Georgia Shepherd, RPA Cyber Lead, talks about how the Department for Education is improving risk management across the school sector by introducing cyber cover into the risk protection arrangement (RPA) product from April 2022.
We are delighted to announce that the RPA will now include cyber related cover for the first time from the start of the new 2022/23 membership year.
The risk protection arrangement (RPA) was first introduced in 2014 to provide an alternative to commercial insurance for schools and academies. To date around 40% of all eligible schools have joined and are now benefiting from the reduced costs and administrative burden that the RPA provides. In a recent member survey 99.5% of respondents said they were satisfied or very satisfied with the service they receive.
We constantly look to improve our support and when our members told us that cybercrime was an issue of concern and something they would like to see covered as part of the RPA, we launched a cyber pilot in collaboration with IASME, the National Cyber Security Centre’s Cyber Essentials partner, to test how we could potentially help schools. The 12-month RPA Cyber Risk Pilot began in March 2021 and knowledge and information gathered from the 500 participating networks has been key in shaping the scope of the RPA cyber cover.
For the 22/23 RPA membership year cyber cover will include increased cost of working for up to 90 days. The RPA will also be providing an Incident Response Service with a dedicated 24/7/365 Cyber Incident Breach Response hotline and email, as well as restoration, remediation and ongoing monitoring for cyber incidents.
The RPA Cyber Risk Pilot has helped us shape the operational scope of cyber cover. One of the schools taking part in the pilot was devastated by a ransomware cyber-attack just 3 days before the end of the summer term.
It took the school until September to have everything back up and running and the total costs were in the region of £180k. Without the insurance provided as part of the pilot these costs would have had to be met by the school.
Cyber security should be high on the agenda for any school with a reliance on IT and online systems. Whilst Cyber Essentials isn’t currently a condition for the RPA Cyber Cover, we are actively encouraging schools to work towards achieving Cyber Essentials as it is an industry baseline for cyber security.
You can find lots of resources to help improve cyber security, risk management and good governance through an effective and accessible range of certifications on the Get Cyber Essentials for Schools - IASME web page. The NCSC website also has an extensive range of practical resources to help improve cyber security for schools.
The DfE continues to follow NCA and NCSC advice on the refusal to pay ransoms, and the indemnity provided as part of cyber cover will not apply to or include claims or losses in respect of ransom payments or expert fees to investigate threats.
So why should you make the move to RPA if you’re not already a member? You will certainly benefit from reduced costs in comparison to commercial insurance. The membership cost for 2022/23 will be £21 per pupil for local authority maintained schools from 1 April 2022 and for academies from 1 September 2022. The cost of the RPA is reviewed annually to ensure breadth of cover and value for money are balanced but the annual membership cost is fixed for all members, regardless of risk and claim history.
You will also benefit from the reduced administrative burden of RPA. Joining RPA is simple and takes less than 5 minutes. There are no forms and RPA operates on a no material fact disclosure basis, so we don’t need estate, buildings or contents valuations and we don’t review your schools risk rating. There is also no annual renewal process – your membership will just roll over to the next year.
If the worst happens and you need to make a cyber claim, we have a range of support designed to simplify the claims process for you. You can call the 24-hour 365-day emergency helpline to start the process and you’ll be provided with a named account manager to help you through the claims process, plus access to a dedicated portal for claims handling. Subject to the conditions being met and consequently a valid claim, we will provide expert loss adjusters and legal advisers and the incident response service may determine that on-site support is appropriate.
Visit GOV.UK for more information about RPA and to sign up.
If you want to find out more before you commit, we run bi-weekly RPA information sessions for any school to join. You can sign up via the Eventbrite link here DfE Schools Commercial RPA Information Session Tickets, Multiple Dates | Eventbrite. If you have any questions on RPA or would like more information, contact: Schools.commercial@education.gov.uk
7 comments
Comment by Yurt Fiyatları posted on
can we deduct the fees paid for risk structuring from the tax
Comment by Marie Lewis - Engagement and Information Lead, Department for Education posted on
Hi there - I'm not quite sure what you mean I'm afraid. If you drop us a line at schools.commercial@education.gov.uk with some more details I can get a response for you.
Comment by david white posted on
Will there be any additional premium for the inclusion of Cyber Cover within the RPA or will the cost of RPA inclusive of Cyber Cover remain at £21 per pupil for 2022/23
Comment by Emily Wignall posted on
Hi David,
Cyber incident cover is included in your RPA at no additional premium if all the following four conditions have been met:
Must have offline backups
All employees or Governors who have access to the Member’s information technology system must undertake NCSC Cyber Security Training
Must register with Police CyberAlarm
Must have a Cyber Response Plan in place
For more information, please see the Cyber Guidance Note here: https://sway.office.com/Pa1LsAUfaMGCB31W?ref=email
Comment by Paul Lopez posted on
We would also encourage all schools to join their regional Cyber Resilience Centres - police run companies set up by the government to support small and medium sized businesses, including schools and third sectors with improving their cyber resilience. Set up as part of the Home Office Cyber Strategy 2022, we all offer free membership and provide free guidance to all organizations around getting through their Cyber Essentials accreditation, and provide links to free NCSC tools, Police Cyber Alarm etc.
Comment by Gary Bragg posted on
There are a number of Cyber training modules available through the National College - are any of these acceptable alternatives to the NCSC training mentioned above?
Comment by louisegreened posted on
Hello Gary
Thank you for your question.
It does have to be the NCSC training and it will need to be evidenced in the event of a claim. After completing the training, a certificate can be downloaded or can be recorded centrally by the school. We do encourage school staff to undertake Cyber Security courses, but the NCSC training is the key one required to obtain the RPA Cyber Cover.