What is the RPA, and how can a school use it to protect against cyber threats?

Schools need to protect many different stakeholders and assets from unexpected events. Schools also have statutory duties, like any employer, to hold appropriate liability cover. Since September 2014 there has been an alternative to traditional commercial types of insurance cover, uniquely for schools.

Called the risk protection arrangement (RPA), it was introduced following the publication of independent analysis which showed that it would be cheaper for academy trusts if the UK government covered risks instead of commercial insurers. From 1 April 2020, the scheme expanded so local authority maintained schools were able to join.

RPA aims to protect schools against losses due to any unforeseen and unexpected event. Under RPA, where losses occur, they are covered by the UK government.

Schools classified as public sector schools can join the RPA. By September 2021 over 8,500 schools were members of the scheme. The cost of joining is based on the number of pupils in a member school, it is currently £21 per pupil per year.

Cover is comparable to that offered by a commercial insurance policy. Categories of cover include:

  • Employers’ liability
  • Third part liability
  • Governor liability
  • Professional indemnity
  • Damage to school property
  • Travel in the UK and overseas
  • Legal expenses
  • Business interruption

Cover for cyber threats

Following a 500-school pilot scheme, cover for cyber security incidents has been added to the threats covered.

To allow more schools to be eligible, and able to take advantage of the cover on offer from the RPA, at the end of the pilot the DfE changed the criteria. Cyber cover is now included if a school meets the following four conditions:

  1. Have offline backups.
  2. All employees or governors who have access to the RPA Member’s information technology system must undertake National Cyber Security Centre (NCSC) Cyber Security Training.
  3. Register with Police CyberAlarm.
  4. Have a Cyber Response Plan in place.

We have written blogs on backups, training, response plans and Police CyberAlarm to give you more information on how to meet the individual criteria.

Full details of the RPA are on the DfE website.

We have published blog pieces on the other elements of the RPA cyber protection. They cover:




back to top button
back to top button