<img height="1" width="1" style="display:none;" alt="" src="https://px.ads.linkedin.com/collect/?pid=8926796&amp;fmt=gif">
Skip to content
Let's Talk

Managing Cyber Risk Without Operational Overload: What Public Entities and Pools Need to Rethink

Cyber risk is not new to public entities. Cities, counties, schools, special districts, and public entity pools have been dealing with cyber as an insurance, operational, and governance concern for years.

But the nature of the challenge is changing.

At PRIMA 2026, one theme surfaced repeatedly in conversations with risk professionals across the public sector: organizations understand cyber matters, but many are struggling to determine where to focus limited time and resources.  

In conjunction with the conference, KYND's Vice President and Head of North America, Ben Duffy, joined PRIMA's podcast, Connected Risk: Exploring the New Realities of Public Sector Cyber Threats, to discuss these evolving challenges and what they mean for public entities and risk pools.

At the center of that conversation was a simple but important question: how can public entities make meaningful progress without creating operational overload?

The discussion highlighted several realities reshaping cyber risk management across the public sector.  


Cyber is not just technical. It is a moving exposure problem.

Public-sector risk managers are accustomed to managing complex risks. Property, workers’ compensation, liability, and fleet all require structure, data, judgment, and long-term discipline.

Cyber is different because the exposure can change almost overnight.

A newly exploited vulnerability, misconfigured system, vendor incident, or widespread technology issue can rapidly alter an organization’s risk profile. The challenge is not simply that cyber threats are increasing. It is that the underlying exposure is constantly changing—and is often difficult to fully see.

That matters because risk leaders are increasingly accountable for the consequences of cyber events, even when the root exposure sits outside their direct control.

Public entities now rely on a broad ecosystem of cloud providers, learning management systems, payroll platforms, payment systems, managed service providers, and other third-party technologies. These relationships are essential to delivering public services, but they also create dependencies that traditional risk management processes were not always designed to monitor continuously.

The risk manager may not own the system, manage the vendor, or control the exposure. But when something goes wrong, they are often involved in the operational, financial, insurance, legal, and communication consequences.

That is why cyber is becoming less of a purely technical issue and more of an enterprise risk governance issue. 

Vendor incidents are becoming shared exposure events.

Recent incidents involving widely used platforms such as Canvas are a reminder of how interconnected public-sector cyber risk has become.

When a platform like Canvas is impacted, the immediate questions are practical: Are we affected? What information may have been exposed? Do we need to communicate with students, parents, staff, boards, or members? What should we do now?

For an individual public entity, that creates pressure and uncertainty. Even if the vendor is leading the technical response, the organization still has to understand its exposure, communicate appropriately, and determine what follow-up action is required.

For a pool, the challenge is broader.

A pool may have dozens or hundreds of members relying on the same vendors, systems, or technology ecosystems. A single third-party incident can quickly become a portfolio question: Which members may be affected? Where is exposure concentrated? Are there common dependencies across the membership? Where should limited attention be focused first?

This is where public-sector cyber risk starts to look less like an isolated technology problem and more like an aggregation problem—one event, one vendor, one platform, or one widely exploited vulnerability creating concern across many organizations simultaneously.

The answer is not to panic every time a vendor has an incident. It’s to build enough visibility and preparedness to move quickly from uncertainty to prioritization. 

The best cyber programs are not doing everything. They are focusing better.

One of the biggest misconceptions in cyber risk management is assuming that progress means doing more.

Most public-sector teams are already stretched. Risk teams are lean. IT teams are lean. Budgets are constrained. Staff are already managing insurance renewals, claims, compliance, vendors, board reporting, and day-to-day operations.

So if the message is simply “do more cyber” it is unlikely to succeed.

The public entities and pools making the most progress are not necessarily doing everything. They are doing a better job of focusing.

They are taking a noisy environment—assessments, vulnerabilities, alerts, vendor issues, insurance requirements, audit findings, and board questions—and turning it into a manageable set of priorities. Questions such as:

  • What could create the greatest operational or financial impact?
  • What could affect insurability?
  • Which members or departments have the least capacity to respond?
  • What can realistically be acted on with the resources available? 

Those are governance questions, not purely technical questions.

For pools, this is especially important because not every member has the same cyber risk profile or the same capacity to improve. A large city or school district may have internal IT and security resources, while a smaller district or town may have very limited support.

Treating every member the same can create overload for the pool and frustration for members. A more effective approach is to identify where risk is highest, where support is most needed, and where intervention can have the greatest impact across the membership.

That is where visibility becomes valuable—not as another dashboard or report, but as a way to decide what to do next.

A practical example is SCSBIT, where visibility into a critical zero-day exposure helped identify a specific issue at a member district and support a quick response.

That kind of targeted action matters because it turns a fast-moving cyber issue into something specific and manageable: the affected member, the relevant exposure, and the practical action required. In that case, it helped avoid what could have become a significant loss event.

That is what good cyber governance should do. It should reduce noise, focus attention, and help teams act before a risk becomes a claim. 

Cyber governance cannot only happen at renewal.

For many public entities, cyber has historically come into focus during insurance renewal, after an incident, or when an application needs to be completed.

Those moments still matter. But they are no longer enough.

Cyber exposure changes too quickly for governance to remain a point-in-time exercise. If an organization only understands its cyber posture once a year, it may miss the issues that emerge in between: new vulnerabilities, exposed systems, vendor incidents, changes in controls, or shifts in insurer expectations.

The future of public-sector cyber risk management is more continuous.

That does not mean public entities need to build cyber operations teams. It means cyber needs to become part of the normal governance rhythm of the organization or pool.

For a single public entity, that may mean regularly asking: Where are we most exposed? What systems or vendors matter most to operations? What could affect our insurance position, and are we improving over time? For a pool, it may mean asking: Where is exposure concentrated across the membership? Which members need support? What patterns are emerging? How can we demonstrate progress to leadership, boards, members, and insurers?

This is the role risk leaders are increasingly being asked to play. They are not replacing IT or cybersecurity professionals. Rather, they are helping bring cyber into the same enterprise risk framework used for other major exposures: visibility, oversight, prioritization, action, and evidence of improvement. 

 

A practical path forward

Public entities and pools do not need to solve every cyber challenge at once, nor do they need to build cyber operations teams.  

What they do need is a practical framework for understanding exposure, prioritizing action, and demonstrating measurable progress over time.  

Cyber risk will continue to evolve, and expectations from leadership, members, and insurers will continue to rise. Organizations that succeed will be those that embed cyber into existing governance rhythms, focus resources where they matter most, and steadily strengthen resilience over time.  

The future of public-sector cyber risk management is not about perfect security. It is about making informed, sustainable progress.