The cyber space saw numerous developments during 2019, including new privacy regulations, systemic ransomware claims and increasing concern surrounding non-affirmative cyber in the underwriting community. Looking toward the remainder of 2020, Guy Carpenter sees a number of emerging trends that present both potential challenges and opportunities for our clients, particularly as they relate to COVID-19.
The human resources (HR) function has become integral to organizational cyber risk management in recent years. Along with information security/information technology (InfoSec/IT), HR is increasingly called upon to help determine and enforce employee data permissions, train and enforce cybersecurity policies and procedures and help respond to cyber events involving employees, according to a recent report from Guy Carpenter-affiliate Marsh JLT Specialty.
HR’s increased involvement is due to a convergence of factors, including: a more active regulatory environment, the pervasive use of technology and devices in employees’ work, and recognition of the importance of a strong organizational cybersecurity culture.
Employees’ data and security practices are critical determinants of an organization’s overall cybersecurity. Almost two-thirds (62 percent) of executives say the greatest threat to their organization’s cybersecurity is employees’ failure to comply with data security rules, not hackers or vendors, according to Mercer’s 2020 Global Talent Trends Study.
Yet HR is not typically a primary owner or driver of cyber risk management, as found in Marsh and Microsoft’s 2019 Global Cyber Risk Perception Survey. The great majority (88 percent) of companies continue to delegate cyber risk first and foremost to InfoSec/IT, followed by the C-suite, risk management, legal, and finance.
This needs to change. A strong partnership between InfoSec/IT and HR is essential for managing data and technology risk, particularly in a remote-working environment.
Guy Carpenter’s Cyber Global Center of Excellence is actively following and responding to significant developments in the cyber risk sphere and helping clients adapt to evolving technologies.