Addressing the human element in cyber risk: The HR/risk management partnership

According to the latest research by Willis Towers Watson, cyber security continues to be widely viewed as a fundamental challenge (66%) and a top priority for organizations (85%). What’s more, the 2017 Willis Towers Watson Cyber Risk Employer Survey shows that while today only 8% of organizations have embedded cyber risk management within their company culture, organizations expect this percentage to increase to 85% in the next three years — evidence that organizations are beginning to realize the role employees play in building a resilient cyber risk culture. Perhaps most important, however, only 37% of employers think risk managers and HR work closely together on cyber risk management. This needs to change.

Effective cyber risk management: it starts with your people

Willis Towers Watson’s recent cyber insurance claims data shows that two-thirds of incidents are the direct result of employee behavior – for example, negligence leading to lost devices, and malicious insiders seeking to profit from corporate espionage. When analyzing the other 33% of incidents, a large portion can ultimately be traced back to additional human factors such as talent shortages, skill deficits and employee engagement. Given these results, in order to drive a culture that creates cyber-smart employees, organizations’ human resources professionals must be brought more prominently into the conversation. HR is often the keeper of highly sensitive and confidential employee data and records that are sought after by cyber criminals, but it also plays a crucial role in employee engagement and organization culture around cyber security strategy. What’s more, HR can help identify deficiencies in talent and skills within critical roles and flag IT departments that may be creating vulnerabilities.

The CHRO: Missing in the cyber risk management process

Insurance risk managers have led and continue to lead the charge in managing cyber risk for their organizations. To their credit, they have made major strides in bringing their CISOs or CIOs along in understanding the critical role that cyber insurance plays in managing the risk. This explains the increasing involvement of CISOs/CIOs in the insurance application and procurement process. One key role that is missing in this process, however, is the CHRO. Effective cyber risk management is a team sport, and, more importantly, cyber risk begins and ends with people. Here are some ways that risk managers and CHROs can help their organizations thrive:

  • Risk managers and CHROs can work together to evaluate organization culture (e.g., training, leadership, rewards) and talent/skills deficiency issues that create cyber risk.
  • HR can help risk managers better understand the employee-related governance and procedures (e.g., employee training, social media policies) in place for managing risk.
  • Risk managers can help HR understand insurance limits, retentions, and why insurance underwriters request certain employee-related information (e.g., frequency of training, BYOD policies) in the insurance application process.
  • Risk managers and CHROs can attend cyber risk conferences together. In addition to presenting a united front, this strategy gives the two executives an opportunity to develop an integrated approach from each function’s perspective.

We’ve been nominated

The Advisen Cyber Risk Awards 2017 recently acknowledged our cyber expertise by nominating Willis Towers Watson as the “Cyber Risk Broking Team of the Year” and paid tribute to our cyber expert by nominating Peter Foster as “Cyber Risk Industry Person of the Year.” Please take 15 seconds to vote for us today! Voting closes on May 19, 2017:

  • Cyber Risk Industry Person of the Year – USA – Peter Foster
  • Cyber Risk Broking Team of the Year


Joe DePaul is Cyber/E&O Practice Leader for FINEX North America. He has focused on the cyber area for the last 15 years. Joe is responsible for the vision and for establishing the business goals of the Cyber practice. He leads the cyber business’s growth objectives and serves as a thought leader in the space.

Learn more about comprehensive cybersecurity from Willis Towers Watson.
