DfE Risk Protection Arrangement (RPA)
Is your school covered against cyber threats under the DfE’s Risk Protection Arrangement?
Many schools currently utilise the DfE’s RPA to protect them from unforeseen and unexpected events, including cyber attacks. But is your school following all the steps to ensure you can claim if necessary?
What is the RPA?
The risk protection arrangement (RPA) was introduced in 2014 to provide an alternative to commercial insurance for schools and academies. Over 8,500 schools are currently members of the RPA.
The RPA aims to protect schools against losses due to any unforeseen and unexpected event. Under RPA, where losses occur, they are covered by the UK government. Schools classified as public sector schools can join the RPA.
RPA’s Protection against Cyber Incidents
With schools’ dependency on technology and online services, cover for cyber security incidents was added to the threats covered by the RPA. In order to comply with the RPA’s conditions of cover for cyber incidents, members are required to evidence their compliance with the following conditions:
- Have offline backups that are tested appropriately and back up all your key data.
- All employees or governors who have access to the RPA Member’s information technology system must undertake National Cyber Security Centre (NCSC) Cyber Security Training.
- Register with Police CyberAlarm – a tool that monitors and reports suspicious cyber activity on your Internet connection.
- Have a Cyber Response Plan in place.
A high percentage of schools currently take out the DfE’s RPA. However, if your school isn’t complying with the conditions or isn’t able to show evidence of compliance, your cover won’t apply. This article aims to describe the key elements required to help ensure that you stay compliant.
1. Offline Backups
Education providers must take the necessary steps to back up any relevant data offline. Having compliant, offline backups involves having some form of backup which is kept separate from your live environment and only connected while backups are being run. Offline backups ensure that in the event of a cyber-attack, you still have an unaffected copy of your data.
Education providers should ask their IT teams or external IT providers to ensure the following:
- Back up the correct data. A suggested list of critical data is included in the Cyber Response Plan template.
- Backups should be held fully offline and not connected to systems, or held in cold storage.
- Test backups regularly, using the 3-2-1 rule: at least 3 copies of the data, on 2 devices, with 1 being offsite.
2. NCSC Training
One of the four conditions that must be met for cyber threat cover to be included in the DfE’s risk protection arrangement (RPA) is that relevant people in school must be appropriately trained in cyber security. The training course is free from the NCSC website.
- Employees with access to school IT systems require training.
- Governors with access to school IT systems require training.
- Completion of training by start of membership year.
- Evidence of training is needed.
3. Police CyberAlarm
Police CyberAlarm monitors inbound traffic aimed at your network. It records and reports any suspected malicious activity on your firewall, enabling you to minimise any identified vulnerabilities and risks. The RPA condition of cover is to register with Police CyberAlarm. Registering connects your school to the local Police Cyber Protect team, who will ensure you are notified of any known threats.
- Connect with local police team.
- CyberAlarm software tool.
- Monitor cyber activity.
- Record network traffic.
4. Cyber Response Plan
A cyber response plan details the process that should be invoked in the event of a cyber-attack or data breach. When a cyber security event strikes, a well-considered plan will help you react appropriately under the pressure of an actual incident.
- Response plan must be in place.
- Clear evidence of this.
- Created to DfE standards.
- Template available from DfE.
It is vital that education providers regularly review their defences and take the necessary steps to protect their networks. By doing this, your school will stand a much higher chance of mitigating or recovering in the event of a cyber threat.
If you fail to comply, your RPA cyber insurance may be void and you will not be paid out. Having a robust backup and recovery plan in place is essential for protecting your school and ensuring your RPA cyber cover is not at risk.
Tel Group are here to support you in ensuring your school complies with the DfE’s RPA conditions. Please get in touch for more information.