use the data as a guide. As much as insurance brokers may wish otherwise, underwriters are pretty savvy people and will usually catch on to most omissions. It is very hard to recover from a situation where the underwriter feels misled about the organization—there is a loss of trust, respect and partnership that is impossible to get back. Be open and objective about the current position of the college/university. But do not allow the negative information to be all the underwriter sees—provide mitigating information such as steps the college is taking to: (1) improve loss experience, (2) attract higher enrollments or (3) renovate aging infrastructures. Underwriters want to write business, and most of them are looking for a reason to say “yes.”

Do not rely solely on the insurance application. The application gathers the minimum amount of information that an insurance company needs to underwrite a risk. If the institution is working with an insurance broker (as most do), it is important to collaborate with the broker rather than just cede the submission development process entirely to the broker. A broker (regardless of how good she is) is never going to be as passionate about your institution as you are. Get to know your underwriters—go to lunch, meet them at conferences, attend a carrier networking event or even schedule periodic conference calls. If all your organization is to an underwriter is a few sheets of paper submitted 90, 60 or even 30 days prior to a renewal, you will not get the underwriter’s full attention or consideration. Engage your underwriters.

Active Shooter Scenarios

Campus safety and security is a topic of increasing concern on both a personal and institutional level. On-campus shootings can no longer be viewed as singular, isolated events. The good news is that the chance of an active shooter incident taking place on campus is pretty small. However, because of the random nature of such events, all institutions need to be prepared. Planning for an active shooter threat has become an unfortunately necessary part of the framework of institutional safety and risk management best practices.

Active Shooter Defined

According to the U.S. Department of Homeland Security, an active shooter is an individual actively engaged in killing or attempting to kill people in a confined and populated area; in most cases, active shooters use firearm(s), and there is no pattern or method to their selection of victims. Active shooter situations are unpredictable and evolve quickly. Typically, the immediate deployment of law enforcement is required to stop the shooting and mitigate harm to victims. Because active shooter situations are often over within 10 to 15 minutes, before law enforcement arrives on the scene, individuals must be prepared both mentally and physically to deal with an active shooter situation.

Colleges and universities understand the need for emergency response plans for many different types of disasters and typically already have processes and procedures in place to address multiple types of disasters. Planning for an active shooter threat can and should be integrated into an institution’s overall emergency and disaster preparedness plans. While many of the components are similar for most natural and man-made disasters, the inclusion of an active shooter plan generates an even greater immediacy for response. There are several considerations when it comes to the development and implementation of an emergency response plan to address any threat. These include the three Ps: Prevention, Preparedness and Post-Event Management and Recovery, each of which will be discussed in greater detail below.


  • PREVENTION

Engage in Threat Assessment

Probing how threats develop can mitigate, defuse or even eliminate a situation before it occurs. Active shooters do not develop in a vacuum. A joint study by the U.S. Department of Education, the Secret Service and the Federal Bureau of Investigation concluded that individual attackers do not simply “snap” before engaging in violence; rather, they often exhibit behaviors that signal an attack is going to occur. The study recommends the use of threat assessment teams to identify and respond to students and employees.

As part of the threat identification and assessment process, an institution may elect to conduct pre-employment background checks to identify past patterns of violent behavior. While the background check process may not be a perfect indicator of future behavior, it does provide a useful mechanism for vetting a prospective employee. If triggering behavior is found, the threat assessment team can be used to evaluate the information and determine whether further action or intervention is needed. 

Encourage Training and Education

An essential component of prevention is training the campus community on how to identify both trigger behaviors and events that may trigger a potential incident.

Supervisor and Faculty Training: Train faculty on how to recognize early warning signs of individuals in distress. Supervisors/faculty should be aware of major personal events in the lives of their employees, as many incidents of violence occur in close proximity to such events.

Student/Community Training: Educate the campus community on how to recognize warning signs of individuals in distress and provide a mechanism for sharing that information.

Develop and Communicate Reporting Procedures

All employees and students should know how and where to report violent acts or threats of violence. Information regarding the function of the threat assessment team or other similar programs should be provided to the entire campus community. The institution should also have an internal tracking system of all threats and incidents of violence.

Continuing Staff and Student Evaluations

When appropriate, obtain psychological evaluations for students or employees exhibiting seriously dysfunctional behaviors.

  • PREPAREDNESS

Leverage Community Relationships

There are many programs and resources in communities that can assist with the development of active shooter response plans.

Include local law enforcement agencies, SWAT teams and fire and emergency responders in early stages of the plan development to promote good relations and to help the agencies become more familiar with the campus environment and facilities. The police can explain what actions they typically take during incidents involving threats and active violence situations that can be included in the institution’s plan. Provide police with floor plans and the ability to access locked and secured areas.

Invite law enforcement agencies, SWAT teams and security experts to educate employees on how to recognize and respond to violence on campus. Such experts can provide crime prevention information, conduct building security inspections and teach individuals how to react and avoid becoming a victim.

Review Resources and Security

Periodic review of security policies and procedures will help minimize the institution’s vulnerability to violence and other forms of crime.

  • Routinely inspect and test appropriate physical security measures such as electronic access control systems, silent alarms and closed-circuit cameras in a manner consistent with applicable state and federal laws.
  • Conduct risk assessments to determine mitigation strategies at points of entry.
  • Develop, maintain and review systems for automatic lockdown. Conduct lockdown training routinely.
  • Place active shooter trauma kits in various locations on the campus. Train employees on how to control hemorrhaging, including the use of tourniquets.
  • Provide panic or silent alarms in high-risk areas such as main reception locations and the human resources department.
  • Implement an emergency reverse 911 system to alert individuals both on and off campus. Periodically test the system to serve as training and verification that the equipment is functioning properly.
  • Equip all doors so that they lock from the inside.
  • Install a telephone or other type of emergency call system in every room.
  • Install an external communication system to alert individuals outside the facility.

Develop and Communicate Lockdown Procedures

Lockdown is a procedure used when there is an immediate threat to the building occupants. Institutions should have at least two levels of lockdown – sometimes called “hard lockdown” and “soft lockdown.”

Hard Lockdown: This is the usual response when there is an intruder inside the building or if there is another serious, immediate threat. In the event of a hard lockdown, students, faculty and staff are instructed to secure themselves in the room they are in and not to leave until the situation has been curtailed. This allows emergency responders to secure the students and staff in place, address the immediate threat and remove any innocent bystanders to an area of safety.

Soft Lockdown: This is used when there is a threat outside the building but there is no immediate threat to individuals inside the building. During a soft lockdown, the building perimeter is secured and staff members are stationed at the doors to be sure no one goes in or out of the facility. Depending on the situation, activities may take place as usual. A soft lockdown might be appropriate if the police are looking for a felon in the area or if there is a toxic spill or other threat where individuals are safer and better managed inside.

Evacuation Procedures Communication/Training

Evacuation of the facility can follow the same routes used for fire evacuation if the incident is confined to a specific location. Otherwise, other exits may need to be considered. Designate a floor or location monitor to assist with the evacuation and inventory of evacuees for accountability to authorities. Establish a meeting point away from the facility.

Develop a Communication System

Perhaps the most crucial component of an active shooter response plan is the network of communication systems. Immediate activation of systems is critical to saving lives because many mass shootings are over and bystanders are injured or dead before police can respond.

Create a Crisis Response Box

A crisis response box has one primary purpose: provide immediate information to designated campus staff for effective management of a major critical incident.

If a crisis is in progress, this is not the time to collect information. It is the time to act upon information.

Knowing what information to collect, how to organize it and how to use it during a crisis can mean faster response time.

Create an Incident Command Center Plan

The National Incident Management System (NIMS) is a nationally recognized emergency operations plan that is adapted for large critical incidents where multi-agency response is required. NIMS facilitates priority-setting, interagency cooperation and the efficient flow of resources and information.

The location of an incident command center should be in a secure area within sight and sound of potential incidents with staging areas located nearby.


  • POST-EVENT MANAGEMENT AND RECOVERY

To ensure a smooth transition from response to recovery, plans that went into effect during the event should be de-escalated and integrated into the plan for moving forward. This will include aspects such as:

  • Media and information management
  • Impact assessment
  • Facility and environmental rebuilding
  • Restoring student, staff and community confidence

Conclusion

Though an active shooter situation is unlikely to occur at most colleges and universities, it is still essential to be prepared. Failure to do so can cause the loss of lives, severe financial repercussions and reputational damage that could take years to reverse.

Additional resources for university risk managers and administrators are available in the complete Encampus Active Shooter Resource Guide, which is available for download here.