The Hidden Cyber Exposure Sitting Across Your Members’ Websites
Some of the fastest-growing cyber claims aren’t caused by attacks at all. They’re driven by something far more routine: how organizations’ websites collect and share data.
In our recent white paper, Privacy Risk in 2026: An Old Problem, A Different Kind of Cyber Exposure, we explore how website tracking practices are driving a new category of claims. What’s emerging in insurance is clear: these claims are increasing in frequency, scaling across portfolios, and in some cases rivaling more common cyber losses like ransomware and data breaches.
For risk pools, this quickly becomes a portfolio issue, as the same underlying behaviors driving claims are likely happening across your members’ environments today.
This isn’t a breach problem. It’s a behavior problem.
A growing share of privacy-related claims stem from everyday website activity. Not malicious intrusion, but routine operations—the use of tracking pixels, analytics tools, and third-party services that collect and share user data.
These cases don’t depend on ransomware or system compromise. In many instances, there is no breach at all. Instead, they focus on whether organizations are collecting or transmitting data without proper user consent.
The shift matters because it changes the nature of cyber risk itself.
It’s not about a single incident, but rather how websites operate every day. A tracking pixel is added, an analytics tool is installed, a cookie banner is put in place but not fully configured. These tools often load by default, before a user has given consent, and continue operating without anyone realizing it. Because many organizations rely on the same tools, vendors, and templates, these setups tend to look very similar from one entity to the next.
Why this matters for risk pools
To understand how this risk manifests in practice, KYND analyzed 10,000 organizations across North America, examining how websites deploy tracking technologies and whether appropriate consent mechanisms are in place.
A staggering 20.2% of organizations under $1 billion in revenue exhibited zero-consent tracking. Exposure is materially higher in critical, data-intensive sectors such as Healthcare, Education, and Administrative Services, where rates exceed 30%, pointing to systemic, repeatable technical patterns.
These are the organizations that make up your membership: school districts, cities, counties, and special districts. If these patterns hold across even a portion of your membership, the exposure is unlikely to be isolated and is potentially systemic across your portfolio.
What this risk actually looks like in practice
This type of exposure doesn’t originate from sophisticated attacks or highly technical exploits. It arises from common, everyday website behavior, often implemented with good intent.
Tracking technologies may load before a user has provided consent. Cookie banners may appear compliant but fail to block underlying scripts. Consent preferences may not be properly enforced. Third-party tools—such as analytics platforms, chat widgets, or marketing integrations—may collect and transmit data in ways that extend beyond what the organization expects.
These issues are frequently introduced through default configurations or managed outside of formal IT oversight. As a result, they can persist unnoticed, even in otherwise well-managed environments.
What makes them particularly important is that they are externally observable. They can be identified by looking at how a website behaves from the outside, the same way these issues are discovered in the first place.
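An outside-in check for the patterns described above (tracking that loads before consent, and consent choices that are not enforced) can be run over a recorded request log of a single page visit. This is an added example, not KYND's methodology or code from the white paper; the log format, function names, essential-host allowlist and every hostname are assumptions constructed for illustration.

```javascript
// Constructed sample: ordered log of one page visit (t in ms). All hosts are
// made-up placeholders, not real vendors.
const SAMPLE_LOG = [
  { t: 0, type: "request", url: "https://www.member.example/" },
  { t: 120, type: "request", url: "https://cdn.member.example/site.css" },
  { t: 180, type: "request", url: "https://consent.cmp.example/banner.js" },
  { t: 210, type: "request", url: "https://pixel.adtech.example/tr?ev=PageView" },
  { t: 260, type: "request", url: "https://stats.analytics.example/collect?cid=abc" },
  { t: 4000, type: "consent", choice: "reject" },
  { t: 4100, type: "request", url: "https://stats.analytics.example/collect?cid=abc" },
  { t: 4200, type: "request", url: "https://chat.widget.example/loader.js" },
];

// Assumption: a host is first-party if it is the site domain or a subdomain.
function isThirdParty(host, siteDomain) {
  return host !== siteDomain && !host.endsWith("." + siteDomain);
}

// Flags third-party requests sent before any consent choice ("pre-consent")
// or while the latest choice is a rejection ("after-reject").
// essentialHosts: hosts the auditor treats as strictly necessary (e.g. the banner).
function auditConsent(log, siteDomain, essentialHosts = []) {
  const essential = new Set(essentialHosts);
  const findings = [];
  let state = "none"; // "none" | "accept" | "reject"
  for (const ev of [...log].sort((a, b) => a.t - b.t)) {
    if (ev.type === "consent") { state = ev.choice; continue; }
    let host;
    try {
      host = new URL(ev.url).hostname.toLowerCase();
    } catch {
      findings.push({ t: ev.t, host: null, issue: "unparseable-url" });
      continue;
    }
    if (!isThirdParty(host, siteDomain) || essential.has(host)) continue;
    if (state === "none") findings.push({ t: ev.t, host, issue: "pre-consent" });
    else if (state === "reject") findings.push({ t: ev.t, host, issue: "after-reject" });
  }
  return findings;
}

// Groups findings into { issue: [sorted unique hosts] } for reporting.
function summarize(findings) {
  const out = {};
  for (const f of findings) (out[f.issue] = out[f.issue] || new Set()).add(f.host);
  for (const k of Object.keys(out)) out[k] = [...out[k]].sort();
  return out;
}
```

The suffix match is a simplification: a site that serves first-party content from a second registrable domain needs that domain added to the allowlist, or it will be reported as third-party.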
Why this turns into insurance claims
Privacy-related claims tied to website tracking follow a different pattern than traditional cyber events.
They are often based on statutory frameworks that do not require proof of financial harm, allowing claims to scale across large user populations. This creates a model that is inherently repeatable: similar behaviors can lead to similar claims across many organizations.
In practice, most of these cases are resolved through settlement rather than litigation, meaning they may not generate the same visibility as a major breach or ransomware event. But that does not reduce their impact.
For risk pools, the effect is cumulative. This is not a single, high-severity event. It is a repeatable source of loss, emerging across multiple members, often from the same underlying issue.
Turning hidden exposure into action
This type of exposure often sits outside traditional risk management approaches. It is not consistently captured through questionnaires, not always validated in practice, and not typically monitored over time.
As a result, it can remain embedded across the portfolio without clear visibility. Until it becomes a claim.
A more proactive approach starts with understanding where exposure exists across the membership. From there, risk pools can begin to prioritize the most affected entities, address specific issues, and track progress over time.
This represents a shift from reacting to claims toward managing the conditions that create them. Not just gaining visibility, but using that visibility to drive measurable improvement across the portfolio.
A different way to think about cyber risk
Some of the most material cyber risks today are not driven by attackers. They are driven by how organizations operate—and how those operations scale across a portfolio.
They don’t trigger alerts. They don’t always surface internally. And they often remain invisible until they result in loss. But they are there.
The question for risk pools is no longer whether this risk exists. It’s: Where does it exist across your members and what are you doing about it?
If you’re interested in understanding how this exposure is reshaping cyber risk and how insurers are beginning to measure and manage it, you can explore the full analysis in our white paper, Privacy Risk in 2026: An Old Problem, A Different Kind of Cyber Exposure.
Or connect with our team directly to better understand how this type of exposure may exist across your portfolio—and what you can do about it.
