Canvas hack shows growing cyber risk in higher ed

BY SourceMedia | MUNICIPAL | 12:36 PM EDT By Jessica Lerner

A recent cyberattack that took offline a learning management system used by colleges and universities nationwide exposes the growing cyber risk in the higher education sector.

Hacking group ShinyHunters took credit for the recent data breach that affected the Instructure-owned Canvas learning management system, used by around 41% of colleges and universities in North America. The shutdown happened as colleges and universities were in the middle of finals.

Canvas came back online a day or two later, and in the end, Instructure paid the hackers an undisclosed amount for the return of the compromised data, which included information like usernames, email addresses, course names, enrollment information and messages.

"When you have something like Canvas and the way in which it has been deployed, both for everything from student data to payments [and] the core functioning of utilization, from an educational standpoint, there's a real risk," said Alex Niejelow, executive director of Hilco Global Cyber Advisors.

Cyber risk is something the industry has been willing to absorb over the last 10 years and probably will continue to, said Matt Fabian, president of Municipal Market Analytics.

"The investors [are] willing to take that risk, but regardless of what bondholders and rating agencies do or don't do, issuers have to manage this, and it's only becoming more expensive for them to do that," he noted.

These costs include prepping systems for rapidly worsening cyber threats, cyber insurance and reduced federal support, which puts growing pressure on borrowers, Fabian said.

The risks to schools have largely been confined to exposure of personal data, and this cyberattack is likely to have medium to low impact on colleges and universities because of cybersecurity measures in place, said Ken Rodgers, director at S&P Global Ratings.

"It's still very early. This just happened – but most of the damage has just been limited," he said.

"Absent sustained operational or financial effects, events of this nature do not typically result in standalone rating action," said Geshawn L. Williams, associate director of U.S. Public Finance at Fitch Ratings.

Furthermore, "the severity and duration of the disruption, the institution's capacity to maintain academic continuity, and the effectiveness of its response – including vendor oversight and communication protocols – are of greater import than the incident itself," he noted.

The cyberattack shows the need for stricter protocols around third-party vendors, Rodgers said.

"There's nothing wrong with a third-party provider. It's great," Niejelow said. "There are efficiencies and benefits. However, in terms of functionality and resourcing, you need to think about what the core functions that you, as an institution, need to operate. What does it mean, and what is needed when a bad thing will happen."

Some colleges have experienced a third-party breach before. Nearly 900 colleges were affected by the 2023 MOVEit cyber breach, which impacted third-party vendors, like the National Student Clearinghouse, TIAA and Corebridge.

Because of prior hacks, many colleges and universities ramped up their security considerations for third-party contractual arrangements, Rodgers said.

"So that's why we anticipate that this particular breach will probably not have that significant impact on the colleges and universities, other than the widely reported disruption in operations," he said.

Along with vulnerabilities through third-party platforms, the hack also "underscores systemic gaps in access governance and vendor oversight – the risk of granting broad permissions and relying on decentralized IT models that make consistent security enforcement difficult," said Bhanu Patil, managing partner at SunBright Advisory Partners, a strategic consulting firm.

Systemic "concentration risk" exists in shared SaaS providers for K-12 schools and universities, reinforcing "the need for stronger third-party risk management, tighter identity and MFA controls, and robust governance for vendors around data access and bulk exports," she said.

These types of cyberattacks require institutions to do more homework on where their core needs and dependencies lie, market participants said.

But even with these efforts, cyber risk is large and growing and cyberattacks will continue. "So knowing your dependencies, being thoughtful about how you build in that institutional capability – It has become a foundational element of how you need to operate," Niejelow said.
