
Hannah Hays, Senior Underwriter, Public Entity & Cyber at Munich Re Specialty, emphasizes that with higher attack frequency and rising recovery costs, public entities should seriously consider comprehensive cyber coverage.
Government entities have become prime targets for cybercriminals due to their management of critical infrastructure and vast repositories of personal and financial data. Munich Re’s 2025 cyber report, Cyber Insurance Risks and Trends 2025, revealed that government, manufacturing, and technology sectors are particularly susceptible to cyberattacks, with public entities facing ransomware attacks, phishing scams, and data breaches involving sensitive citizen information.
The threat landscape for public entities extends beyond direct attacks to include supply chain vulnerabilities that can trigger massive disruptions. The 2024 CrowdStrike outage, caused by a faulty security update, created one of the largest IT outages in history and highlighted how third-party incidents can cripple public operations. These supply chain risks can be covered by cyber insurance but present unique underwriting challenges.
Educational institutions within the public sector face particularly severe exposures, as demonstrated by the PowerSchool data breach in December 2024. This incident compromised approximately 62 million students’ personal information, leading to an ongoing extortion attempt with a $2.85 million ransom paid to a 19-year-old attacker, with no guarantee that the compromised data would be deleted.
“We’re observing new ways these organizations are being attacked, even through their suppliers,” Hays explains. “With increasing digitalization, public entities face more frequent and severe cyber events, which is why they should seriously consider purchasing cyber insurance.”
The sophistication of attacks continues to evolve, with cybercriminals employing double encryption tactics where they encrypt data and then release it publicly. Organizations must then address recovery costs to restore data and networks while mitigating business interruption, expenses typically covered under cyber policies.
Resource Constraints Create Unique Challenges
Public entities operate under distinct disadvantages compared to private sector organizations, primarily stemming from budget constraints and staffing limitations. These factors make cyber risk management particularly challenging when developing comprehensive risk management programs.
“Public entities have limited budgets, of course, and less flexibility to absorb unexpected costs,” Hays notes. Unlike private companies that can quickly pivot resources or secure emergency funding, public entities must navigate bureaucratic budget approval processes that can delay critical security investments.
Legacy systems compound these challenges, as many public entities struggle with outdated infrastructure while simultaneously managing multiple IT projects. IT personnel must balance their operational responsibilities with determining how to use limited funds effectively, constantly weighing whether to purchase additional insurance coverage or invest in system improvements.
The decision-making process becomes particularly complex when prioritizing cybersecurity investments. Public entities often struggle to identify where to focus their limited resources among various technical controls and system upgrades. This challenge spans across industries but presents unique complications for government entities operating under public scrutiny and regulatory requirements.
Insurance Partnerships Offer Comprehensive Solutions
The current cyber insurance market presents favorable conditions for public entities that make coverage more accessible and affordable. Cyber insurance premiums represent a relatively small line item in public entities’ risk management budgets, particularly when compared to rising property and casualty premiums.
Beyond traditional risk transfer, modern cyber insurance policies provide valuable resources that extend far beyond coverage limits. Munich Re Specialty offers partnerships with preferred vendors, providing insureds access to pre-breach risk management services and preferred rates for implementing endpoint detection and response (EDR) or managed detection and response (MDR) systems.
Complimentary services included with policies deliver significant value without additional costs. These services include tabletop exercises that help organizations practice incident response capabilities, phishing training, and social engineering education for employees. Many insurance carriers now implement similar approaches, recognizing the importance of prevention alongside traditional risk transfer.
The underwriting process incorporates both technical assessments and external scanning capabilities, with carriers partnering with third parties to evaluate networks from an external perspective and identify open vulnerabilities. However, Hays emphasizes that technical controls represent just one data point in the evaluation process.
“My favorite cybersecurity control is not actually a technical one. It’s more about awareness of where they are with their risk, which trickles down into everything they are doing,” Hays explains.
“Phishing is the leading cause that leads to ransomware and many other security incidents. Having that cybersecurity awareness across the organization and understanding for all employees is really what we look for when partnering with organizations.”
Despite the added value of these comprehensive offerings, some hesitancy exists among insureds regarding vendor services, often due to misconceptions about insurer oversight or control over systems. While these concerns may be valid in some scenarios, insurance carriers such as Munich Re Specialty, who have crafted their cyber risk management program with their insureds’ cyber maturity foremost in mind, guarantee complete confidentiality between the coverage holder and the providers who deliver the risk management services. In such cases, resources operate independently from underwriting evaluations and focus solely on helping organizations improve their security posture and bottom line.
The market outlook remains cautiously optimistic, with ransomware attack frequency declining year-over-year in the public entity sector, while recovery expenses continue rising. This creates uncertainty, making it an opportune time for public entities to evaluate coverage options and carrier partnerships.