Addressing the human element in cyber risk
According to the latest research by Willis Towers Watson, cyber security continues to be widely viewed as a fundamental challenge (66%) and a top priority for organizations (85%). What’s more, the 2017 Willis Towers Watson Cyber Risk Employer Survey shows that while today only 8% of organizations have embedded cyber risk management within their company culture, organizations expect this percentage to increase to 85% in the next three years — evidence that organizations are beginning to realize the role that employees play overall in building a resilient cyber risk culture. Perhaps most important, however, only 37% of employers think risk managers and HR work closely together on cyber risk management. This needs to change.
Our recent Willis Towers Watson cyber insurance claims data show that two-thirds of incidents are the direct result of employee behavior — for example, negligence leading to lost devices and malicious insiders seeking to profit from corporate espionage. When analyzing the other 33% of incidents, a large portion can ultimately be traced back to additional human factors such as talent shortage, skill deficits and employee engagement. Given these results, in order to drive a culture that creates cyber smart employees, organizations’ human resources professionals must be brought more prominently into the conversation. HR is often the keeper of highly sensitive and confidential employee data and records that cyber criminals seek, but it also plays a crucial role in employee engagement and organization culture around cyber security strategy. What’s more, HR can help identify deficiencies in talent and skills within critical roles and flag IT departments that may be creating vulnerabilities.
Insurance risk managers have led and continue to lead the charge in managing cyber risk for their organizations. To their credit, they have made major strides in bringing their CISOs or CIOs along in understanding the critical role that cyber insurance plays in managing the risk. This explains the increasing involvement of CISOs/CIOs in the insurance application and procurement process. One key role that is missing in this process, however, is the CHRO. Effective cyber risk management is a team sport, and, more importantly, because cyber risk begins with and ends with people, here are some ways that risk managers and CHROs can help their organizations thrive:
• Risk managers and CHROs can work together to evaluate organization culture (e.g., training, leadership, rewards) and talent/skills deficiency issues that create cyber risk.
• HR can help risk managers better understand the employee-related governance and procedures (e.g., employee training, social media policies) in place for managing risk.
• Managers can help HR understand insurance limits, retentions, and why insurance underwriters request certain employee-related information (e.g., frequency of training, BYOD policies) in the insurance application process.
• Risk managers and CHROs can attend cyber risk conferences together. In addition to presenting a united front, this strategy gives the two executives an opportunity to develop an integrated approach from each function’s perspective.
Willis Towers Watson is a leading global advisory, broking and solutions company that helps clients around the world turn risk into a path for growth. With roots dating to 1828, Willis Towers Watson has 40,000 employees in more than 140 countries. For more information, please write to Leah Denoga at leah.denoga@willistowerswatson.com, call 9020731 or visit www.willistowerswatson.com