• Home Insights Risk protection arrangement (RPA) for academy trusts – what does the cybersecurity section mean for me?
21 Oct 2022

Risk protection arrangement (RPA) for academy trusts – what does the cybersecurity section mean for me?

Failure to comply with the terms of the cybersecurity section (14) of the RPA could mean that your RPA cyber insurance cover is invalid. This blog aims to describe the key elements required to help ensure that you stay compliant. These changes include the use of offline backups, undertaking National Cyber Security Centre (NCSC) training, registering with the Police CyberAlarm, as well as having a cyber response plan in place.

Offline Backups

Education providers must take the necessary steps to back up any relevant data offline. When we refer to the term ‘offline’, this is an area that is not accessible to your internal network. For example, a storage drive (or Network Attached Storage drive) that is disconnected from the internal network or using cloud storage. Cloud storage is segregated from the internal network and provides physical separation from the live environment in the event of a physical disaster (i.e. a fire). Offline backups ensure that in the event of a cyber-attack, you still have an unaffected copy of your data. This makes your recovery process easier. It is vital to confirm the backups taken are useable and allow for a full-scale system restore in the event of a disaster.

Organisations should take the following actions:

  • Backups are held offline and are separated from the network or in cold storage. The NCSC recommends following the 3-2-1 rule, with at least 3 copies of the data, on 2 devices with 1 being offsite.
  • Backing up the correct data is vital. This includes, but not limited to, data relating to exams/coursework, student/staff data and other key elements.
  • Backups must be tested. Not only does this include checking that they are being taken regularly but that they are useable in a full-scale system restore.

National Cyber Security Centre (NCSC) training

With over 85% of successful cyber-attacks initiating from human error, it is no surprise that one condition of section 14 is that all employees or governors who have access to the member’s information technology system must now undertake NCSC training (or equivalent cyber awareness training).

A 36-minute training video can be distributed to all staff to watch individually or, more commonly, played in INSET days to groups of staff. A register should be kept to easily evidence which members of staff have undertaken the training in the event of a claim. With 83% of cyber-attacks being due to phishing emails, it is important users are kept up to date

Police CyberAlarm

Police CyberAlarm is both a connection to your local police Cyber Protect team and an award-winning tool used to detect and report suspicious activities within your network. All members must now register with Police CyberAlarm. The Police CyberAlarm tool can be used to provide members with frequent reports detailing vulnerabilities on the network, information regarding latest threats and security best practices as well as detecting any suspicious activities. Whilst the CyberAlarm tool monitors and records network traffic, it has been confirmed that the tool does not capture any data that would put personal data at risk.

Cyber Response Plan

The final condition set out in section 14 states you must now have a cyber response plan in place. A cyber response plan details the process that should be invoked in the event of a cyber-attack or data breach. It ultimately supports an organisation so you know what to do when it happens. A cyber response plan should include, but is not limited to, the individuals responsible for the data management, IT restore / recovery process, physical site security and public relations including key contact details for individuals such as IT managers, headteachers, backup providers and legal representatives. Note, these categories are recommended, but not definitive – each cyber response plan should be tailored to the specific organisation. A school-specific template can be found within the RPA Risk Management portal.

Overall, section 14 of the RPA encourages organisations to take a proactive stance against cyber security. With the introduction of offline backups, NCSC training, the Police CyberAlarm and a cyber response plan, organisations stand a much higher chance of mitigating or recovering in the event of a cyber threat.

For more information regarding section 14 of the RPA or to discuss how the cyber services team at PKF Francis Clark can assist your organisation, feel free to reach out for a free of charge initial call/meeting with our cyber security Director, Phil Osgathorpe.

Written by

Phil Osgathorpe

Director and head of IT audit and cyber security
View profile

Get in touch

Related insights

Three people in business attire are seated at a desk in an office, reviewing a document together. The person on the left is pointing at the document while the other two look on attentively.

How a members voluntary liquidation fits into succession and exit planning

14 October 2025

Read
Rob Gear, corporate finance partner at PKF Francis Clark

Rob Gear promoted to partner in our corporate finance team

1 October 2025

Read

A summary guide to agricultural property relief (APR)

29 September 2025

Read
path leading to farm

Landwise: farming and estates magazine

24 September 2025

Read
A man is looking at his accounts on a computer screen.

Making Tax Digital for Income Tax: All you need to know

24 September 2025

Read
A group of six people in a modern office setting having a meeting around a glass conference table. One person is standing and speaking, while the others are seated and listening attentively.

When and how to prepare for a business exit

23 September 2025

Read
A family business owner with his two adult sons. The man has his arms around his two adult sons who are holding a pint of cider each. They are all smiling and chatting. The setting is in a brewery.

Succession planning tips for family businesses

17 September 2025

Read
A female construction worker if safety gear stands on scaffolding, smiling as she holds on to to a metal bar.

Construction industry scheme and IR35: are you compliant or at risk?

17 September 2025

Read
business people sit around a table and one, a man stands talking, they are in a modern office and all wearing smart suits

Corporate criminal offence (CCO): As enforcement activity ramps up, is your business ready?

16 September 2025

Read

Will planning ahead of APR / BPR changes: Understanding the tax implications

15 September 2025

Read
The full PKF Francis Clark accounting and tax trainee intake

Welcome to our latest accountancy and tax trainees

10 September 2025

Read
Two colleagues deep in thought discussing what they see on a laptop

Understanding PAYE settlement agreements

10 September 2025

Read