
Risk Protection Arrangement and Cyber security

Risk Protection Arrangement (RPA) was introduced in 2014 to provide an alternative to commercial insurance for academies. The product has proved popular, with almost 50% of academies now having joined. Key factors that are attractive to academies when joining RPA include a fixed annual cost for all schools, regardless of their risk profile or claim history, and the absence of a requirement to provide detailed buildings and contents valuations.


In March 2021 the Department for Education (DfE) launched a pilot in collaboration with IASME, the National Cyber Security Centre’s Cyber Essentials partner, with a view to adding cyber security into the scope of RPA cover. Approximately 500 schools participated in the pilot. One unnamed school was the victim of a successful ransomware attack whilst participating in the pilot programme: the costs incurred in dealing with the aftermath of the attack were assessed as just under £200,000 – costs which were met by the cover included as part of the pilot, but which otherwise would have come from the school’s own funds.


Following the pilot, cyber security cover has been included within the RPA for the 2022/23 period, subject to a limit of liability of £250,000 per annum for an individual RPA member, or £750,000 for a group member.  There is an ‘excess’ of £1,000 for a primary academy, rising to £2,000 for other academies.


Conditions of cover

There are a number of key conditions that an academy must comply with for the cover to be applied.

Backup procedures

Backup procedures should be in place for all key systems. This covers not just systems holding financial data, but also staff and student data, and systems relating to exams and coursework. Backups should be stored offline in an area that is outside the internal network and which may include cloud storage.

The RPA rules repeat (but do not mandate) the National Cyber Security Centre’s recommendation of a “3-2-1” system, with 3 backups being taken, across at least 2 different devices, with at least one being stored at a different physical location. Backups should be tested on a regular basis.  The aim of this is to confirm that the backups being taken can genuinely be used should a total system restoration be necessary. 

Training

The RPA conditions require that all employees or Governors who have access to the academy’s IT system (which is probably almost every adult working in a school) undertake a bespoke training programme provided for schools by the National Cyber Security Centre (“NCSC”). In the event of any claim, the school will be required to demonstrate that any employee or Governor involved has completed the training, so this will need to be included on the CPD plan for ALL employees and Governors.

An IBM report estimated that perhaps as many as 95% of successful cyber attacks required an element of human error, so it is no surprise to see this element being stressed so highly.

Cyber response plan

The RPA requires that all schools have a Cyber response plan in place. We expect that all academies will already have cyber attacks included within their risk register and their disaster recovery arrangements, specifying in detail what should be done in response to any suspected or actual cyber attack.

The RPA portal includes a template document for schools to gather all of the required information and to make sure that all key aspects of the plan (including areas such as physical security and external communications) are included within its scope.

Police CyberAlarm

All RPA members are required to register with Police CyberAlarm: an award-winning tool, provided free of charge by the police and funded by the Home Office, to help organisations monitor and report suspicious cyber activity. Since its launch, the product has identified over one billion suspicious events, resulting in reports and advice being given to members, enabling them to take action to prevent a successful attack. CyberAlarm detects and reports on suspicious cyber activity and vulnerabilities, helping organisations to identify and mitigate their cyber risks.

Summary

A 2022 report showed that 81% of UK respondents had experienced at least one cyber attack in the previous years, with 73% experiencing ransomware attacks. The same report suggested that 11% of organisational IT budgets were now spent on security. Against that background, inclusion of cyber cover represents a sensible step forward for the RPA. As well as financial data, and access to financial assets, schools’ IT systems contain important personal data including that of students, which could easily result in fines and possible safeguarding risks in the event of a successful hack. For these reasons, cyber security needs to be high on every academy’s risk register.

     

Take part in our survey: Kreston Academy - Year End 2022

Thank you to those who have already completed our survey but for anyone who has not, we would value your feedback. 

The survey closes on 16th December 2022, so there is still time to complete it.

We are in the process of collating data for the Year End 2022 to build our Academies Benchmark Report 2023. Kreston is gathering the opinions of Academies and Trusts across the country to understand their experiences of life as a SAT/MAT. We would like to incorporate the views of your Trust in our next benchmark report, so we would be grateful if you could take a few moments to complete the following short survey. We will send you a copy of the finalised report early next year.

     

Contact Us

If you would like to arrange a virtual meeting to discuss your specific circumstances in relation to any of the above, please get in touch with your usual contact within James Cowper Kreston or contact me using the details below.


Mike Bath

Partner


Tel: +44 (0) 7557 340691  | E: MBath@jamescowper.co.uk

     

The information in this newsletter must not be relied on as giving sufficient advice in any specific case.   

   
   
