Provided by AGP
Standardized engagement helps institutions validate their response against FERPA, GLBA Safeguards Rule, state student-privacy statutes, and HIPAA as applicable
NORTH LIBERTY, IA, UNITED STATES, May 20, 2026 /EINPresswire.com/ -- Cybersecurity services firm ProCircular today opened its Canvas After-Action Assessment to higher education and public research institutions affected by, or concerned about, the recent Canvas cyber incident, regardless of whether they are current ProCircular clients.
ProCircular built the assessment alongside the cybersecurity program at a Big Ten university responding in real time. It was shaped by the compliance and continuity questions the institution was facing in the days after the disclosure. The engagement is now a standardized, fixed-scope offering for institutions on the ShinyHunters list of 8,809 affected schools and for any institution seeking an independent assessment of potential Canvas exposure.
Instructure, the company behind Canvas LMS, detected a service disruption on April 30 and confirmed it as a cybersecurity incident on May 1. ShinyHunters claimed responsibility on May 3 and published a leak deadline of May 12. Confirmed exposed data includes names, institutional email addresses, student ID numbers, and messages exchanged between users inside Canvas. The threat actor’s broader claims of 275 million records and 3.65 terabytes of data have not been corroborated by Instructure. Major universities including the University of Pennsylvania, Duke, and the University of Michigan have publicly confirmed inclusion on the actor’s list. For affected institutions, the issue is no longer just what happened at the vendor, but what must now be validated, documented, and prioritized inside the institution’s own environment.
“The institution’s response is not the vendor’s response,” said Aaron R. Warner, CEO of ProCircular. “Instructure rotated its platform credentials. What that work doesn’t reach is the inside of your tenant—the developer keys, LTI integrations, webhook subscriptions, and federated SSO grants your institution authorized over the past several years. Our assessment is built around the questions Higher Education leaders are actually working through right now: what data flowed through Canvas at this institution, which notification obligations apply, and what a clear 90-day plan looks like. The PowerSchool sequence from late 2024 is the closest analog and a useful study, including the part where districts received direct emails five months after the vendor’s payment.”
Built for the Next 90 Days
The Canvas After-Action Assessment draws on ProCircular’s Business Continuity Planning and Business Impact Analysis methodology, refined through active breach-response work. The engagement covers six work streams: incident timeline reconstruction and threat actor analysis, response and escalation effectiveness assessment, communications and duty-of-care review, recovery and resilience validation, a tenant-level technical audit, and a prioritized remediation roadmap.
Each work stream is designed to produce usable compliance evidence. The assessment validates institutional response against FERPA and the limits of FERPA, the GLBA Safeguards Rule (revised June 2023, applicable to all Title IV institutions), and the applicable state student-privacy statute—California SOPIPA, New York Education Law §2-d, Colorado HB 16-1423—and the patchwork in between. HIPAA is covered where covered components exist: academic medical centers, student health services, and research involving protected health information. PCI DSS is covered where payment data flowed through Canvas integrations. Technical findings are organized against NIST Cybersecurity Framework 2.0 and HECVAT 4.0 so they move directly into vendor-risk and insurance-carrier conversations without translation.
The assessment is built for institutions deciding what the right plan is now. It is appropriate for institutions on the ShinyHunters list, institutions that suspect Canvas exposure, institutions preparing for an inquiry from a state attorney general or insurance carrier, and institutions seeking an independent validation of their internal response. The engagement is fixed-scope and time-bound, and current ProCircular client status is not required. ProCircular supports clients throughout an incident, including decisions around active extortion or ransom situations, and coordinates with legal counsel, cyber insurance carriers, and dedicated ransom-negotiation specialists when appropriate.
Deliverables include an Incident Response and Extortion Risk Assessment Report, a Secondary Victim Impact Analysis covering students and faculty, and a phased implementation roadmap.
“We’ve been monitoring this incident since the May 1 disclosure,” said Jim Sherlock, VP of AI and Cybersecurity R&D at ProCircular, who co-developed the assessment with Michael Johnson, a Senior GRC Analyst at the firm. “Institutions that complete this work in the next 60 days will have a written answer when their auditor, their state AG, or their insurance carrier asks, and an executive team that has already worked through the decisions that come up in extended incidents like this one.”
About ProCircular
ProCircular is a cybersecurity consulting firm founded in 2016 and headquartered in North Liberty, Iowa, providing offensive cyber operations, defensive cyber operations, and governance, risk, and compliance services to mid-market organizations across the United States. The firm has been named to the Inc. 5000 multiple times, and CEO Aaron Warner was recognized as the SBA’s 2023 Iowa Small Business Person of the Year. Learn more at procircular.com.
Hasmik Piliposyan
RedIron PR
hasmik@redironpr.com