21 Oct 2022

Risk protection arrangement (RPA) for academy trusts – what does the cybersecurity section mean for me?

Failure to comply with the terms of the cybersecurity section (14) of the RPA could mean that your RPA cyber insurance cover is invalid. This blog describes the key elements required to help ensure that you stay compliant. These requirements include the use of offline backups, undertaking National Cyber Security Centre (NCSC) training, registering with Police CyberAlarm, and having a cyber response plan in place.

Offline Backups

Education providers must take the necessary steps to back up any relevant data offline. By 'offline', we mean an area that is not accessible to your internal network. Examples are a storage drive (or Network Attached Storage drive) that is disconnected from the internal network, or cloud storage. Cloud storage is segregated from the internal network and provides physical separation from the live environment in the event of a physical disaster (e.g. a fire). Offline backups ensure that in the event of a cyber-attack, you still have an unaffected copy of your data. This makes your recovery process easier. It is vital to confirm that the backups taken are useable and allow for a full-scale system restore in the event of a disaster.

Organisations should take the following actions:

  • Hold backups offline, either separated from the network or in cold storage. The NCSC recommends following the 3-2-1 rule, with at least 3 copies of the data, on 2 devices with 1 being offsite.
  • Back up the correct data. This includes, but is not limited to, data relating to exams/coursework, student/staff data and other key elements.
  • Test your backups. This means checking not only that they are being taken regularly, but also that they are useable in a full-scale system restore.

National Cyber Security Centre (NCSC) training

With over 85% of successful cyber-attacks initiating from human error, it is no surprise that one condition of section 14 is that all employees or governors who have access to the member’s information technology system must now undertake NCSC training (or equivalent cyber awareness training).

A 36-minute training video can be distributed to all staff to watch individually or, more commonly, played on INSET days to groups of staff. A register should be kept so that you can easily evidence which members of staff have undertaken the training in the event of a claim. With 83% of cyber-attacks being due to phishing emails, it is important users are kept up to date.

Police CyberAlarm

Police CyberAlarm is both a connection to your local police Cyber Protect team and an award-winning tool used to detect and report suspicious activities within your network. All members must now register with Police CyberAlarm. The Police CyberAlarm tool can provide members with frequent reports detailing vulnerabilities on the network, information regarding the latest threats and security best practices, as well as detecting any suspicious activities. Whilst the CyberAlarm tool monitors and records network traffic, it has been confirmed that the tool does not capture any data that would put personal data at risk.

Cyber Response Plan

The final condition set out in section 14 states that you must now have a cyber response plan in place. A cyber response plan details the process that should be invoked in the event of a cyber-attack or data breach. It ultimately supports an organisation so you know what to do when it happens. A cyber response plan should include, but is not limited to, the individuals responsible for data management, the IT restore / recovery process, physical site security and public relations, including key contact details for individuals such as IT managers, headteachers, backup providers and legal representatives. Note that these categories are recommended, but not definitive: each cyber response plan should be tailored to the specific organisation. A school-specific template can be found within the RPA Risk Management portal.

Overall, section 14 of the RPA encourages organisations to take a proactive stance on cyber security. With the introduction of offline backups, NCSC training, Police CyberAlarm and a cyber response plan, organisations stand a much higher chance of mitigating or recovering in the event of a cyber threat.

For more information regarding section 14 of the RPA or to discuss how the cyber services team at PKF Francis Clark can assist your organisation, feel free to reach out for a free of charge initial call/meeting with our cyber security Director, Phil Osgathorpe.
