Public Risk Sept/Oct 2021 by Moire Marketing Partners

PUBLISHED BY THE PUBLIC RISK MANAGEMENT ASSOCIATION SEPTEMBER/OCTOBER 2021

BACK TO SCHOOL BEST PRACTICES PAGE 7

ALSO IN THIS ISSUE

SCHOOL PROPERTY REPLACEMENT COSTS ARE RISING PAGE 12

CYBERSECURITY FOR K-12 SCHOOLS:

Key Risks and Recommendations

PAGE 17

NATIONAL CYBER SECURITY AWARENESS MONTH

Do Your Part. #BeCyberSmart. PRIMA’s 2021 Cyber Security Toolkit offers weekly education: WEEK 1

Making Cyber Smart Choices

WEEK 2

Phishing

WEEK 3

Emerging Trends in Cyber Risk Management

WEEK 4

Putting Cybersecurity First

LEARN WITH: Podcasts

Infographics

Videos

Be on the lookout for additional resources courtesy of Travelers

White Papers

SEPTEMBER/OCTOBER 2021 | Volume 37, No. 5 | www.primacentral.org

CONTENTS

The Public Risk Management Association promotes effective risk management in the public interest as an essential component of public administration.

PRESIDENT Melissa R. Steger, MPA, CRM Asst. Dir., WCI & Unemployment Ins. University of Texas System Austin, TX PAST PRESIDENT Sheri D. Swain Director, Enterprise Risk Management Maricopa Community Colleges Tempe, AZ PRESIDENT-ELECT JamiAnn N. Hannah, RMPE Risk Manager City of Gallatin Gallatin, TN DIRECTORS Dana S. Henderson, CWCP Risk Manager Town of Mount Pleasant Mount of Pleasant, SC Steve M. LePock, II Risk Manager Virginia Beach City Public Schools Virginia Beach, VA

Health and Safety Programs for the New School Year By Cherri Lindquist, BSN, RN, CCM

Ann-Marie A. Sharpe, ARM, RMPE Director, Risk Management City of Miami Miami, FL Laurie T. Olson Sr. Risk Management Consultant City/County Insurance Services Salem, OR Adam F. Maxwell, CLRP Director, Administrative Services City of Westerville Westerville, OH Michael S. Payne, ARM, HEM Risk Manager City of Reno Reno, NV NON-VOTING DIRECTOR Jennifer Ackerman, CAE Chief Executive Officer Public Risk Management Association Alexandria, VA EDITOR Claire Howard Manager of Marketing & Communications 703. 253.1262 | choward@primacentral.org ADVERTISING Claire Howard Manager of Marketing & Communications 703. 253.1262 | choward@primacentral.org

12 School Property Replacement Costs Are Rising By Jonathan Hirt, CPCU

IN EVERY ISSUE

Cybersecurity for K-12 Schools: Key Risks and Recommendations

By Joey Sylvester

| 4 NEWS BRIEFS | 20 ADVERTISER INDEX

Public Risk is published 6 times per year by the Public Risk Management Association, 700 S. Washington St., #218, Alexandria, VA 22314 tel: 703.528.7701 • fax: 703.739.0200 email: info@primacentral.org • Web site: www.primacentral.org Opinions and ideas expressed are not necessarily representative of the policies of PRIMA. Subscription rate: $140 per year. Back issue copies for members available for $7 each ($13 each for non-PRIMA members). All back issues are subject to availability. Apply to the editor for permission to reprint any part of the magazine. POSTMASTER: Send address changes to PRIMA, 700 S. Washington St., #218, Alexandria, VA 22314. Copyright 2021 Public Risk Management Association

SEPTEMBER /OCTOBER 2021 | PUBLIC RISK

Every community has a story. We can help protect yours. Travelers has solutions designed specifically for public entities. Our public entity experts work with local communities to design insurance programs tailored to their unique challenges – from public safety to catastrophic weather to online breaches of sensitive data. We are dedicated to helping communities protect themselves from the unexpected, so that they can continue to tell their stories. To learn more, contact your independent agent or broker.

travelers.com © 2020 The Travelers Indemnity Company. All rights reserved. Travelers and the Travelers Umbrella logo are registered trademarks of The Travelers Indemnity Company in the U.S. and other countries. CP-9453 Rev. 3-20

MESSAGE FROM PRIMA PRESIDENT MELISSA STEGER

Ensuring the safety of your school and work in the midst of the Delta COVID Variant

s we experienced a sneak peek at post pandemic life before resurrection of the delta variant, cybersecurity and the semantics of returning to in-person classes have emerged as hot topics. The public sector is a treasure trove of data for hackers with the abundance of sensitive information and the varied systems to which the information is shared. The pandemic added the increased demand for services during a time of extremely limited resources causing cybercriminals to drool with opportunity. Chief Information Security Officers and Chief Information Officers in public sectors continue to be heavily involved operationally in combatting potentially impactful cyber threats to organizations. The need for enhanced security and cybersecurity training is heightened as employers contemplate the business decision of whether employees will permanently work remote or return to the office for all or a portion of their work week. With a new school year looming amid a subsequent COVID surge, administrators are grappling with a slurry of contentions challenging the consideration of returning students and teachers to an in-person setting. How do schools reopen, what should the plan include, and how do they return to in-person classes safely? There are so many concerns and uncertainty placing obstacles in the way of hitting what’s currently a quickly moving target. To mask or not to mask? To vaccinate or not vaccinate? To social distance or not? To screen or not screen? The questions are plentiful and navigating where to get and how to deliver accurate and relevant information can be overwhelming. In the absence of noise from the pandemic, honest answers reside in the focus of safety and education for students.

Many entities learned that shifting

a simple process in one section of the

organization has a butterfly effect on others

making communication a must for successful resiliency. The ERM strategy will help public entities identify and plan for threats in an organizational-wide manner.

Post-pandemic public risk management will hold a strong focus on business continuity and emergency preparedness. Public entities who have not yet shifted to enterprise risk management (ERM), may now consider the model. The pandemic elevated the importance of cross-organizational communication. Many entities learned that shifting a simple process in one section of the organization has a butterfly effect on others making communication a must for successful resiliency. The ERM strategy will help public entities identify and plan for threats in an organizational-wide manner. PRIMA offers ERM training that teaches an integrated and organizational-wide approach to risk management. The course focuses risk as an uncertainty that embraces opportunities through risk-taking and structured decisionmaking. The skills taught are certainly beneficial as we momentarily gleaned on a post-pandemic

moment. Although historically in-person, the ERM classes shifted to virtual in response to COVID-19. PRIMA hosted 100 attendees through two virtual ERM trainings so far in 2021, and in response to high demand, PRIMA staff is currently planning a third class slated for late November or early December 2021. We would love to host you if you’re interested in mastering the model. Continue watching the PRIMA website for updates on the next session Sincerely,

Melissa R. Steger, MPA, CRM PRIMA President 2021–2022 University of Texas System Austin, TX

SEPTEMBER /OCTOBER 2021 | PUBLIC RISK

NEWS BRIEFS

NEWS Briefs

WHY ACADEMIC INSTITUTIONS ARE AT RISK OF CYBER ATTACKS, AND THE LIBRARY’S ROLE IN CYBER SECURITY AND RISK ASSESSMENT August 13, 2021 | Springer Nation, Research Information We live in an increasingly interconnected world. While this gives us the advantages to access information and resources from any device in almost any location, it also makes our networks vulnerable to cyberattacks. And the pace of cyberattacks is increasing. Statistically, a ransomware attack occurs every eight minutes. Not only companies in the field of telecommunication or financial services are the target of criminals. In the past years a number of academic institutions worldwide have been confronted with ransomware attacks, stealing personal information from university students and employees, such as addresses, phone numbers, social security numbers, academic progress reports and financial documents. In some cases, this data then gets posted on the dark web where it can be used for criminal activities. Thirty years ago, libraries were not as connected to the rest of the university as they are now, explains Alan Brill, senior managing director in the Cyber Risk practice of Kroll, and a fellow of the Kroll Institute. Libraries used to be semi-autonomous, they used systems that just worked in the library setting. Now everything is interconnected and students can reach the library through the university network. At the same time the library can reach out to students, faculty, staff and other libraries, all through a network. This interconnectedness between the library and the institutions is being exploited by cyber criminals. According to the Scholarly Networks Security Initiative the higher education sector in particularly is facing cyberattacks due to the large amount of personal and research data that universities and library systems store routinely. A report published by the National Cyber Security Centre shows that the university sector was the third most vulnerable to cyberattack.

So how can academic institutions protect themselves from these attacks? Read more: https://www.researchinformation.info/viewpoint/why-academic-institutionsare-risk-cyber-attacks-and-library-s-role-cyber-security-and

PUBLIC RISK | SEPTEMBER /OCTOBER 2021

VIDEO SURVEILLANCE RECOMMENDATIONS FOR HIGHER EDUCATION CAMPUSES August 13, 2021 | Frank Pisciotta. Security Infowatch.com Does adding more video cameras to a campus security system make it more effective? The number of cameras on higher education campuses can range from hundreds to more than a thousand. The camera feeds are then piped into elaborate video walls where security/dispatch personnel sort through it. While it looks impressive, how effective is this set up? Not very effective. This article is intended to offer guidance on how to avoid the common mistakes in video surveillance use on campus and get the maximum value from the investment. To borrow a concept from the U.S. Marine Corps, consider a timeline representing an event, “Bang,” where “Left of Bang” is the proactive side of the event and where you want to operate. Too often campuses are operating in the reactive “Right of Bang” mode with video surveillance. The following strategies are presented to shift campus security administrators to a proactive posture: • Classify all campus cameras by their function (s) at the earliest point when a camera is being considered. Ideally, this would be done as part of a campus security risk assessment. The function of the camera drives many other engineering factors, so it is an essential first step in determining whether it will fit the purpose in a criminal attack or not. • Increase the intelligence of the cameras on both sides of “Bang”. • Improve the way in which campus dispatch or security personnel interface with the video management system for enhanced incident prevention, response and investigation. • Rightsizing the data flow, storage and dispatch interaction with the video images consistent with specific campus needs and risk mitigation strategies. Read more: https://www.securityinfowatch.com/video-surveillance/article/21230256/videosurveillance-recommendations-for-higher-education-campuses

IF YOU HAVE UNVACCINATED KIDS, ACT LIKE ‘NOBODY IN HOUSEHOLD’ IS VACCINATED, EXPERTS URGE — AND MORE BACK-TOSCHOOL ADVICE

PREVENTION: GET OFF TO A HEALTHY START WITH ANNUAL BACK-TO-SCHOOL CHECKUP

August 23, 2021 | Hannah Furfaro, Seattle Times

Families are counting down the days until school starts. Yet, whether our children’s education will be in-person or remote or a combination of the two, our resiliency is being tested again.

Coronavirus cases in Washington are nearing peaks not seen in six months — and for parents readying for a new school year, navigating the path back to classrooms is suddenly fraught with tough questions. Will safety measures like masking and ventilation be enough to curb classroom outbreaks? How might the delta variant confound plans for in-person learning? And since masks are mandatory again, which ones are best for kids? We turned to experts to weigh in on all the ways the delta variant is fueling uncertainty, how parents can talk with kids about this stage of the pandemic and what safety measures to expect when school doors open in a few weeks. What do parents need to know about the delta variant? Researchers now have good evidence that the delta variant is significantly more transmissible than prior variants. And even though vaccinated people seem to be protected from severe illness and death, research suggests they can still transmit the virus. Kids have largely fared better than adults during the pandemic. They are far less likely to get sick, and it’s uncommon for them to be hospitalized or die from COVID-19; in Washington, children up to age 19 make up about 2% of all COVID-19-related hospitalizations, for instance. But an Aug. 12 report from the American Academy of Pediatrics suggests the share of COVID-19 cases cropping up in children and teens is increasing nationwide. Over the course of the pandemic, kids made up about 14.4% of cases; in the week ending Aug. 12, they made up 18%. Because delta is more virulent, and overall cases are skyrocketing, the total number of infected kids — and the number winding up in the hospital — is increasing, too. When parents of unvaccinated children are making decisions about going out into the community, they “need to behave as if nobody in the household is vaccinated,” said Elizabeth Meade, immediate past president of the Washington Chapter of the American Academy of Pediatrics. Meade said her family behaves as they did a year ago: They avoid crowds and everyone wears masks in public indoor spaces. Read more: https://www.seattletimes.com/education-lab/if-you-have-unvaccinated-kidsact-like-nobody-in-household-is-vaccinated-experts-urge-and-more-back-toschool-advice/

August 23, 2021 | Dr. Jessica Lohff-Phillips, Registered Guard

Recently, Oregon announced that masks will be mandatory for all children in public schools. While parents prepare their children for in-person learning, it is helpful to be flexible and vocalize to them that the plan may change. Our children mirror our behavior, doubling the importance of adults demonstrating thoughtful behavior and adaptability. Saying ”This is hard, but we’ll figure it out” may help your child cope. Whatever the format for learning ends up being, this is the right time to take care of your child’s health needs. Back-to-school health visits typically include an exam and discussions about immunizations, sleep routines, screen time and safety issues, such as bullying. However, your child’s doctor visit is based on your specific concerns. I often talk to families about reestablishing bedtime routines two weeks before school starts because children will get into the swing of classroom activities more easily if they are not feeling jet-lagged. We’ll also talk about limiting recreational screen time – on any screen – to two hours a day. As a bonus, your children may sleep better because they aren’t getting as much blue light from their devices. Of course, educational screen time is in addition to the recommended two hours. I can team with parents to talk to their children about their mental health. For example, if children are more grumpy, resistant or tearful than usual, the visit could include recommendations and referrals to keep those feelings from becoming a barrier to learning and socializing. Teenagers are already coping with peer pressure, sexuality, smoking and vaping, but now the pandemic has caused some to cope with isolation by taking risks. Others have become depressed or anxious. Chronic depression could be exacerbated by the pandemic. Read more: https://www.registerguard.com/story/news/2021/08/23/prevention-get-offhealthy-start-annual-back-school-checkup-kaiser-permanente/8221024002/

SEPTEMBER /OCTOBER 2021 | PUBLIC RISK

Create an ORGANIZATIONAL CULTURE that proactively MANAGES RISK

VIRTUAL SCHEDULE

ENTERPRISE RISK MANAGEMENT TRAINING DAY 1: NOV 30 DAY 3: DEC 6 12 – 2 PM EST 12 – 2 PM EST DAY 2: DEC 2 DAY 4: DEC 8 12 – 1:30 PM EST 12 – 2 PM EST

VISIT PRIMACENTRAL.ORG/ERMTRAINING

HEALTH AND SAFETY PROGRAMS

FOR THE NEW SCHOOL YEAR

BY CHERRI LINDQUIST, BSN, RN, CCM

s schools continue to open their doors for in-person learning, it’s vital that they are ready with programs to protect the health of their students and staff.

SEPTEMBER /OCTOBER 2021 | PUBLIC RISK

HEALTH AND SAFET Y PROGRAMS FOR THE NEW SCHOOL YEAR

Schools need to put plans in place to protect students and staff from diseases such as COVID-19 — especially with the rise of infections fueled by the highly contagious Delta variant. While the vaccines are effective, they do not guarantee immunity against COVID-19. Furthermore, children under 12 are not currently eligible for vaccination and there are low levels of vaccination among ages 12-17 — ages that encompass most students. Additionally, after over a year of remote learning, both students and staff are now becoming ill with everyday viruses such as the common cold and respiratory syncytial virus (RSV), which is currently surging in children, as reported by NPR. Dr. Pia Pannaraj, an infectious diseases specialist at Children’s Hospital in Los Angeles explained to NPR, “Last year, during all of the COVID-19 outbreaks and all of our social restriction measures, we did not see RSV the way we normally see it.”

That’s why it’s important to apply a variety of strategies to help better protect your school from COVID-19; Strategies that can also protect students and staff from other communicable diseases and illnesses. Here’s how.

A MULTI-LAYERED APPROACH

The CDC suggests that schools take a multi-layer approach to protect staff, students, and their families from the pandemic. This approach includes several preventative measures including sanitization practices, physical and distance barriers, screening testing, vaccination strategies, and more. By following multiple techniques, including those recommended by the CDC, you can help your school decrease the risk of COVID-19 exposures for staff and student communities.

SANITIZATION AND PHYSICAL BARRIER PRACTICES Your school most likely already applies several sanitization and physical barrier practices, like

social distancing, disinfecting, and ventilation. However, make sure you stay up-to-date with the CDC’s recommendations to ensure you are applying these practices properly. The CDC continues to recommend mask usage for those who are not fully vaccinated and for other circumstances, especially when people are unable to maintain physical distancing. Another strategy is to improve ventilation. Examples include opening windows/doors, using special fans, and/or updating your air filtration. When it comes to hygiene, encourage students and staff to properly wash and sanitize their hands often. They must also be courteous of others by practicing respiratory etiquette, covering coughs and sneezes. Cleaning and disinfecting are important parts of reducing exposure to infection. The CDC provides a guide of when and how to clean and disinfect surfaces.

An important measure in lessening spread is to screen students, staff, vendors — anyone who enters your school — for symptoms of and exposure to COVID-19. This method can help minimize the spread of not only COVID-19 and other common illnesses in your school and your community.

PUBLIC RISK | SEPTEMBER /OCTOBER 2021

As always, ensure that these practices are aligned with your local health department guidelines.

SCREENING FOR EVERYONE

An important measure in lessening spread is to screen students, staff, vendors – anyone who enters your school – for symptoms of and exposure to COVID-19. This method can help minimize the spread of not only COVID-19 and other common illnesses in your school and your community. Daily health screenings allow users to indicate whether or not they are experiencing symptoms of COVID-19. Users that are experiencing symptoms or have been exposed to COVID can then self-isolate. Screening users before they enter the school helps to prevent symptomatic or exposed persons from exposing others. Your organization will want to utilize a screening solution that can be done virtually, at-home. Early detection will help minimize any disruption in both the students’ education and the staff’s attendance.

TESTING AND VACCINATION MANAGEMENT

The CDC recommends testing for COVID-19 for varied reasons including known exposures to COVID-19 as well as if someone is experiencing COVID-19 symptoms. According to the CDC, “Screen testing identifies infected people, including those with or without symptoms (or before development of symptoms) who may be contagious, so that measures can be taken to prevent further transmission.” The CDC recently expanded guidance for individuals to be tested, including even if fully vaccinated. With a testing and vaccination report management process, you can decide who and how often someone needs to take part in screening testing. In addition, testing and vaccination management will help you to keep track of testing results. The CDC states “screening testing should be done in a way that ensures the ability to maintain confidentiality of results and protect student, teacher, and staff privacy.” A secure, third-party tool will allow users to confidently submit their test results.

REPORT ABSENCES

Consider a digital tool that houses all your employee benefits. That way, employees can find everything they need to get the care they need in one place. From finding providers to having access to their virtual insurance card, employees can complete their provider visits with ease.

The pandemic has impacted the education of students everywhere. If a teacher or other staff member calls out sick last-minute, have an easy and efficient absence reporting system. This allows the school to quickly find a substitute and to avoid the disruption of learning.

ALERT NOTIFICATION SYSTEM

Screening and testing management can help schools and organizations to keep those with confirmed and suspected cases of COVID-19 home.

ACCESS TO BENEFITS

If an employee is positive for COVID-19 or other diseases, or suspects they may have been infected, help them get the care they need so they can return to work healthy. Make sure they have quick, easy access to their health benefits. The last thing a sick employee needs is confusion about where and how to get care.

Having a robust alert system allows schools to notify students and staff quickly with important information. For example, if your school has a COVID-19 outbreak, you’ll want to make sure that you can alert all your students and staff immediately and in a format that they can easily access. Notifying everyone who might enter your school of the outbreak will allow them to stay home to avoid infection or, if they have already been infected, further transmission.

SEPTEMBER /OCTOBER 2021 | PUBLIC RISK

HEALTH AND SAFET Y PROGRAMS FOR THE NEW SCHOOL YEAR

Look for a system that allows for a variety of channels, such as text, email, voice, so that you can send communications in a way that works best for your school. With the right system, you can help keep your school safe and informed.

COMMUNICATE SAFETY PLANS AND PROCEDURES

Once you decide on which programs to implement, it’s important to properly communicate them. The CDC provides resources and editable content to communicate safety plans and procedures. With consistent, open communication, you can help everyone adhere to safety

PUBLIC RISK | SEPTEMBER /OCTOBER 2021

rules to help protect your school and everyone who enters.

RECORD KEEPING

Consider how your employees will enter screening, testing, and vaccination information, as well as how your organization will protect this PII (Personally Identifiable Information) and PHI (Protected Health Information) when receiving and storing. An excel sheet stored on your HR manager’s desktop can’t fully protect this information. Look for a screening, testing, and vaccination management program that allows your organization’s users to input their information safely,

with user verification. You should also ensure this program stores this information securely, in a password-protected admin portal. Managing this information also allows your organization to prove it is adhering to COVID-19-related guidelines and regulations. Your organization can show that it is asking the right questions and providing employees with the right processes for screening, testing, and vaccination. Cherri Lindquist, BSN, RN, CCM, is a Clinical Nurse Manager at Company Nurse LLC.

RESOURCE Mentorship Program

ENROLL AS A MENTEE OR MENTOR TODAY! CREATING THE NEXT GENERATION OF RISK PROFESSIONALS primacentral.org/membership/nextgen

SCHOOL PROPERTY REPLACEMENT COSTS ARE RISING Updating the Ratio of ‘Insurance to Building Value’ Adds Protection Against Losses

PUBLIC RISK | SEPTEMBER /OCTOBER 2021

BY JONATHAN HIRT, CPCU

ne of the more challenging aspects of school facilities management is calculating building replacement costs. With school buildings today valued in the tens of millions of dollars, not having enough insurance to cover a loss could be financially devastating for your school or college.

SEPTEMBER /OCTOBER 2021 | PUBLIC RISK

SCHOOL PROPERT Y REPL ACEMENT COSTS ARE RISING

A volatile market for building materials, a shortage of skilled construction labor and increasingly complex building specifications for schools is making it harder for administrators to accurately value their property. Luckily, there are some things you can do to ensure that your insurance policy will cover a big claim. Let’s begin by reviewing how your property insurance works. Your policy covers certain perils — such as fire, vandalism, theft, burst pipes, windstorms and other weather-related catastrophes — subject to the limits and deductibles in your policy. For schools and colleges with multiple buildings, there usually is an individual limit on each building and a blanket limit that includes all of the buildings being insured. For example, if your school has ten buildings, each valued at $10 million, your blanket limit would be $100 million.

THE ADVANTAGE OF BLANKET COVERAGE

Suppose one of those buildings burns down, and you have to replace it at a cost of $15 million. Despite it being significantly undervalued, your policy may very well pick up the full cost since you have a blanket of $100 million. Bear in mind that your claims during the year cannot exceed your blanket amount. While having blanket limits seems like a no-brainer, it’s important to realize that not all buildings may qualify as part of the blanket. An older building that’s not in very good condition or is currently vacant may be insured outside of the blanket. Insurers will also put special conditions on some buildings. They may not insure them at full replacement cost. Instead, they may offer actual cash value, which could be substantially less than the cost of replacement. Or a building may be subject to higher deductibles. Some policies have a margin clause that limits the amount the insurer will pay. Let’s say a policy has a 120 percent margin. Using the same example as above, this means the most the policy will pay out for a building is $12 million (120 percent of $10 million). This protects the insurance company when buildings are

PUBLIC RISK | SEPTEMBER /OCTOBER 2021

underinsured, so be aware of these clauses when you purchase or renew a policy.

COINSURANCE PENALTIES FOR UNDERVALUED BUILDINGS

While blankets give you leeway if you’ve undervalued a single building, they are not without their conditions. Most insurers will only write full coverage based on agreed values, meaning the value of your property must be considered reasonable from an underwriting standpoint. Absent agreed values, the insurer may impose a coinsurance penalty of 80 percent, 90 percent or 100 percent of the building’s value. For example, 80 percent coinsurance means if your building is valued at less than 80 percent of its replacement value at the time of a loss, there will be a penalty. The penalty is calculated by dividing the insured’s limit by what the limit should have been, and multiplying that result by the amount of the loss. To illustrate, let’s say a $10 million building is only insured for $5 million, and there is an 80 percent coinsurance penalty. The building suffers a $4 million loss. In this example, the building should have been insured for $8 million (80 percent of $10 million). To calculate the payout amount, the insurance company would divide $5 million by $8 million, then multiply by $4 million. That is, 5/8 (.625 percent) X $4 million equals a $2.5 million payout (less the applicable policy deductible). The school would have to pay a coinsurance penalty of $1.5 million. As you can see, it’s important to accurately calculate the value of your buildings. Otherwise, you may find yourself paying for millions of dollars of uninsured losses.

SCHOOLS SHOULD REVIEW VALUES ANNUALLY

You can stay on top of values by reviewing your policy limits annually. Most insurers will suggest that you trend up the values each year by a certain percentage. Over the last few years, these upward valuations have averaged 3–4 percent. This year, they could be substantially higher because of recent increases in construction costs.

Underwriters don’t like to see accounts that haven’t trended up their values in a while. In those cases, the insurer may need to increase values 20–30 percent or more, just to catch up to where the policy should have been. That could represent a fairly hefty increase in your premiums. In addition to trend adjustments, it’s important to get an appraisal every five years. A replacement-cost appraisal provides the most accurate picture of a building’s condition and value, whether it meets code requirements and if its systems are up to date. If the building has been trended properly, there shouldn’t be any surprises when the appraisal comes in. The appraisal then becomes the new insurance-tovalue benchmark for the building. There are other replacement-cost estimating tools available, but they won’t be as accurate as an appraisal. These cost estimators will allow you to benchmark your buildings between appraisals. In addition, your insurance broker should have data available on building replacement costs.

NOT ALL SCHOOLS ARE THE SAME

Valuations can vary, depending on the location, type of structure, the age and the condition of the building. A 100-year-old brick and stone building will be valued higher than one constructed of decorative concrete block since it will be more expensive to replace the historic building. Smart boards, high-definition projectors and computers can also add to the cost. On the outside of the school, electronic scoreboards, turf fields and a press box can increase replacement values, too. Other expensive areas, which most schools have, include the gymnasium, library, an auditorium, and art, science and distributive education classrooms. Keep in mind that your insurance policy will generally cover property within 1,000 feet of the premises. That includes fencing, signs, tracks, ball fields and out buildings.

INSURANCE COVERAGE TIPS

Your agent or broker can help you understand how buildings are valued and determine the

most advantageous way of insuring them. Here are a few points to consider: • Make sure your policy has ordinance loss coverage. This covers the costs associated with meeting any new building code requirements or laws such as the Americans with Disabilities Act. • Check to see if your policy includes business income and extra expense, a coverage that replaces income and pays for extra expenses if your school is shut down due to a covered loss. For example, if you had to bus students to another location while your school was being rebuilt, business income and extra expense would pick up the cost of transportation and renting temporary space. • You may need to raise the limits on your personal property-of-others coverage, which protects personal items that are on your premises. This could include equipment

and supplies, mobile devices, artwork and musical instruments. • Don’t neglect to include the value of structures on your grounds that aren’t part of the building, such as a brick wall, landscaping features, lights and signs. • Make sure your occupancy is correctly noted on the policy schedule. If a building is vacant for a certain number of days, your policy may not cover perils such as vandalism. Some carriers will allow you to maintain your coverage through a vacancy permit endorsement. • While most policies cover sewer and drain backups, they don’t cover flooding. Talk to your agent or broker about coverage for surface water runoff and flooding if your building is in a low-lying area or near a body of water. You can check to see if a building is in a flood zone on the FEMA website.

• Keeping your buildings up to date and installing safety features such as temperature sensors can reduce your risk exposure and may lower your premiums. Raising your deductibles can also save money. Recent price hikes in building materials such as lumber, steel and PVC pipe have made determining accurate building valuations even more critical for schools and colleges. Don’t put off updating your property insurance coverage. Make sure your insurance to value is where it needs to be. Jonathan D. Hirt, MBA, CPCU, is vice president of underwriting for Wright Specialty Insurance in Garden City, New York.

SEPTEMBER /OCTOBER 2021 | PUBLIC RISK

NOMINATE A COLLE AGUE OR YOURSELF FOR PRIMA’S NEWES T AWARD PRIMA wants to recognize our long-term members who have made outstanding contributions to PRIMA and the public risk management industry. QUALIFIC ATIONS FOR AWARD: 1. Member of PRIMA for 15 years or more 2. Advancement of PRIMA membership goals 3. Knowledge of public entity risk management skills, industry goals, and trends THE AWARD WINNER WILL RECEIVE: • A framed and personalized Certiﬁcate of Excellence • A one-page spotlight in the Public Risk magazine • Celebratory announcements on PRIMA’s social media, including a photo and quotes

FIND THE NOMINATION FORM AT primacentral.org > Community > Awards & Recognition

Submit your nominations by

OCTOBER 14, 2021

CYBERSECURITY for K-12 Schools:

Key Risks and Recommendations

BY JOEY SYLVESTER

T IS SAD BUT TRUE. Threat actors from across the globe are

targeting U.S.-based organizations, critical infrastructure and, yes, our public education sector. These malware threats are intended

to cause chaotic disruption, invade privacy, and create significant financial consequences for public school districts.

Ransomware attacks have proliferated at an alarming pace over the last few years. In Coveware’s 2021 Q2 report identifying ransomware trends across all industry sectors, public sector ranked as the top industry targeted by Ransomware, at 16.2 percent among all industries. Out of all the known ransomware events in Q2 of this year, one in six targeted the public sector. It may be because public entities and schools have fewer staff and less money dedicated to cybersecurity, and aging cyber infrastructure.

Many cyber insurers have seen losses escalate within the public sector. As a result, carrier appetite has tightened considerably and underwriting requirements have become increasingly stringent. Sub-limits and coinsurance provisions have become commonplace, especially with regard to ransomware losses.

The simple fact is that K-12 schools must operate and must continue to educate; education is an essential public service. Threat actors know this and believe that ransoms will be paid because there can be no downtime.

Nearly all carriers are asking more pertinent questions related to ransomware, most often through the use of ransomware supplemental applications. Answers to these questions can take center stage during renewals depending on the controls that are in place.

The widespread vulnerabilities and hacks that have affected numerous districts around the country related to the Microsoft Exchange hack and Solarwinds have only compounded the problem, not to mention the many changes brought on by the onset of the Covid-19 pandemic.

Perhaps the most prominent control, and a key requirement for coverage these days, is MultiFactor Authentication (MFA). MFA requires a second factor, like a one-time use code or a push notification to a smartphone, in addition to a password, in order to gain access to the

CYBERSECURIT Y FOR K-12 SCHOOLS: KEY RISKS AND RECOMMENDATIONS

system to which MFA has been applied. For an employee working from home or accessing email remotely, the steps are simple: 1. Employees log in with their normal password 2. MFA is triggered and employees must then authenticate their account once more via a separate means, such as an app-specific notification on the employee’s smartphone 3. The MFA threshold is satisfied and access is granted. Were this to occur with a stolen password, here’s how that same scenario would play out: 1. Hacker uses stolen password to access the school systems remotely. 2. MFA is triggered and a notification is sent to the app on the school employee’s smartphone 3. Employee receives notification, declines the request, and the hacker is denied entry. 4. Employee alerts IT and passwords are reset, etc. Even if the original employee password has been stolen, it will be useless to an attacker that lacks possession of the required second factor. Research shows the vast majority of account-compromise attacks can be prevented by the presence of MFA. It is small wonder that insurance carriers view this with such importance and are now requiring the presence of MFA at multiple levels for policy renewals. There are a number of MFA solutions in the market today which can accommodate school districts of all sizes and budgets. We highly recommend contacting these vendors about setting up MFA for your school district sooner rather than later. It is important to note that underwriters are increasingly looking for MFA to be applied at multiple levels, and MFA is just ONE of many top underwriting concerns.

Examples of other requests from underwriters include: • MFA for administrator and privilegeduser access • MFA for access to critical backups • MFA for web access to email • Offline/offsite backups for critical data • Encryption on portable and employee devices • Employee training • Patch management • Endpoint Detection and Response (EDR) • Privileged Account Management (PAM) solutions In addition to implementing the above controls, it is highly recommended that school districts follow best practices such as: 9 Conducting cyber risk assessments, including: internal and external vulnerability scans, penetration testing, threat intelligence monitoring, investing in physical security around critical IT assets, and assessing insider threats. 9 Implementing robust IT security policies for data governance, data security, cyber risk management, physical and environmental security, compliance and maintenance. 9 Having a tailored and practiced Incident Response Plan that has an interdisciplinary approach across all departments and vendors that may be involved in the management of a cyber event. The IRP should be broad enough to encompass all types of cyber incidents which may occur, from data breaches to system-wide ransomware attacks and everything in between. More so, studies show that many such plans go untested and are not updated. Those that are tested often reveal major flaws. It is highly recommended that your response plan be reviewed and updated at least annually and tested to stay current with today’s threat landscape and your internal staff and structure. 9 Conducting a Table Top Exercise. This is a good way to put that incident response plan to the test. Carriers will want to see this as part of the renewal process and it is a

PUBLIC RISK | SEPTEMBER /OCTOBER 2021

good practice to incorporate. The best table top exercises will have an interdisciplinary approach just like the incident response plan. 9 Taking advantage of free resources. Many cyber carriers offer free or discounted resources to their policyholders. This can range from external scanning on an on-going basis, to free training for employees, and much more. 9 Conducting a thorough review of the cybersecurity posture of your Vendors and Subcontractors. This should include a review of contracts to gauge exposure following a cyber incident that may impact you as a result of their negligence. 9 Lastly, transfer the risk by purchasing a cyber insurance policy. In terms of keeping your school district data safe and limiting downtime from a potential cyber-attack, a cyber insurance policy not only provides the financial safeguards afforded by a typical insurance policy, it also provides access to world-class vendors — from breach coaches to IT forensic investigators — to address the aftermath of an incident. These vendors are specifically there to help you manage the fallout of a data breach or other cyber-attack, including providing legal guidance to remain in compliance with State laws and regulations, public relations assistance when needed, and rebuilding your systems to the level at which they existed prior to the attack. Some even allow for “betterment” expenses to improve the overall stability and security of the network. Implementing these controls can help keep data and staff/student information safe, limit downtime in the event of an attack, and help turn the tide against the ongoing cyber-attacks that we face day in and day out. I encourage you to discuss these controls with your insurance broker now. An early start can make all the difference in your insurance renewal, with the added bonus of significantly improving your ability to manage cyber risk. Joey Sylvester is the Area Senior Vice President Director, Cyber Risk Solutions – Mid-South, Gallagher.

FREE TO MEMBERS

Starting an Enterprise Risk Management Program from Scratch: A Case Study OCTOBER 20 | 12:00 PM – 1:00 PM EST SPEAKERS: Scott Wightman, ARM-E, Area Executive Vice President, Arthur J. Gallagher Alan Hansen, District Director, Risk Management & Chief Risk Officer, Broward College Beginning an enterprise risk management (ERM) program from the ground up is a reasonably straight-forward process, but as with any human endeavor can create lessons learned along the way. This session will walk participants through various methods and strategies for implementation, and then tell the story of how Broward College was able to launch their successful program. We will consider the limited resources in any public entity today and how they pulled together multiple disciplines into one cohesive effort, making it a truly enterprise-wide venture to support the institution’s resilience, resource allocation decisions, strengthen stakeholder confidence and embolden innovation. ATTENDEE TAKEAWAYS: 1. Description of various ERM implementation models and strategies 2. Show participants how ERM fits within an organization’s governance and how to sell it internally 3. Offer a real-world example of how an entity implemented ERM using multi-department collaboration

ADVERTISER INDEX

ADVERTISER INDEX Travelers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . page 2 HAS YOUR ENTITY LAUNCHED A SUCCESSFUL PROGRAM? An innovative solution to a common problem? A money-saving idea that kept a program under-budget? Each

CALENDAR OF EVENTS PRIMA’s calendar of events is current at time of publication. For the most up-to-date schedule, visit www. primacentral.org.

month, Public Risk features articles from practitioners like you. Share your successes with your colleagues by writing for Public Risk magazine! For more information, or to submit an article,

contact Jennifer Ackerman at jackerman@primacentral.org or 703.253.1267.

FIND US ON FACEBOOK!

PRIMA ANNUAL CONFERENCES June 5–8, 2022 PRIMA 2022 ANNUAL CONFERENCE San Antonio, Texas Henry B. Gonzalez Convention Center June 4–7, 2023 PRIMA 2023 ANNUAL CONFERENCE Long Beach, California Long Beach Convention Center June 16–19, 2024 PRIMA 2024 ANNUAL CONFERENCE Nashville, Tennessee Gaylord Opryland Hotel

PRIMA WEBINARS September 15 Law Enforcement Liability Issues October 20 Starting an Enterprise Risk Management Program from Scratch November 17 Exploring the Unique Challenges Faced by Injured Workers December 15 Leadership and Motivation

Keep up with what’s happening at PRIMA and connect with your risk management peers! Visit us at www.facebook.com/primacentral.

PUBLIC RISK | SEPTEMBER /OCTOBER 2021

ON-DEMAND Learning Sessions PRIMA's Emerging Risks Virtual Training is designed to provide risk managers with the insight necessary to address issues that may currently affect their entity or that are upon the horizon. The training is now available on-demand for your viewing pleasure. Access to the entire training is free for PRIMA members and $200 for non-members. Take advantage of this timely educational resource!

primacentral.org/education/center

BIG IDEAS. SMALL SETTING.

PRIMA INSTITUTE 2021 The Industry’s Premier Risk Management Educational Program October 25–29 // Nashville, Tennessee PRIMA Institute 2021 (PI21) is an innovative educational symposium comprised of fundamental risk management curriculum, outstanding faculty, and excellent networking opportunities. PI21 is aimed at new and seasoned risk management professionals who want to learn more about emerging trends and best practices.