Nowell Seaman, manager of risk management and insurance servicesfor the University of Saskatchewan, says the school's focus on ITsecurity is different today than just a few years ago.

“We used to be concerned about system failure and the need forelectronic data-processing coverage, but cyber liability has becomethe top concern,” Seaman says.

The university's general-liability coverage, under a reciprocalowned by Canadian universities, initially covered cyber liabilityunder the general limit. But, with a sublimit for cyber liabilityplaced on the policy within the last few years, the university isnow considering going to market for additional cyber coverage.

The challenge for the university is to balance access withprotection of private information. “We have a number of groups thatuse our system—students, faculty, alumni. So we need to provideadequate protection when all those people are using our system,” hesays.

Like most universities today, the school's approach to cyberrisk includes secure processes, firewalls, virus scanning anddetection, user training, IT policies, active investigation ofthreats and data backups. The elevated risks around cyber securityhave led to what Seaman characterizes as “considerable” newinvestments in the past few years, including a director of ITsecurity reporting to the CIO; increased vulnerability scanning ofsystems and web pages; and increased availability of securedservers for internal users.