Academy trusts hold considerable amounts of public money as well as highly sensitive information and data on pupils, staff and suppliers. The way that controls are implemented to protect and manage funds and data is vital, says Hillier Hopkins.
Cyber security threats pose real dangers to academy trusts. The nature of those threats continues to change as trusts embrace new ways of working and new technology, and as cyber criminals become ever more sophisticated.
The risk to trusts is very real. Senior leadership teams and trustees are responsible for recognising threats, taking steps to mitigate them, and reporting any data breaches or cyber security incidents.
The nature of cyber threats
All academy trusts will need to take time to review and identify potential cyber threats and update their risk registers.
Many of these threats are not new, but the way criminals operate changes constantly, meaning staff need to remain vigilant.
The Covid-19 pandemic has changed the way trusts work: remote working reduces oversight and increases the use of personal devices, both of which widen the attack surface available to cyber criminals. Staff can also expose trusts to attack, whether inadvertently or, in the case of disgruntled employees, deliberately.
I do not intend to outline the various types of cyber threat facing trusts in this article, but phishing, malware and ransomware attacks remain prevalent. The Department for Education was concerned enough that in April last year it wrote to all schools to alert them to the increased risk and to remind them of best practice.
John Gilbert, the Chief Information Officer at the Department for Education, said: “It is important that as heads of multi-academy trusts you understand the nature of the threat and the potential for ransomware to cause considerable damage to your institutions in terms of lost data and access to critical services. Part of this is identifying your ‘crown jewels’ and ensuring you have an incident action plan, along with your defences. Having the ability to restore the systems and recover data from backups is vital in the event of an incident.”
The Academy Trust Handbook
The Academy Trust Handbook is very clear on the steps trusts must take to identify and minimise risk.
Paragraph 6.11 says that trusts “must be aware of the risk of fraud, theft and irregularity and address it by putting in place proportionate controls,” adding that trusts “must take appropriate action where fraud, theft or irregularity is suspected or identified.”
Paragraph 6.16 goes further saying that trusts “must be aware of the risk of cybercrime, put in place proportionate controls and take appropriate action where a cyber security incident has occurred.”
The Handbook also states, in paragraph 6.12, that the board of trustees must notify the ESFA of all incidents of fraud, theft or irregularity exceeding £5,000 individually or £5,000 cumulatively in any financial year. Unusual or systemic fraud must also be reported, irrespective of value.
Whilst the Handbook does not forbid trusts from paying ransom demands, it adopts the National Crime Agency’s position of not encouraging, condoning or endorsing the payment of such demands. The Handbook says “payment of ransoms has no guarantee of restoring access or services and is likely to result in repeat incidents”.
Trusts must obtain permission from the ESFA before paying any ransom demand.
In practice
Trustees, governors and senior leadership teams need to be aware of these potential risks and make sure they are recorded in the risk register. Each risk should be described in detail and listed alongside the controls in place to mitigate it.
Trusts are also obliged to report any cyber attack, whether attempted or successful. A failure to report is considered a breach of the Handbook and will be recorded at the time of the annual audit in the Independent Reporting Accountant’s Assurance Report on Regularity.
The report on regularity is included in the year-end financial statements, alongside the audit report and accounts, and becomes a public document: it is published on the trust’s website and filed at Companies House.
Repeated incidents flagged in the regularity report can leave trusts open to investigation by the ESFA, which could issue a ‘Notice to Improve’. The ESFA publishes reports about its investigations and about financial management and governance reviews, so whilst trusts will not be fined, they will be named and shamed.
A robust programme of internal audit provides independent and objective scrutiny of internal controls and can highlight potential areas of weakness. Trusts should work with their internal auditors to agree a robust programme of work, and one area that should be included is the risk register and the cyber threats recorded in it.
How Hillier Hopkins can help
Hillier Hopkins offers a 30-strong highly experienced education team that works with 32 academy trusts alongside many independent schools.
Our team can provide a full range of support including an internal audit for academy trusts as well as audit, accounts preparation, VAT and tax advice.
In a complex and evolving landscape, training and development of the audit team is vital. Hillier Hopkins runs a continuous training programme delivered by internal and external experts.
That ethos of continued training and development extends to our clients through a regular seminar programme supported by newsletters and technical updates.
Hillier Hopkins also offers a telephone helpline for its academy trust clients where routine questions can be addressed free of charge.