XL Catlin

Cyber attack, espionage, and ransomware aren’t part of the curriculum; they are the threats that colleges and universities face as more sophisticated cyber criminals target higher education. It was something no one saw coming.

In 2002, Yale University’s computer system was hacked. What the hackers accessed: applicant data and acceptance/rejection status information. The confessed hacker: the director of admissions at Princeton University.

While the hack was not traditional in nature (the director used Social Security numbers and birth dates of Princeton applicants who had also applied to Yale to access the system), it was an embarrassing incident for both colleges. It was also the first reported case of cyber espionage.

In a way, the hack proved to be a useful event that helped Yale’s cyber security team tighten their internet security. Unfortunately, not all colleges and universities are that fortunate.

In 2004, three breaches at California universities accounted for 2,000,000 stolen records. Neither time nor increased IT sophistication has stemmed the attacks; in 2015, 539 breaches involving almost 13 million records were reported in the higher education sector. In fact, by the first half of 2017, data breaches had risen 103 percent over the previous year, with 77 percent of all US universities being unprepared for cyber risk.

Education is expected to remain on the list of the top 10 industries targeted by cyber attack until at least 2022.

Today’s cyber criminals are not only looking for data; they are looking for ransom. New York City-based Monroe College had its computer systems hacked in July 2019, shutting down the college’s website, the email system, and online course access as well as potentially compromising the records of over 8,000 enrolled students. Hackers demanded $2 million in Bitcoin from Monroe College for the decryption key. In March 2018, well over 300 universities worldwide were victims of an organized cyber attack that compromised 31 terabytes of data.

By March 2019, things had not improved. That month, Oberlin College (Ohio), Grinnell College (Iowa), and Hamilton College (New York) fell victim to cyber attacks that compromised student application data. However, instead of demanding ransom from the colleges, hackers demanded one Bitcoin from each student whose records were stolen. They later reduced the ransom demand to $60 per student.

The changing cyber security landscape for colleges

Higher education is no stranger to hacking and intrusion. In fact, what is believed to be the first cyber attack happened at a university back in the 80s. In 1988, Cornell University graduate student Robert Morris launched a computer worm while at MIT to gauge the size of the internet. That attack, known as the Morris Worm, replicated and spread rapidly, causing an estimated $100,000 to $10,000,000 in damages.

Unfortunately, things have not improved. By all accounts, cyber crime targeting higher education is becoming much more sophisticated. However, colleges and universities are not always prepared for such evolution.

Why are colleges and universities easy targets for cyber attacks?

By their very nature, schools operate under an open-access IT environment. They are challenged with maintaining that environment for students, faculty, and staff, which makes them frequent targets for cyber attack. As higher education changes how it operates, using more technology for education, student services, and administration, the cyber risks multiply.

That leaves plenty of data at risk. And the data hackers can access is myriad: employee personal and financial information, student information, parents’ financial information, research data, grades, application data, medical information, and more.

Cyber criminals are changing how they operate, as well. No longer interested in merely compromising records and going through the motions of selling them on the dark web, hackers are now more direct in their approach. The number of ransom demands on colleges has increased significantly in just the last few years. Cyber criminals are also rarely single entities; they are now organized groups of hackers using an orchestrated approach to infiltrate as many systems as possible.

How are colleges and universities staying ahead of cyber thieves?

Fortunately, colleges and universities can improve cyber security. We recommend a multi-layered approach that includes:

  • Risk assessment
  • Prevention and response plans
  • Regular system updates/offline system backups
  • Creating a culture of IT security
  • Cyber insurance

Risk assessment

At the outset, colleges and universities must understand their risks and prioritize them in order of impact. What information is at highest risk? What systems are most critical? Those are risks that should be monitored regularly.

Also, schools should be grading their data sensitivity – from low to severe – and putting protections around each level according to the severity of the risk. For example, publicly available information would not need protection, whereas personally identifiable information would require encryption and managed, secure storage.

Who has access to such data should also be controlled. By limiting the number of people able to access highly sensitive information, colleges and universities can therefore limit breach potential. Likewise, for unsecured devices, limit what users can access and for how long the devices can access those systems and data.

Prevention and response

Once your institution understands what it is protecting, it should then create or revamp its prevention and response plans. Also, schools should work testing into the prevention plans. A recent test by Clemson University involved sending 100 emails to faculty and staff. While one-fourth of the emails were blocked by the school’s system, over a dozen recipients responded to the phishing scam, and six of the school’s computers were then loaded with malware.

Tests like this allow your institution to see where the vulnerabilities lie and help IT professionals establish better protocols to avoid system breach. Some of those protocols should include:

  • Employee/staff education
  • Stronger passwords that are changed regularly
  • Multi-factor authentication

Once a breach occurs, your institution should have a plan in place for what to do first, whom to call, and which regulatory requirements are triggered by the breach. Having a response plan in place allows your school to respond and recover faster, thus limiting the damage.

System updates and offline backups

Many vulnerabilities can be traced to systems that have not had regular updates and patches applied. Update systems at the first opportunity and stay on top of all subsequent patches and updates.

Backup data is also vulnerable. Today’s hacker compromises not only the systems, but the backups, as well. You can limit the financial impact of a breach by storing all backups offline.

The IT security culture

Probably the largest threat to a college or university’s cyber security is human error. Students click on links. Staff give out passwords. A strong prevention plan needs to include ongoing education about hacking methods and what students and staff should do with potential phishing attempts. Work with your IT department to develop a phishing response policy and an easy way for students, faculty, and staff to report any questionable emails or phone calls.

Cyber insurance

For any organization that handles sensitive data, cyber insurance is a must. Not only will insurance cover the costs of recovery, but the right insurance policy gives institutions access to computer forensics experts, data breach notification/call center services, expert legal counsel, public relations specialists, and credit and ID monitoring services.

Also, cyber insurance should include the following coverage:

  • Privacy & Security Liability
  • Data Breach Response and Crisis Management
  • Privacy Regulatory Defense Costs and coverage for any fines and penalties assessed
  • Business Interruption and Extra Expense
  • Data Recovery
  • Cyber Extortion and Ransomware

An insurance carrier that specializes in cyber liability can help you put together an insurance policy that addresses your school’s most critical vulnerabilities. A specialty carrier can also help your institution uncover potential areas of risk and put protections in place that can reduce your exposures.

As cyber criminals target colleges and universities, organizations should be addressing the gaps in security as well as educating students, faculty, and staff in how to identify and handle breach attempts.

Schools are far too easy marks for cyber criminals, but they don’t have to be. Putting the effort into education, security strategies, and prevention and response planning can help your institution reduce a number of the cyber risks it faces. Working with an insurance carrier that specializes in cyber security is a cost-effective way to improve security and keep information safe.


About the Author

Elissa Doroff is Product Manager for AXA XL’s Cyber & Technology insurance business in North America. She can be reached at
