Back to School on EPL and Cyber

Insuring educational institutions becomes a lesson in risk mitigation

September 27, 2022

Schools and universities face significant challenges obtaining insurance for nearly every line of coverage, with many carriers pulling away from the education industry altogether. The employment practices liability (EPL) and cyber lines are particularly restrictive due to a steady increase in claims and vulnerabilities in recent years. Educational institutions have to be diligent in their approaches to risk management to enhance their insurability and avoid potentially damaging lawsuits in the future.

In addition to rising claims, the market for EPL insurance remains uncertain due to a confluence of external factors, including COVID-19 and a heightened awareness of workplace rights brought about by social justice movements such as #MeToo and Black Lives Matter. According to Alera Group’s “Property and Casualty 2022 Market Outlook,” businesses can expect EPL rate increases of 7%-15% for the year, depending on the business size, industry, and sector. The cyber market is facing rate hikes of greater than 100%, as hackers become more sophisticated in their attacks and increase their financial demands.

EPL markets will continue to offer capacity, but coverage will cost more and will frequently be coupled with the imposition of tougher terms, including adherence to formalized risk management programs. Alera Group projects that coverage limits will remain relatively low—between $100,000 and $500,000—with deductibles between $2,500 and $25,000, again, depending on the business size, industry sector, loss history, and region.

There are, however, notable exceptions. In some locations, for example, a well-run school district can get $1 million of coverage and add an umbrella policy on top of that. In many instances, however, a school or district needing higher coverage limits may need to turn to the excess and surplus market. Determining what coverage is needed and in what amount is best achieved through a consultation between the school administrator and the insurance broker.

The cyber market also has capacity, but insurers will continue to reserve it for what they view as the best risks. For example, some insurers are requiring use of multi-factor authentication as a prerequisite for reviewing a business’s application.

Given the increasingly small list of carriers willing to provide EPL and cyber coverage to educational institutions, the education industry can expect higher policy retentions, significant premium increases, and new exclusions for at least the near future.

Challenges for Schools

From daycare centers to colleges and universities, obtaining EPL coverage will be more challenging than ever due to heightened risk exposures. “Reviver” laws, which have opened the statute of limitations on sexual abuse and molestation claims, and COVID-19-related lawsuits are key risk concerns for insurers that remain in the education market. Educational institutions must exercise due diligence to maintain coverage and ensure proper protection against employment-related claims. Failure to do so can result in costly litigation and judgments that can cripple an institution’s balance sheet and cause significant damage to its reputation and brand.

One reason that access to EPL insurance for educational institutions has become more restrictive is the ongoing rise in nuclear verdicts in sexual abuse and molestation cases. Last year, the University of Southern California agreed to pay more than $850 million to hundreds of women abused by a former campus gynecologist. That is in addition to a separate, but related, settlement for $215 million in 2018 with more than 18,000 women treated by the same gynecologist. This past January, the University of Michigan reached a $490 million settlement with more than 1,000 students who were sexually abused by a former campus physician. A quick internet search reveals countless other claims and judgments against schools and universities across the country, indicating the extent and seriousness of this problem.

Sexual abuse and molestation claims are just one area of risk that educational institutions face. While it is still too early to determine the full scope and impact of COVID-19-related claims, schools and school districts across the country are being sued by staff and students who claim they caught COVID-19 on campus. Still others have been sued for implementing mask mandates or not instituting mask mandates, for failure to implement sufficient safety protocols, and for instituting or failing to institute vaccine mandates.

Although the majority of states have passed laws protecting schools from COVID-19-related lawsuits, most have clauses that remove exemption if the school is shown to have engaged in willful misconduct. While it is impossible to shield against all potential COVID-19-related lawsuits, by following public health guidelines and local and state laws and ordinances, educational institutions can demonstrate that they have taken the steps necessary to ensure the health and safety of students, staff, and others on campus.

Educational institutions, particularly colleges and universities, tend to be major employers within their communities, making them primary targets for EPL claims such as wrongful termination, harassment, retaliation, and discrimination. Administrators at all levels of education know how difficult it can be to fire a bad employee, and that reality is another factor making it very difficult for schools to obtain EPL insurance. Too often, administrators are hesitant to fire transgressive employees because of the success other employees have had in litigation. This has contributed to the rise in lawsuits both by current or former faculty and students claiming that they were victimized by an instructor who should have been fired, and by fired instructors claiming wrongful termination.

EPL Risk Mitigation

To protect against EPL litigation and increase the likelihood of obtaining EPL coverage, educational institutions must adopt comprehensive risk mitigation practices. The scope of risk can be overwhelming; failure to address it at all can result in significant financial losses and ruin the reputation of the school, staff, and administrators who are often named in the suits. By staying on top of EPL market trends, educational institutions will have the information they need to adjust internal policies and procedures to protect against litigation, as well as make any necessary coverage adjustments.

For starters, when discussing comprehensive risk mitigation practices, consider the following:

• It is important to hire the right people. Conducting background checks and checking references can eliminate bad hires and EPL claims. As employers, educational institutions must be strict and consistent with the employer-employee work relationship.

• An employee handbook that outlines policies and procedures is a must, and should be followed consistently. The handbook should reflect regulatory compliance with municipal, state, and federal workplace laws. The handbook also serves as a foundational document that shapes the institution’s culture and delivers on its mission, vision, and values.

• In the age of #MeToo and Black Lives Matter, it is essential for all educational institutions to carry out a zero-tolerance policy for discrimination and/or harassment of any kind.

• Embracing diversity, equity, and inclusion not only enhances the workplace culture and employee satisfaction, it also fosters a workforce that is less susceptible to EPL claims, including allegations of discrimination.

A comprehensive risk management plan must also include an explicit performance evaluation process that records the evaluations of all employees and clearly defines each employee’s job description and responsibilities. This will serve as an important reference in wrongful-termination and other EPL complaints.

It is important that employers be transparent and approachable. All employees must feel safe working with their manager or human resources department to discuss any issues that need to be addressed. Creating a culture of psychological safety that supports a work environment where individuals can speak freely and share ideas or concerns without fear of punishment or humiliation supports a workforce that is more engaged in its work and one that is ultimately less litigious.

Heightened Cyber Risks

Cyber coverage can be even more challenging for schools to obtain than EPL insurance because educational institutions maintain significant levels of valuable and private data, from proprietary research findings to student medical records and personally identifiable information for both employees and students. This makes schools prime targets for hackers and vulnerable to data-breach lawsuits.

Information security is a critical business asset and must be a top priority for educational institutions both large and small. Yet, many schools and school districts—as well as colleges and universities—have underestimated the threat, and many still lack the resources necessary to sufficiently protect their systems. Failure to invest in information security can result in steep financial losses from which some educational institutions or school districts may be unable to recover.

The scope of cyberattacks on schools and universities is unknown, since most are not required to publicly report an attack. A 2022 report by Emsisoft, a security management company, found that more than 1,000 schools in the U.S. were hit with ransomware attacks in 2021. Several school systems, including Albuquerque Public Schools, have been forced to cancel classes for multiple days due to an inability to operate following a cyberattack. A 2020 ransomware attack on Baltimore County Public Schools resulted in nearly $10 million in costs to recover from the initial attack and invest in cybersecurity to prevent future incidents. 

Cyber Risk Mitigation

Educational institutions need to shift their focus from a reactive position of relying on insurance to address cyber threats to a proactive approach of preventing incidents and recovering quickly after an event. To increase their insurability, schools must practice good data governance. This includes understanding where data originates, where it is housed, and how it is used. From there, educational institutions should conduct a thorough risk assessment to determine vulnerabilities and implement comprehensive risk mitigation strategies. Cyber criminals are relentlessly evolving their tactics and elevating their threats, so vulnerability management programs must be adaptive to respond to emerging risks.

Assessing vulnerabilities introduced by third-party vendors and suppliers is just as important as assessing internal ones. It is essential to vet each third-party entity for cyber preparedness; a zero-trust model can protect schools from potential outside threats.

Education is a front line of defense against cyberattacks. All employees and students should understand cyber vulnerabilities and their role in cybersecurity. Communication and testing throughout the year heighten awareness and keep all stakeholders up to date on new and emerging threats.

Finally, similar to developing an employee handbook to help mitigate EPL claims, developing a cybersecurity risk management plan can help in obtaining cyber coverage. At minimum, the plan must explicitly outline which security programs have been implemented and how data will be backed up; roles and responsibilities for plan maintenance and enforcement; and education for employees and students.

Educational institutions play a critical role in our society. It is in the best interest of all of us to ensure schools remain protected from costly EPL and cyber claims. Having sound risk mitigation practices in place can limit risk exposure and enhance insurability. While there is no one-size-fits-all approach to risk mitigation for either EPL or cyber, there are best practices that can be adapted to protect against unwanted claims.

It is essential to work closely with all employees to build an open and supportive culture and strictly comply with a no-tolerance policy for discrimination or harassment. This will build a workplace that is less litigious and more engaged.

For cyber, schools and universities must accelerate their security practices and adopt security measures to protect systems and prevent cyber breaches. All employees and students must understand the importance of cyber hygiene and their role in cybersecurity. Practicing these steps will ensure business continuity and improve the outlook for both insurers and policyholders. 

About The Authors
John Beauregard

John Beauregard is senior partner and account executive, Sylvia Group, an Alera Group company. jbeauregard@sylviagroup.com
