Georgia Shepherd, RPA Cyber Lead, talks about how the Department for Education is improving risk management across the school sector by introducing cyber cover into the risk protection arrangement (RPA) product from April 2022.
We are delighted to announce that the RPA will now include cyber related cover for the first time from the start of the new 2022/23 membership year.
The risk protection arrangement (RPA) was first introduced in 2014 to provide an alternative to commercial insurance for schools and academies. To date around 40% of all eligible schools have joined and are now benefiting from the reduced costs and administrative burden that the RPA provides. In a recent member survey 99.5% of respondents said they were satisfied or very satisfied with the service they receive.
We constantly look to improve our support and when our members told us that cybercrime was an issue of concern and something they would like to see covered as part of the RPA, we launched a cyber pilot in collaboration with IASME, the National Cyber Security Centre's Cyber Essentials partner, to test how we could potentially help schools. The 12-month RPA Cyber Risk Pilot began in March 2021 and knowledge and information gathered from the 500 participating networks has been key in shaping the scope of the RPA cyber cover.
For the 22/23 RPA membership year cyber cover will include increased cost of working for up to 90 days. The RPA will also be providing an Incident Response Service with a dedicated 24/7/365 Cyber Incident Breach Response hotline and email, as well as restoration, remediation and ongoing monitoring for cyber incidents.
The RPA Cyber Risk Pilot has helped us shape the operational scope of cyber cover. One of the schools taking part in the pilot was devastated by a ransomware cyber-attack just 3 days before the end of the summer term.
It took the school until September to have everything back up and running and the total costs were in the region of £180k. Without the insurance provided as part of the pilot these costs would have had to be met by the school.
Cyber security should be high on the agenda for any school with a reliance on IT and online systems. Whilst Cyber Essentials isn't currently a condition for the RPA Cyber Cover, we are actively encouraging schools to work towards achieving Cyber Essentials as it is an industry baseline for cyber security.
You can find lots of resources to help improve cyber security, risk management and good governance through an effective and accessible range of certifications on the Get Cyber Essentials for Schools - IASME web page. The NCSC website also has an extensive range of practical resources to help improve cyber security for schools.
The DfE continues to follow NCA and NCSC advice on the refusal to pay ransoms, and the indemnity provided as part of cyber cover will not apply to or include claims or losses in respect of ransom payments or expert fees to investigate threats.
So why should you make the move to RPA if you're not already a member? You will certainly benefit from reduced costs in comparison to commercial insurance. The membership cost for 2022/23 will be £21 per pupil for local authority maintained schools from 1 April 2022 and for academies from 1 September 2022. The cost of the RPA is reviewed annually to ensure breadth of cover and value for money are balanced but the annual membership cost is fixed for all members, regardless of risk and claim history.
You will also benefit from the reduced administrative burden of RPA. Joining RPA is simple and takes less than 5 minutes. There are no forms and RPA operates on a no material fact disclosure basis, so we don't need estate, buildings or contents valuations and we don't review your schools risk rating. There is also no annual renewal process - your membership will just roll over to the next year.
If the worst happens and you need to make a cyber claim, we have a range of support designed to simplify the claims process for you. You can call the 24-hour 365-day emergency helpline to start the process and you'll be provided with a named account manager to help you through the claims process, plus access to a dedicated portal for claims handling. Subject to the conditions being met and consequently a valid claim, we will provide expert loss adjusters and legal advisers and the incident response service may determine that on-site support is appropriate.
Visit GOV.UK for more information about RPA and to sign up.
If you want to find out more before you commit, we run bi-weekly RPA information sessions for any school to join. You can sign up via the Eventbrite link here DfE Schools Commercial RPA Information Session Tickets, Multiple Dates | Eventbrite. If you have any questions on RPA or would like more information, contact: Schools.commercial@education.gov.uk