US cyber losses hit $20.9bn in 2025: Public entities face significant cyber risk gap

‘In underwriting, we regularly see that government entities have unpatched, immediate, and verified risks’

By Emily Douglas

The FBI’s 2026 Internet Crime Report reveals that reported cyber losses hit nearly $21bn in 2025, and when a cyberattack hits a public entity - a school, a hospital, a governing body - the repercussions can go far beyond financial loss. Unlike private companies, these public services are integral to the day-to-day operations of society, as well as being home to incredibly sensitive and inherently private personal data, making an incident all the more destructive.

According to research from Microsoft, governing bodies are among the top three most targeted sectors worldwide for cybercrime, with Microsoft Entra data finding that they receive more than 600 million identity attacks per day.

“Public entities have very different risk profiles from private companies, and they have higher cyber risks, too,” added Hannah Hays, Senior Underwriter at Munich Re Specialty – North America. “The main vulnerability is relying on legacy systems, which can be hard to replace. Strict procurement rules make replacement of these systems difficult, and this creates easy entry points for attack. We also see a lot of decentralized IT departments that create blind spots for monitoring.”

The second vulnerability is limited cybersecurity budgets and staffing. As Hays told IB, there are competing priorities for funding within organizations right now, meaning cyber insurance can often be overlooked or under-resourced.

“There are visible public services, such as roads, schools, and emergency services, that take priority when allocating funds, and can create understaffed IT teams, limited response capabilities, and increased frequency and severity when there is a loss.”

Finally, there is the management of sensitive citizen and student data. Often, public entities store large volumes of Personally Identifiable Information (PII). These include tax records, health data, and student records. Public entities are also required to provide broad access and transparency to those records. That combination creates a larger attack surface and a higher breach impact.

As for the types of cyberattacks that hit these public entities, one is more common and more costly than the rest - ransomware. According to Munich Re’s report, the four main drivers of insured losses are ransomware, followed by data breach, business email compromise (BEC), and distributed denial of service (DDoS). As a primary driver of cyber loss, ransomware attacks are frequently used on public entities because of the essential services these institutions deliver and the impact any delays or disruptions would have on society.

The rise and impact of agentic AI

“Public entities often rely on third-party providers,” added Hays. “Take law enforcement, for example, they depend on real-time data for public safety, which makes their operations a particularly high-impact target for supply chain disruption attacks. They also face pressure to restore services quickly, meaning threat actors can leverage that urgency to demand higher ransoms.”

Then there is the issue of agentic AI - systems designed to operate autonomously, making decisions and taking actions to achieve specific goals with minimal human intervention. As Hays told IB, the integration of agentic AI into cyberattack chains is a growing threat. According to Hays, the first quarter of this year was the most hostile threat environment to date, with ransomware gangs launching AI-enhanced campaigns, making them increasingly dangerous, automated, and targeted.

“Malicious cases have clearly remained dominant with the overall picture heavily influenced by the increasing ransomware attacks,” added Hays. “However, non-malicious claims are also gaining significance. Those incidents are attributed to human error, flawed software, and misconfigurations, which affect public entities because of all those legacy systems.”

Global cybercrime projected to cost $14 trillion by 2028: Investing in your future

With all these threats on the horizon, and showing no signs of slowing down, public entities could be overlooking their overall exposure. As Hays told IB, she believes these bodies may be underestimating systemic risk and overestimating their ability to contain incidents.

“No system is completely secure, events do not often stay localized, recovery is not linear, and controls do not always work as designed. They are often focused on breach response because that has been the majority of where the claims and the losses are coming from.”

“Historically, they have underestimated the supply chain risk, including outages from trusted third parties. Visibility into vendor security controls can have an impact downstream in ways that are not anticipated - interruption-related expenses are often the largest financial impact. [Essentially], backups do not equal resilience. They often need to be tested, which could take weeks, and key systems may depend on each other in undocumented ways.”

With the projected global cost of $14 trillion in 2028, cybercrime is big business. In order to really meet and defeat these threat actors where they are, organizations need to start looking more closely at their internal budgets.

“AI models are accelerating rapidly and are influencing behavior, defense, and offensive cybersecurity,” added Hays. “We're in a world where AI can probe, find, and exploit weaknesses much faster than before, meaning real-time security monitoring, detection, and response capabilities are critical.”

Following that, there is also the option of outsourcing your security operations center (SOC) where possible, as well as deploying Endpoint Detection and Response (EDR) and Managed Detection and Response (MDR) solutions to catch ransomware and suspicious behaviour early.

“Then, there are continuous vulnerability assessments,” added Hays. “In underwriting, we regularly see that government entities have unpatched, immediate, and verified risks. The continued exploitation of these vulnerabilities remains a stark indicator of public sector patching cadence. As such, having better insight into vulnerabilities will allow the limited resources that public entities may have to focus on strengthening defenses and patching those vulnerabilities.”

Reflex: Impactful, adaptive cyber risk solutions

This really is where Munich Re Specialty – North America is perfectly placed to help with its innovative Reflex Cyber Risk Management™ program.

“Private-public aligned coordination is a core defense pillar for cybersecurity, particularly for public entities,” added Hays. “Reflex, our complimentary and confidential risk management services program, is included with our policies at Munich Re Specialty.”

Reflex offers complimentary, confidential, highly facilitated risk management services to address the prominent cyber risk mitigation needs of organizations, including vulnerability management, incident response training, advisory services, and education. For Hays, one of the core strengths of Reflex is its guidance on cybersecurity funding.

“This is a very exciting initiative that we have for 2026,” added Hays. “We're investing in funding advisory support for insureds to help them get direct access to an expert in cybersecurity grant programs, focusing on the application evaluation criteria, competitiveness, and the current policy priorities to apply for those funds. We also have vulnerability management, which means understanding where vulnerabilities are, patching cadence, and incident response exercises.”

The incident response training includes tabletop advisory services to pressure test response plans for organizations as well as phishing simulations to test employee awareness, both of which help public entities identify and address vulnerabilities before an incident unfolds.

“The tabletop incident response exercise can also help to reduce the likelihood and severity of the loss,” said Hays. “As well as improve their decision making during an incident and then shorten their recovery time.”

Looking ahead to what the future holds for cybersecurity in public entities, it is clear that the only real way of ensuring cyber confidence is by positioning insurance as part of a broader resilience strategy.

“Our team at Munich Re Specialty is [currently] thinking about how we can help position public entities to be prepared for the worst. That means investing in a robust cyber insurance solution, which can help solve a lot of challenges for public entities. It is about having visibility into those blind spots. At Munich Re Specialty, we offer complimentary risk management services such as scanning, insights, and human factor vulnerabilities risk management, including training and phishing.”

Aside from all of the technological advancements Munich Re Specialty offers, there is another element of its cyber offering that goes beyond tools - the human touch. Because, after all, cyber insurance has to help beyond just paying out the claim.

“With Munich Re Specialty, clients immediately have access to a response team, forensic experts, and breach coaches, which reduces downtime, shortens service disruption, and reduces the overall impact of the claim,” said Hays. “There is a whole team available that can help you respond to those incidents very quickly.”

Legal Disclaimer: This content is purely informational. The materials are not intended as official advice, binding insurance offers, or solicitations for any jurisdiction. Munich Re Specialty provides no warranties regarding the absolute completeness, correctness, or accuracy of this content.

This article was created in partnership with Munich Re Specialty
