
From Cyber Incident to Operational Crisis: What the Winona County Attack Reveals

A recent cyberattack on Winona County, Minnesota didn’t just impact IT systems. It disrupted critical services and required emergency support from the state’s National Guard to respond.  

And it’s far from an isolated case.  

Ransomware attacks alone against government entities more than tripled year-over-year (up 235%) between 2024 and 2025—underscoring how persistent and widespread cyber attacks have become across the public sector.  

But for risk pools, the bigger issue isn’t the incident itself. It’s what it reveals.  

If it can happen to one member, how many others are exposed in the same way?  

This Isn’t an IT Problem. It’s an Operational Failure. 

What stands out in this case isn’t just that an attack occurred; it’s how quickly it escalated.

Systems were taken offline. Services were disrupted. External intervention was required. This is where cyber risk stops being a technical issue and becomes an operational one.  

For public entity risk pools, that distinction matters. A cyber event doesn’t just impact a single member’s systems; it can interrupt essential services, strain resources, and introduce broader concerns across the portfolio.

And when similar exposures exist across multiple members, the risk isn’t isolated.  

Beyond Point-in-Time Assessments

Most pools today aren’t starting from zero. They have applications, assessments, and external data, alongside some level of visibility into cyber risk across their membership.

But incidents like this highlight a critical gap: Knowing where risk exists is not the same as acting on the risks that actually drive loss.  

The challenge isn't collecting more information—it’s understanding:  

  • Which exposures are most likely to lead to disruption  
  • Where those exposures exist across the membership  
  • And what needs to be addressed first   

Without that level of prioritization, high-risk issues can persist until they become incidents.  

In a Pooled Model, Risk Doesn’t Stay Contained 

A cyberattack like this may originate within a single entity. But in a pooled environment, the implications extend much further. The same vulnerability—whether it’s an exposed service, an unpatched system, or a misconfiguration—can exist across multiple members. That’s what makes these incidents so important. They’re not just isolated events. They’re signals. Signals that similar exposures may already exist elsewhere in the portfolio. 

The Difference Happens Before the Incident 

By the time systems are offline and external support is required, the window to prevent the issue has already closed. The reality is that many of the exposures that lead to incidents are visible in advance, but only if they’re identified, prioritized, and acted on in time.  

We’ve seen this play out differently. In one case, a school risk pool supporting 50+ districts identified a high-risk vulnerability within a member that could have resulted in a material claim. Instead, by focusing on the right issue at the right time, they avoided what could have been a $300K loss.  

The difference wasn’t more data. It was knowing where to focus and acting before it escalated.  

The Question Pools Should Be Asking Now 

Incidents like the one in Winona County reinforce a broader shift already underway. It’s no longer enough to assess cyber risk at a single point in time. 

The questions are:

  • Do we know where the most material risks exist across our membership today?  
  • Are we focusing effort on the exposures most likely to drive loss? 
  • Can we demonstrate that risk is improving over time—not just at renewal, but continuously? 

Because in a pooled environment, cyber risk isn’t isolated. And by the time it becomes operational disruption, it’s already too late to change the outcome.    

If you’re looking to move beyond point-in-time assessments and take a more proactive, portfolio-driven approach to managing cyber risk, connect with our team.