Duty of Care: Digital Oversight, Cyber Risk and Insurance in Schools

SSS Learning 4 min read
Duty of Care: Digital Oversight, Cyber Risk and Insurance in Schools feature image

In our previous article which focused on the duty of care of governors Duty of Care for Governors, we explored the broad responsibilities boards hold in relation to safeguarding, risk, and culture. That same responsibility now extends into the digital world.

Today, governors are expected to have oversight of matters that, until recently, were often left to the remit of IT staff, such as internet filtering, online monitoring, cybercrime prevention, and the insurance cover to protect schools should things go wrong.

For many governors, this is unfamiliar territory. However, with cyber threats increasing, new guidance from the DfE, and public expectation that children are kept safe online as well as in the classroom, boards cannot afford to sit back. Governors need to be confident that the right protections are in place and that they know what questions to ask to audit provision.

Filtering & Monitoring: Statutory expectations

All schools and colleges must have systems to filter harmful content and monitor online use to keep pupils safe. The DfE’s updated standards raise the bar. They require governing bodies to:

  • Check that appropriate filtering and monitoring are in place
  • Ensure these systems are reviewed at least once a year and that the review is documented
  • Confirm that blocklists of illegal content (e.g. from the Internet Watch Foundation) cannot be bypassed
  • Understand the limits of filtering – for example, whether harmful material created by AI can be detected
  • Make sure monitoring is meaningful: that it generates alerts, triggers the right safeguarding responses, and feeds into the work of the DSL

Keeping children safe in education (KCSIE) 2025 also highlights that staff must be trained in how filtering and monitoring work, with the DSL taking responsibility for linking it directly into the safeguarding remit.

Cybersecurity and the risk of attack

Filtering and monitoring are only part of the picture. Schools also face risks from hacking, phishing, and ransomware. The DfE’s Cyber Security Standards for Schools and Colleges (Meeting digital and technology standards in schools and colleges - Cyber security standards for schools and colleges - Guidance - GOV.UK) set out what good practice looks like.

  • Schools should carry out a cyber risk assessment every year and update it regularly.
  • A senior leader should take on the role of digital lead, working with the Data Protection Officer, IT support, and finance staff to ensure risks are managed.
  • Technical basics matter: up-to-date security patches, firewalls, antivirus software, secure staff accounts, and multi-factor authentication for sensitive access.
  • Backup is essential. The ‘3-2-1 rule’ (three copies of data, on two types of storage, with one offsite) helps make sure data can be restored quickly.
  • Schools should rehearse their response to a cyber incident, just as they would for a fire drill. This includes having a clear business continuity plan and reporting serious breaches properly.

Although not mandatory for most schools, Cyber Essentials certification is a recognised way of showing that minimum standards are met. It also reassures insurers and parents that the school takes the issue seriously.

Insurance: protecting the school when things go wrong

Cyber risk is not just about technology. It can bring financial and reputational damage. Governors should check whether the school’s insurance policy covers:

  • Cyber incidents such as hacking or ransomware.
  • Costs of forensic investigation and legal advice.
  • Business interruption if IT systems are unavailable.
  • Reputational support and regulatory fines.

Some schools use the DfE’s Risk Protection Arrangement (RPA) instead of commercial insurance. If so, it is important to check whether cyber incidents are included, and what conditions apply (for example, having secure backups in place).

Questions every board should be asking

Governors don’t need to be IT experts, but they do need to be curious and persistent. Useful questions include:

  • Filtering and Monitoring: Have we reviewed our systems this year? Can they block illegal and harmful content? What happens when a monitoring alert is raised?
  • Cyber Security: When was our last risk assessment? Who is our SLT digital lead? Are staff accounts secure, and do we use multi-factor authentication? Are backups tested?
  • Insurance: What exactly does our policy or RPA cover? Are there exclusions? Have premiums changed?
  • Governance: How often do governors see reports on filtering, monitoring, and cybersecurity? Are governors given training to understand the basics of cyber risk?

Practical steps for boards

  • Arrange an independent review – commission an audit of filtering, monitoring, and cybersecurity.
  • Put cyber risk on your risk register – ensure it is considered alongside other safeguarding risks.
  • Ask for regular reports – dashboards showing incidents, system health, and recovery tests.
  • Clarify roles – identify which leaders are responsible for each aspect of digital safety.
  • Train governors – a short briefing on cyber risks will build confidence and improve oversight.
  • Update policies – make sure online safety, data protection, and disaster recovery policies are up to date.
  • Test your response – run a tabletop exercise to see how the school would handle a real cyber incident.

Digital safety is no longer just an IT issue. It is part of a school’s safeguarding responsibility, and governors play a vital role in ensuring systems are robust, risks are managed, and insurance cover is sufficient.

By moving from passive assurance, such as ‘we have an IT provider’, to active oversight, boards can help protect pupils, staff, and the reputation of the school. In an age where technology underpins every aspect of education, this level of governance is essential.

SSS Learning

1 October 2025