21 Oct 2022

Risk protection arrangement (RPA) for academy trusts – what does the cybersecurity section mean for me?

Failure to comply with the terms of the cybersecurity section (14) of the RPA could mean that your RPA cyber insurance cover is invalid. This blog aims to describe the key elements required to help ensure that you stay compliant. These changes include the use of offline backups, undertaking National Cyber Security Centre (NCSC) training, registering with the Police CyberAlarm, as well as having a cyber response plan in place.

Offline Backups

Education providers must take the necessary steps to back up any relevant data offline. When we refer to the term ‘offline’, this is an area that is not accessible to your internal network. For example, a storage drive (or Network Attached Storage drive) that is disconnected from the internal network or using cloud storage. Cloud storage is segregated from the internal network and provides physical separation from the live environment in the event of a physical disaster (i.e. a fire). Offline backups ensure that in the event of a cyber-attack, you still have an unaffected copy of your data. This makes your recovery process easier. It is vital to confirm the backups taken are useable and allow for a full-scale system restore in the event of a disaster.

Organisations should take the following actions:

  • Backups are held offline and are separated from the network or in cold storage. The NCSC recommends following the 3-2-1 rule, with at least 3 copies of the data, on 2 devices with 1 being offsite.
  • Backing up the correct data is vital. This includes, but not limited to, data relating to exams/coursework, student/staff data and other key elements.
  • Backups must be tested. Not only does this include checking that they are being taken regularly but that they are useable in a full-scale system restore.

National Cyber Security Centre (NCSC) training

With over 85% of successful cyber-attacks initiating from human error, it is no surprise that one condition of section 14 is that all employees or governors who have access to the member’s information technology system must now undertake NCSC training (or equivalent cyber awareness training).

A 36-minute training video can be distributed to all staff to watch individually or, more commonly, played in INSET days to groups of staff. A register should be kept to easily evidence which members of staff have undertaken the training in the event of a claim. With 83% of cyber-attacks being due to phishing emails, it is important users are kept up to date

Police CyberAlarm

Police CyberAlarm is both a connection to your local police Cyber Protect team and an award-winning tool used to detect and report suspicious activities within your network. All members must now register with Police CyberAlarm. The Police CyberAlarm tool can be used to provide members with frequent reports detailing vulnerabilities on the network, information regarding latest threats and security best practices as well as detecting any suspicious activities. Whilst the CyberAlarm tool monitors and records network traffic, it has been confirmed that the tool does not capture any data that would put personal data at risk.

Cyber Response Plan

The final condition set out in section 14 states you must now have a cyber response plan in place. A cyber response plan details the process that should be invoked in the event of a cyber-attack or data breach. It ultimately supports an organisation so you know what to do when it happens. A cyber response plan should include, but is not limited to, the individuals responsible for the data management, IT restore / recovery process, physical site security and public relations including key contact details for individuals such as IT managers, headteachers, backup providers and legal representatives. Note, these categories are recommended, but not definitive – each cyber response plan should be tailored to the specific organisation. A school-specific template can be found within the RPA Risk Management portal.

Overall, section 14 of the RPA encourages organisations to take a proactive stance against cyber security. With the introduction of offline backups, NCSC training, the Police CyberAlarm and a cyber response plan, organisations stand a much higher chance of mitigating or recovering in the event of a cyber threat.

For more information regarding section 14 of the RPA or to discuss how the cyber services team at PKF Francis Clark can assist your organisation, feel free to reach out for a free of charge initial call/meeting with our cyber security Director, Phil Osgathorpe.

Get in touch

Related insights

Charles Bell at Bristol harbourside

Bristol-based Charles Bell becomes our newest licenced insolvency practitioner

15 July 2026

Read
New cars in a showroom

Employee Car Ownership Scheme changes delayed until 2030

15 July 2026

Read
Houses of Parliament in London

What businesses need to know about the Finance Bill 2026-27

14 July 2026

Read

Ecosystem services: some tax clarity

13 July 2026

Read

VAT Capital Goods Scheme (CGS) changes from 29 July 2026

10 July 2026

Read
Nick Farrant, of PKF Francis Clark

Poll: finance leaders resilient despite rising costs and economic uncertainty

9 July 2026

Read
A group of people sitting around a conference table engaged in a discussion. One person is standing, while three others are seated with laptops, notebooks, and coffee cups in front of them.

Why CSOPs are worth revisiting

2 July 2026

Read
Angus Hunter, Nick Crandon, James Thomas and Richard Drewitt outside PKF Francis Clark's Exeter office

Congratulations to our newly promoted directors

1 July 2026

Read
Two men in suits discussing a business transaction.

Why preparation is more vital than ever in today’s market

29 June 2026

Read

PKF Francis Clark celebrates multiple wins at South West Insider Dealmakers Awards

29 June 2026

Read
A vessel laden with shipping containers at port as the sun begins to rise.

New transfer pricing reporting requirements expected from 2027 

26 June 2026

Read
A father strolls down the beach holding his son on one hip.

Temporary 5% VAT cut for children’s meals and family attractions explained

26 June 2026

Read