By Cary Evans, TPG’s Director of Data Analytics and Risk Management

Originally published by the Association of Oregon Counties, 10/29/25

As a commercial insurance broker specializing in public entities, we often hear a familiar refrain: “We don’t handle sensitive data directly, our vendors do.” Whether it’s a county outsourcing tax payment processing, a city using a cloud provider for record storage, or a school district contracting payroll to a third-party app, many organizations believe that shifting operations to vendors also shifts the cyber risk. Unfortunately, that assumption can be costly and dangerous.

Third-Party Reliance Doesn’t Eliminate Liability

When a public entity uses outside vendors for IT, billing, data management, or any other online activity, the exposure doesn’t disappear. Most contracts with third-party providers include liability limitations and hold-harmless clauses that protect the vendor, not the municipality or district. If a vendor’s system is breached and residents’ personal data is exposed, your entity will likely still bear the brunt of public scrutiny, notification obligations, regulatory fines, and legal costs. Even if the vendor bears the costs of repairing data, your organization may be unable to provide essential services for weeks or months. Recovery time after a ransomware attack ranges from three weeks to many months.

You can outsource operations, but you can’t outsource accountability. Cyber insurance ensures that when a vendor fails, your services remain financially protected. Most policies also provide forensic and IT experts and communications professionals to get services up and running as soon as possible, with appropriate public and internal communications.

Real-World Example: Business Interruption From Vendor Outage

Consider a regional water district that relied on a third-party software vendor to manage billing and service requests. When the vendor’s servers were hit by ransomware, the district couldn’t issue bills for over six weeks. The disruption didn’t occur on their own network, but the result was the same: lost revenue, overtime for manual workarounds, and reputational damage.

A well-structured cyber policy covers these business interruption losses, even when caused by a third-party service provider. Without that coverage, the district must absorb the financial hit while still fielding angry calls from residents.

Phishing: The Human Element

Cyber incidents are often sophisticated, but the way bad actors gain access is often very basic and relies on human error or psychology. One small Oregon city fell victim to a phishing attack in which an employee received an email appearing to be from a vendor requesting updated banking information. Payments were redirected to a fraudulent account for nearly a month before detection. The funds were unrecoverable.

This is a classic case of social engineering, a coverage extension under most cyber policies. Even well-trained staff can make mistakes under pressure. Cyber insurance helps recover the financial losses from these scams and can also cover forensic investigation, notification, and legal response.

Public Entities Are Prime Targets

Public institutions maintain large databases of personal information, often with lean IT resources and outdated infrastructure. Hackers know that municipalities and school districts can’t afford extended downtime, making public entities prime targets for ransomware and extortion.

Even if your entity uses a vendor for email, payroll, and data storage, you’re still responsible for ensuring the continuity of essential services and protecting constituent data. Cyber insurance fills the gaps that neither general liability nor vendor agreements address.

The Bottom Line

Third-party vendors play a vital role in modern government operations, but they are not your safety net. A single breach, outage, or phishing attack can ripple across essential services, disrupt budgets, and erode public trust. Cyber insurance is a fundamental layer of protection for every public entity, regardless of size or sophistication. The Partners Group specializes in providing this coverage to match and protect your needs.