
Insurance & Liability Readiness Checklist

Checklist of cybersecurity controls commonly required by cyber insurance underwriters. Maps each requirement to iboss capabilities with evidence collection guidance.

01

The Cyber Insurance Landscape for K-12

The cyber insurance market for K-12 education has undergone a dramatic transformation since 2020. Premiums for school districts have increased between 50 and 300 percent depending on the district's risk profile and claims history, with some carriers exiting the education market entirely. The shift reflects the reality that school districts have become high-value targets for ransomware operators and data thieves, while historically maintaining lower security maturity than comparably sized organizations in other sectors.

Coverage structures for education have become more restrictive. Typical policy limits for mid-sized school districts range from one million to five million dollars, with deductibles between 25,000 and 250,000 dollars depending on the district's security controls and prior claims. Many policies now include sublimits for specific event types, particularly ransomware, meaning the coverage for a ransomware event may be significantly less than the overall policy limit. Coverage gaps are common in areas such as social engineering fraud, voluntary regulatory fines, and costs associated with rebuilding systems rather than paying ransom.

Underwriter scrutiny of security controls has intensified dramatically. Where applications once consisted of a brief questionnaire, carriers now require detailed technical documentation, evidence of control implementation, and in some cases third-party security assessments. Districts that cannot demonstrate specific controls, particularly multi-factor authentication and endpoint detection, face declination rather than higher premiums. This shift makes insurance readiness functionally equivalent to security baseline compliance, and districts should approach their insurance application as a security audit rather than a paperwork exercise.

02

Common Underwriter Requirements

Cyber insurance underwriters have converged on a core set of security controls that they consider prerequisites for coverage. Multi-factor authentication is universally required for email access, remote access, and privileged accounts, with many carriers extending the requirement to all user authentication. Endpoint protection must go beyond traditional antivirus to include endpoint detection and response capabilities with automated threat containment. Email security controls must include anti-phishing, anti-spoofing, and attachment sandboxing capabilities.

Backup and recovery requirements have become highly specific. Underwriters expect offline or immutable backups of critical systems, documented and tested recovery procedures, and recovery time objectives of 72 hours or less for essential operations. The backup infrastructure itself must be protected from ransomware through network segmentation and separate authentication. Incident response plans must be documented, tested within the past twelve months through a tabletop exercise, and include provisions for engaging legal counsel and forensic investigators.

Employee security awareness training must be conducted at least annually with phishing simulation testing. Network segmentation is required to limit lateral movement, with particular emphasis on separating administrative systems from instructional networks and isolating operational technology. Vulnerability management programs must demonstrate regular scanning and timely patching, with critical vulnerabilities remediated within 30 days. Encryption of data, both at rest and in transit, is now a standard requirement, and underwriters ask specifically about the ability to inspect encrypted traffic for threats.

  • Multi-factor authentication for email, remote access, and privileged accounts
  • Endpoint detection and response on all managed devices
  • Email security with anti-phishing, anti-spoofing, and sandboxing
  • Offline or immutable backups with tested recovery procedures
  • Documented and tested incident response plan
  • Annual employee security awareness training with phishing simulation
  • Network segmentation between administrative, instructional, and guest networks
  • Vulnerability management with defined SLA for critical patch remediation
  • Encryption of data at rest and in transit

03

iboss Capability Mapping

The iboss SASE platform addresses a significant portion of underwriter requirements through its integrated architecture. For multi-factor authentication, iboss Zero Trust Network Access enforces identity verification at every access request, integrating with the district's identity provider to require MFA before granting access to any protected application or resource. This satisfies the underwriter requirement for MFA on remote access and can extend to all application access through ZTNA policies.

Web threat protection through the iboss Secure Web Gateway directly addresses underwriter expectations for network-layer security controls. The SWG inspects all web traffic including SSL-encrypted sessions, blocks known malicious domains and URLs, prevents command-and-control communication, and enforces acceptable use policies. The SSL decryption capability is particularly relevant to insurance applications because underwriters increasingly ask whether the district can inspect encrypted traffic, recognizing that the majority of threats now use HTTPS. iboss performs this inspection in the cloud without the performance degradation associated with on-premises SSL inspection appliances.

iboss data loss prevention capabilities address the encryption and data protection requirements by monitoring data in motion for sensitive content patterns such as student Social Security numbers, educational records, and financial data. The Zero Trust architecture inherently satisfies network segmentation requirements by enforcing micro-segmentation at the application level rather than relying solely on network-layer VLANs. Each user and device is granted access only to specifically authorized resources based on identity, device posture, and context, which constitutes the most granular form of segmentation available. When completing insurance applications, the district can reference iboss ZTNA as the primary mechanism for both access control and network segmentation.

04

Evidence Collection Guide

Insurance applications and audits require documented evidence that controls are not merely deployed but actively functioning. For each underwriter requirement, the district should maintain a standardized evidence package. Multi-factor authentication evidence should include the iboss ZTNA configuration showing MFA enforcement, the identity provider MFA policy configuration, and a report showing the percentage of users with MFA enabled. Export these from the iboss admin console under the ZTNA policy section and from your identity provider's reporting dashboard. Retain evidence for a minimum of three years to cover policy renewal cycles and potential claims investigation.

Web threat protection evidence includes iboss dashboard exports showing threat detection and blocking statistics, policy configuration screenshots demonstrating that SSL inspection is enabled for all user traffic, and malware blocking reports with category-level detail. The iboss reporting module provides exportable PDF and CSV formats suitable for submission to underwriters. Generate these reports monthly and archive them, as underwriters may request trailing twelve-month data during the application process.

For network segmentation evidence, export iboss ZTNA access policies showing which user groups can access which applications and resources. This demonstrates that the district enforces least-privilege access rather than granting broad network access. Supplement with network diagrams showing VLAN segmentation and firewall rules separating administrative, instructional, and guest network segments. Data protection evidence includes iboss DLP policy configurations and reports showing detection and blocking of sensitive data in transit. For backup and recovery, maintain documentation of backup configuration, the most recent backup test results, and recovery time achievement from the last test. Organize all evidence in a structured folder system indexed to the insurance application question numbers for efficient retrieval during renewal.

  • MFA: iboss ZTNA configuration export, identity provider MFA policy, user enrollment report
  • Web Protection: iboss threat dashboard exports (PDF/CSV), SSL inspection policy screenshots, monthly malware reports
  • Network Segmentation: ZTNA access policy export, network diagrams with VLAN documentation, firewall rule summaries
  • Data Protection: iboss DLP policy configuration, DLP detection/blocking reports, encryption status documentation
  • Backup & Recovery: Configuration documentation, most recent test results, recovery time achievement records
  • Incident Response: Current IR plan with revision date, tabletop exercise after-action report, contact lists
  • Training: Completion reports by role, phishing simulation results with trend data, training content outline

05

Application Preparation Checklist

Begin insurance application preparation at least 60 days before the renewal date. The pre-application audit should verify that every control claimed on the application is currently operational and producing the expected results. This means actively testing MFA by attempting to log in without a second factor and confirming the attempt is blocked, verifying that iboss SSL inspection is processing traffic by checking decryption statistics, confirming that backups completed successfully within the past 48 hours, and validating that the incident response plan reflects current contact information and procedures.

For each control area on the application, prepare a written narrative of no more than two paragraphs describing the control, how it is implemented, and how it is monitored. Underwriters increasingly conduct phone interviews as part of the application process, and having prepared narratives ensures consistent, confident responses. Identify any gaps between current controls and application requirements before beginning the application. For each gap, document a compensating control that partially mitigates the risk and a remediation plan with timeline. Underwriters are more likely to provide coverage with a documented remediation plan than to accept a gap with no plan.

Assemble the evidence package described in the Evidence Collection Guide and organize it for submission. Many carriers now use online portals that accept document uploads. Prepare a summary index that maps each uploaded document to the specific application question it supports. Have the IT Director, a governance committee member, and legal counsel review the completed application before submission to ensure accuracy and consistency. Misrepresentation on an insurance application, even if unintentional, can void coverage at claim time.

  • Begin preparation 60 days before renewal date
  • Verify all claimed controls are operational through active testing
  • Prepare two-paragraph control narratives for each application section
  • Identify gaps and document compensating controls with remediation timelines
  • Assemble and index evidence package mapped to application questions
  • Conduct IT Director, governance committee, and legal review before submission
  • Confirm insurance broker has current district security documentation
  • Schedule underwriter phone interview preparation meeting with key technical staff
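
The pre-application audit described above can be run against a simple evidence index before anything is claimed on the form. The following is an added example, not iboss or carrier tooling: the record layout and key names are hypothetical, the thresholds (48-hour backup recency, 72-hour recovery time, twelve-month tabletop and training windows, trailing twelve monthly reports) come from this checklist, and twelve months is approximated as 365 days.

```python
from datetime import datetime, timedelta

# Freshness limits from the checklist text; key names are hypothetical.
LIMITS = {
    "backup_success": timedelta(hours=48),      # backup completed in past 48 hours
    "tabletop_exercise": timedelta(days=365),   # IR plan tested in past twelve months
    "awareness_training": timedelta(days=365),  # training at least annually
}
RTO_LIMIT_HOURS = 72   # recovery time objective for essential operations
TRAILING_MONTHS = 12   # monthly reports an underwriter may request

def missing_months(report_months, as_of, months=TRAILING_MONTHS):
    """Return 'YYYY-MM' labels in the trailing window with no archived report."""
    have = set(report_months)
    idx = as_of.year * 12 + as_of.month - 1  # zero-based index of the current month
    window = [f"{(idx - k) // 12:04d}-{(idx - k) % 12 + 1:02d}"
              for k in range(1, months + 1)]
    return sorted(label for label in window if label not in have)

def audit(evidence, as_of):
    """Return (control, finding) gaps to resolve before submitting the application."""
    gaps = []
    for control, limit in LIMITS.items():
        when = evidence.get(control)
        if when is None:
            gaps.append((control, "no evidence on file"))
        elif as_of - when > limit:
            gaps.append((control, f"stale: last dated {when:%Y-%m-%d %H:%M}"))
    rto = evidence.get("last_recovery_test_hours")
    if rto is None or rto > RTO_LIMIT_HOURS:
        gaps.append(("recovery_time", f"last test {rto} h, limit {RTO_LIMIT_HOURS} h"))
    for label in missing_months(evidence.get("monthly_reports", []), as_of):
        gaps.append(("web_threat_report", f"missing archive for {label}"))
    return gaps

# Constructed sample evidence index (not real district data).
AS_OF = datetime(2025, 3, 15, 9, 0)
SAMPLE = {
    "backup_success": datetime(2025, 3, 12, 2, 0),      # 79 hours old
    "tabletop_exercise": datetime(2024, 6, 10, 13, 0),
    "awareness_training": datetime(2024, 9, 3, 8, 0),
    "last_recovery_test_hours": 60,
    "monthly_reports": [f"2024-{m:02d}" for m in range(3, 13)] + ["2025-01"],
}

if __name__ == "__main__":
    for control, finding in audit(SAMPLE, AS_OF):
        print(f"{control}: {finding}")
```

Each gap it reports should either be closed or written up with a compensating control and remediation timeline before submission.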

06

Claims Readiness

Preparing for a potential insurance claim before an incident occurs dramatically improves the likelihood of successful coverage. Claims readiness means having the documentation infrastructure, preservation procedures, and contact information in place so that the first hours of an incident are spent on containment rather than scrambling to understand the policy requirements. The single most common reason cyber insurance claims are disputed is insufficient documentation of the incident timeline and response actions.

When an incident occurs, the claims process requires a detailed timeline beginning from the earliest indicator of compromise through complete recovery. Every action taken by district staff, the iboss platform, and third-party responders must be documented with timestamps. iboss logs are critical evidence and must be preserved immediately upon incident detection. Configure iboss log retention for a minimum of 90 days for standard logs and implement a legal hold procedure that extends retention indefinitely for logs related to an active incident. The iboss cloud platform retains logs according to the subscription tier, but the district should export and archive incident-relevant logs to district-controlled storage as a backup.

Maintain a current contact list that includes the insurance carrier's claims hotline and policy number, the assigned broker contact, pre-approved forensic investigation firms from the carrier's panel, breach counsel from the carrier's panel, and law enforcement contacts at the local FBI field office and state fusion center. Many cyber insurance policies require that the district use the carrier's approved vendors for forensic investigation and legal counsel. Using non-approved vendors without prior authorization can result in those costs being excluded from coverage. Test the claims notification process annually by conducting a dry run with the carrier, confirming that the district knows exactly how to file a claim, what documentation is required in the first 24 hours, and what actions require carrier approval before proceeding.

  • Maintain incident timeline documentation from first indicator through full recovery
  • Preserve iboss logs immediately upon detection; implement legal hold procedures
  • Export incident-relevant logs to district-controlled storage within 24 hours
  • Keep current contact list: carrier claims hotline, broker, approved forensic firms, breach counsel
  • Use only carrier-approved vendors for forensics and legal to preserve coverage
  • Retain all notification records: who was notified, when, and through what channel
  • Conduct annual claims process dry run with insurance carrier
  • Maintain offline copy of insurance policy with coverage limits and exclusions for reference during incident