A growing number of public entities and educational institutions across the United States have fallen victim to cyberattacks in the last 18 months. According to Microsoft, government systems now rank as the third most targeted by nation-state attackers.
Check Point, a cybersecurity firm, has also reported that educational institutions face more than 3,000 cyber threats each week - a figure that highlights the scale and persistence of the problem.
Tom Finan, senior vice president in WTW’s FINEX cyber/E&O practice, said that public entities are highly exposed due to the types of data they store and the services they provide. He pointed out that these organisations are responsible for maintaining large volumes of personally identifiable information and often rely on outdated systems that are vulnerable to exploitation.
For public sector risk managers, this adds to an already complex and resource-constrained risk management landscape.
“Public entities, including education organisations, are treasure troves of sensitive data,” Finan said. “They often store personal information (e.g., linked to voter registration), tax records and other sensitive information (e.g., handicap stickers in cars with linked health information).”
The operational urgency of these institutions also contributes to their risk profile. Finan explained that attackers understand how crucial it is for public services to continue uninterrupted. The potential for disruption – as whether it involves tax collection, court operations, or public safety – gives cybercriminals significant leverage in ransom negotiations.
“Threat actors know that these public entities must continue to operate and serve the public and maintain public confidence,” he said. “They consequently believe that public entities are more likely to pay ransoms to avoid costly/lengthy disruptions (e.g., uncollected taxes, unscheduled court cases, unpaid salaries), dangerous interruptions (e.g., undispatched police and fire protection services) and reputational damage.”
Ransomware continues to represent one of the most pressing risks. Finan noted that nearly one-third of cyber claims in the public sector involve ransomware incidents. These attacks are particularly damaging given the limited technical resources available to many institutions, further complicating risk management efforts.
“Given the lack of robust defences and the general stakes for these entities, ransom demands tend to be exorbitant,” he said. “Public entities have no guarantee that their data will be released uncorrupted. In the wake of an event, they instead must spend time ensuring attackers didn’t hide backdoors that would let them re-launch an attack.”
Disruptive cyber activity extends beyond ransomware. Finan pointed to the role of hacktivism in targeting public entities, often for political or ideological reasons. These attacks can result in prolonged downtime and exposure of sensitive data, regardless of financial motive.
“Hacktivists may try to take online systems down for extended periods, expose private data, or cause other inconveniences to the entity to express their displeasure with government leaders and the actions they take (e.g., passage of a law they don’t like),” he said.
Many of these vulnerabilities stem from longstanding structural constraints. According to Finan, public sector organisations typically operate with outdated infrastructure, limited cybersecurity staffing, and constrained budgets. These conditions slow response and recovery efforts, often forcing agencies to prioritise critical systems and delay full restoration.
“Public entities typically have smaller cybersecurity staffs and smaller cybersecurity budgets, along with aging cyber infrastructure. This makes their networks easier to attack,” he said. “Response and recovery times are slow for under-staffed and underfunded public entities, whether a cyberattack involves ransomware or some other exploit.”
Higher education institutions face additional complications due to the open, collaborative nature of their digital environments. Finan said that while these environments support academic goals, they also create friction with the tight controls needed for cybersecurity. Many institutions have responded by seeking cyber liability insurance tailored to catastrophic events, though coverage limits remain modest.
“The nature of higher education demands a collaborative, teaching, learning and research environment routinely based on open, shared technology,” he said. “This demand is often at odds with tight security controls.”
As public sector exposure has increased, insurers have responded by tightening underwriting and increasing premiums. Finan observed that even entities with mature controls are seeing costs rise. The economic burden has become particularly acute for jurisdictions with limited funding.
“Premiums for states and localities have ballooned in recent years, even if they have all the required controls in place,” he said. “Cyber insurance instead has become increasingly impractical and/or unaffordable for clients with smaller budgets.”
For public sector risk managers, this means grappling with escalating insurance costs while attempting to maintain baseline security controls. The lack of viable insurance options poses a broader risk to the sector. Finan warned that without the ability to transfer risk, public entities could face lasting operational and reputational damage. He noted that many officials see insurance as essential, even if they struggle to maintain coverage.
“Many states and localities believe the cost of not having cybersecurity insurance is incalculable,” he said. “Without the ability to adequately transfer risk, public entities could face greater financial and reputational risks from cyberattacks, which could have negative credit implications.”
In response to the coverage gap, Finan outlined a proposal that would involve collaboration between brokers, carriers and cybersecurity assessment providers. The model is based on improving the cyber resilience of public entities while creating more favourable conditions for underwriting.
For Finan, assessments are also central to enabling this model. He said that giving carriers a role in shaping assessments and access to results can improve underwriting outcomes and risk management across the board.
“If carriers have a say in how they’re conducted, have access to results and obtain commitments from insureds to target gap areas for improvement, a multi-prong collaboration can form,” he said.
The initiative, he added, could lead to benefits for all involved. Clients can document cybersecurity improvements, carriers gain visibility into risk posture, providers expand their service reach, and brokers can better advocate for clients seeking coverage.
“The need is clear,” Finan said. “The time for this win-win-win-win is now. Our public entity and education clients await.”
What are your thoughts on this story? Please feel free to share your comments below.
