Cyber Risk and FERPA: The Student Data Gap

Schools collect some of the most sensitive personal data in existence. Federal privacy law tells them to protect it. Commercial cyber insurance often will not pay when they fail to. Here is what the gap looks like and what a captive can do.

What FERPA Requires — and What It Does Not

The Family Educational Rights and Privacy Act, enacted in 1974, gives parents and eligible students the right to access, review, and control the disclosure of education records. Any institution that receives federal funding must comply, which effectively covers every public school district in the country and the large majority of private schools and universities.

FERPA requires that education records be kept confidential and that institutions maintain policies governing their access and release. What FERPA does not require is any specific technical security control. It does not mandate encryption of data at rest or in transit. It does not require multi-factor authentication. It does not specify endpoint detection standards, network segmentation requirements, or incident response protocols. FERPA is a privacy framework. It defines what must be protected. It does not define how.

That distinction matters because commercial cyber underwriters have spent the past five years adding technical control requirements to their policies as conditions of coverage. An insurer asking whether a school district uses multi-factor authentication on all remote access, maintains offline backup systems, and has a documented incident response plan is asking questions that FERPA compliance does not answer. A school can be FERPA-compliant and still fail basic cyber underwriting requirements. A school can pass those underwriting requirements and still suffer a FERPA violation. They are different standards measuring different things.

FERPA compliance is not cyber coverage. The two are related in subject matter and largely unconnected in practice.

Why Student Data Is a High-Value Target

Education records are among the most sensitive personal data files in existence. A K-12 student record can contain a Social Security number, date of birth, home address, family income information from free and reduced lunch applications, health and immunization records, special education evaluations, behavioral incident reports, and disciplinary history. Higher education records add financial aid files, including detailed household income and asset data from federal aid applications.

Student data is particularly attractive to criminal actors for one structural reason: children have clean credit histories. A stolen adult identity may yield limited value if the target has existing debt, credit monitoring, or fraud alerts. A stolen student identity can sit unused for years, building clean credit history under the victim's Social Security number, until the student reaches adulthood and discovers the theft when applying for a loan or opening a bank account. That multi-year window of undetected usability makes student records worth substantially more per record than most adult consumer data on criminal markets.

Education institutions also present a favorable attack surface. School districts typically operate with constrained information technology budgets and large exposure: thousands of user accounts, legacy systems that cannot easily be updated or replaced, open wireless networks shared by students and staff, and dozens of third-party educational technology vendors with varying security practices. A single district can hold records on tens of thousands of students behind a relatively thin technical perimeter.

  • K-12 districts: High record volumes, constrained IT budgets, open network environments, and legacy systems that complicate patching and endpoint management.
  • Higher education: Large open networks, research systems with external access, decentralized technology purchasing, and financial aid data representing detailed household financial profiles.
  • Private K-12 schools: Often smaller IT infrastructure than public districts, similar data obligations, and commercial cyber policies that may exclude or sublimit the education-specific exposures that represent their primary risk.

The Commercial Cyber Coverage Gap

Commercial cyber insurance policies have three gaps that consistently affect educational institutions.

Ransomware sublimits. Many commercial cyber policies include ransomware coverage but cap it at a sublimit well below the policy's aggregate limit. A district carrying $5 million in cyber coverage may find that ransomware-specific losses are subject to a $500,000 sublimit. Ransomware demands targeting school districts have exceeded that figure in documented incidents, and the costs of recovery, forensic investigation, and system restoration frequently compound the direct demand amount.

Business interruption trigger language. Cyber business interruption coverage in commercial policies typically requires a covered network security failure as the triggering event. But the definition of a qualifying failure has been narrowed in many policy forms to exclude social engineering attacks, misconfigured cloud storage that results in data exposure, and third-party vendor breaches. A breach caused by a compromised educational technology vendor may not trigger the school's own cyber policy, even if student records are the data exposed.

Regulatory defense and FERPA notification costs. When a breach involves student records, the institution faces FERPA notification obligations, potential Department of Education inquiry, and in many states, student privacy laws that impose requirements beyond what FERPA mandates. Legal defense of a regulatory inquiry and the cost of breach notification to thousands of families are frequently sublimited, excluded, or subject to separate retention requirements in standard commercial cyber forms.

Property and casualty (P&C) insurers denied 50 percent of claims across all lines in 2023. [1] The complexity of cyber policy trigger language, and the speed with which underwriters have added exclusions and sublimits to the cyber line as claims have grown, mean that the denial rate for education-sector cyber claims is not likely to be lower than that average. A school that suffers a significant breach may spend as much on coverage disputes as on the breach itself.

The Captive Insurance Opportunity

An educational institution captive insurance company can be structured to cover what commercial cyber policies consistently underprovide.

Ransomware at full policy limits. The captive policy is written by the institution, not by a commercial carrier managing its own portfolio exposure. Ransomware coverage can be written at the full policy limit without a sublimit that caps recovery at a fraction of actual loss.

FERPA regulatory defense and breach notification costs. A captive can be explicitly structured to cover Department of Education inquiry defense costs, state regulatory response, and the full cost of FERPA-required breach notification to affected families, without the sublimits and retentions that commercial policies impose on these line items.

Business interruption without the physical loss trigger. A captive can define the triggering event as any network outage, ransomware attack, or third-party vendor breach that halts school operations or compromises student records. That definition covers the attacks that most commonly affect educational institutions, rather than the narrow triggers that commercial policies are increasingly written to require.

Third-party vendor breach liability. Schools rely on dozens of educational technology platforms, each of which holds student records. When a vendor is breached, the school bears the notification and regulatory obligations. A captive can be written to respond to vendor-caused breaches that the school's commercial cyber policy may exclude.

Under IRC Section 831(b), premiums paid to a qualifying captive are deductible by the parent institution, and captive underwriting income accumulates tax-deferred. [2] For private schools and universities operating as taxable entities, or for the taxable affiliates of nonprofit educational organizations, that structure can contribute meaningfully to the overall economics of the captive.

The trigger language that allows commercial carriers to decline cyber claims on technical grounds does not have to exist in a captive policy. The institution writes the terms because the institution owns the insurer.

Who Qualifies

Educational institutions spending $300,000 or more on combined cyber, property, general liability, and workers' compensation coverage are in the range where a captive feasibility study generally demonstrates real economic value. In high-tax states, that threshold can be lower: the tax benefit of the 831(b) structure adds to the economic case at premium levels where the loss-ratio arithmetic alone might not yet fully justify formation costs. That is a guideline, not a hard rule. Institutions with significant student data exposure or documented gaps in commercial cyber coverage may qualify at lower premium levels.

Larger school districts, university systems, and private K-12 networks with multi-campus operations are frequently well above that level when all coverage lines are combined.

Contact 3F Captive Services for a no-cost policy analysis. We identify the gaps in your current cyber and liability program and model what a captive structure could cover for your specific institution.

⚠  This post is for informational purposes only and does not constitute insurance, legal, or tax advice. Coverage terms, policy forms, and regulatory requirements vary by carrier, jurisdiction, and institution type. Consult qualified insurance, legal, and tax advisors regarding your specific situation.

Sources

  [1]  Shearer, Brian. "Regulating Insurance as a Public Utility." Forthcoming, Columbia Business Law Review (April 2026). P&C claim denial rate: Section II.B, pp. 49-50. NAIC 2024 Market Share Reports.

  [2]  Internal Revenue Code Section 831(b). Captive insurance company tax treatment for qualifying small insurance companies.

  [3]  Family Educational Rights and Privacy Act (FERPA), 20 U.S.C. § 1232g; 34 CFR Part 99.
