Picture this: It’s finals week. A student at Princeton is frantically trying to submit a term paper through their online portal. But the site is down. Completely dark. Panic sets in.
Now, imagine you’re the university's risk manager. It’s not just one student panicking; it’s thousands. And it’s not just one paper; it’s exams, grades, and the very core of your educational delivery system.
This isn’t a hypothetical. It happened just this month when hackers targeted Instructure Inc., the company behind the Canvas online learning portal. For a period of time, services were disrupted for a huge number of colleges, including heavy hitters like Harvard and Princeton.
While the tech blogs covered the hack, I want to talk about what this means for the rest of us. Because honestly, this story is less about hackers and more about a type of risk that’s quietly become one of the biggest threats to modern businesses: what happens when a service you completely depend on suddenly vanishes?
It’s Not Just Your Four Walls Anymore
For years, we’ve thought about business risk in terms of what happens to us. A fire in our building. A burst pipe in the server room. A phishing email that one of our employees clicks. We buy insurance to protect the things we can see and control.
But here's the thing: most businesses today are built on services they don't control.
We use cloud software for everything: accounting (QuickBooks), customer relationships (Salesforce), communication (Slack, Microsoft 365), and in the case of these universities, education (Canvas). We’ve outsourced huge chunks of our infrastructure.
Think of it like this: you own a fantastic little boutique, but you rent your space in a giant shopping mall. You can have the best security system and fire sprinklers in your own store, but if the mall has a major power outage or a gas leak, you’re shut down. Your business is interrupted, but the cause was completely outside of your control.
That’s exactly what happened with the Canvas outage. The universities themselves weren’t hacked. Their vendor was. And that’s a crucial distinction when it comes to insurance.
When "Business Interruption" Doesn't Mean What You Think
If that university risk manager pulled out their standard property insurance policy, they’d likely be in for a rude awakening.
Traditional Business Interruption (BI) coverage is fantastic, but it usually has a big string attached: it’s triggered by physical damage to your own property. The fire, the burst pipe, the tornado that takes off your roof—those are the kinds of events it’s designed for.
An outage at a third-party software provider? There’s no physical damage to the university. So, in most cases, that standard policy isn't going to pay a dime for the disruption.
This is where so many businesses get caught off guard. They think "BI" covers any and all interruptions. But the digital world has created a new kind of outage, and it requires a new kind of protection.
Cyber Insurance to the Rescue (But You Need the Right Kind)
This is precisely the scenario that modern cyber insurance policies were built to address. But even here, you have to read the fine print. The key coverage you’re looking for is often called Contingent Business Interruption (CBI) or Dependent Business Interruption.
Let's break that down.
- "Regular" Network Business Interruption: This covers your losses if your own network gets hacked or goes down, causing you to stop operations.
- "Contingent" Business Interruption: This is the golden ticket. It covers your losses when a key vendor or supplier (one your business is "contingent" upon) has a network failure that shuts you down.
In the case of the Canvas hack, a university with a solid cyber policy that included CBI coverage could potentially file a claim for the financial fallout.
What Does That "Fallout" Actually Look Like?
The costs go way beyond just a few hours of a website being down. Let’s think about the real, tangible losses a university could face here:
- Lost Revenue/Extra Expenses: If classes or exams have to be rescheduled, that means paying professors and staff for extra time. If the outage is prolonged, you might even have to issue partial tuition refunds.
- Crisis Management Costs: You’d need to hire a PR firm to manage communications with angry students, parents, and the media. You’d be paying your IT team overtime to find workarounds.
- Reputational Harm: This one is harder to put a number on, but it’s huge. Trust is everything. If students and faculty can’t rely on your core systems, your reputation takes a serious hit.
- Investigation Costs: Even though it was their vendor, the university would still need to conduct its own investigation to ensure none of its data was compromised.
A good CBI policy can help cover these expenses, turning a potential catastrophe into a manageable (though still stressful) event.
What Should You Be Doing Right Now?
Look, you don't have to be a multi-billion dollar university for this to matter. If your business relies on any critical software or cloud service provider, you are exposed to this exact same risk.
So, what’s the next step?
- Map Your Dependencies: Seriously, sit down and make a list. Who hosts your website? Where is your customer data stored? What software do you use for billing? For each one, ask yourself: "If this service went down for a day, or a week, what would happen to my business?"
- Talk to Your Insurance Broker: This is not a "figure it out yourself" situation. Call your broker and use these magic words: "I want to talk about my exposure to third-party tech failures. Do I have Contingent Business Interruption coverage in my cyber policy?"
- Ask the Tough Questions: Don't just ask if you have the coverage. Ask about the details. What's the waiting period (how long do you have to be down before coverage kicks in)? What's the sub-limit (is the coverage amount lower than your main policy limit)? Who is considered a "dependent" business?
The Canvas hack is a wake-up call. It's a perfect, real-world example of how interconnected and vulnerable we’ve all become. Our businesses are no longer self-contained units; they’re part of a complex digital supply chain. And making sure your insurance coverage reflects that new reality isn't just smart—it's essential for survival.



