Likelihood: HIGH
Impact: HIGH
Treatment: MITIGATE
Confidence: Moderate
Likelihood is high because Instructure has confirmed that a breach occurred; Canvas serves thousands of institutions, making it a high-value target with a broad blast radius; and the scope of data accessed remains undisclosed, leaving affected institutions unable to determine their own exposure. Impact is high because Canvas is a mission-critical platform for course delivery, grading, and student records; any confirmed access to student PII or academic records triggers FERPA-related obligations, reputational exposure, and potential regulatory scrutiny across multiple affected institutions simultaneously.
Treatment rationale: Institutions cannot avoid or transfer a third-party breach that has already occurred. The primary action is active mitigation: demanding disclosure from Instructure, activating internal incident response, and implementing compensating controls while the scope remains unquantified.
Third-Party / Supply-Chain Risk
This is a textbook instance of the third-party concentration risk addressed by NIST SP 800-161 (Cybersecurity Supply Chain Risk Management). Instructure is a single cloud-hosted vendor providing a shared-platform SaaS service to thousands of institutions. Affected organizations have no direct visibility into Instructure's security controls, breach scope, or forensic findings, and are entirely dependent on Instructure's disclosure timeline and remediation actions. The shared-platform model means that a single compromise creates simultaneous exposure across the entire institutional customer base, a supply-chain risk multiplier that individual institutions cannot unilaterally control or bound.
Loss Exposure (illustrative)
Magnitude: Moderate to high — illustrative range $250K–$2M per affected institution, varying by enrollment size, depth of data exposure, and regulatory posture
Frequency: This is a realized single-occurrence event for affected institutions; recurrence risk is conditional on Instructure's remediation completeness and future vendor security posture
Annualized: Insufficient basis for a defensible annualized loss expectancy (ALE) figure, given that breach scope, number of records involved, and regulatory outcome are all unconfirmed at the time of this assessment
Basis: Range is illustrative and derived from first-principles cost components specific to this scenario: incident response and forensic engagement to assess institutional-side exposure (moderate cost, since the root cause is vendor-side), FERPA-related notification and legal review costs if student records are confirmed compromised, reputational and enrollment risk at tuition-dependent institutions, and potential regulatory response costs. No third-party benchmark reports were used. The upper end of the range reflects larger institutions with higher enrollment and greater regulatory surface; the lower end reflects smaller institutions with limited direct data exposure.
Illustrative estimate — not actuarially derived.
Insurance / Contractual / Legal — Potential Obligations
Potential triggers, not legal determinations. Verify with counsel/broker before acting.
• Student PII exposure (grades, communications, records) may trigger FERPA-related institutional obligations and state student data privacy law breach-notification requirements. Note that FERPA itself contains no breach-notification mandate; notification duties, where they exist, generally arise under state law, while FERPA's recordkeeping rule (34 CFR 99.32) requires the institution to record any unauthorized disclosure in the affected students' education records — verify with counsel.
• A confirmed breach by a critical SaaS vendor may constitute a reportable event under institutional cyber-insurance policies — verify notice obligations and timelines with broker.
• Institutional data-processing agreements or vendor contracts with Instructure may contain breach-notification, SLA breach, or indemnification clauses relevant to this incident — verify with counsel.
• If federal funding is associated with affected institutions, data stewardship obligations under relevant federal program requirements may be implicated — verify with counsel.