
Human Resources’ Increasing Role in Cyber Risk Management


The Human Resources function has become integral to organisational cyber risk management in recent years due to a convergence of factors: an increasingly active regulatory environment, the pervasive use of technology and devices in employees’ work, and recognition of the importance of a strong organisational cybersecurity culture. HR is increasingly called upon to take a lead role, alongside IT/InfoSec, in determining and enforcing employee data permissions, in training employees on the organisation’s cybersecurity policies and procedures and enforcing them, and in helping to respond to cyber events that involve employees.

Employees’ data and security practices are critical determinants in an organisation’s cybersecurity posture: two in three executives in a Mercer survey say the greatest threat to their organisation’s cybersecurity is employees’ failure to comply with data security rules.

Given that HR is in the people business, it should logically be a consistent key stakeholder in managing organisational cyber risk. However, the majority of companies say HR is not a primary owner or driver of cyber risk management: 88% of companies continue to delegate cyber risk first and foremost to IT/InfoSec, followed by the C-suite, Risk Management, Legal, and Finance.

That needs to change; HR should play a central role in organisational cyber risk management. HR also needs a strong partnership with IT/InfoSec to effectively manage data and technology risk, particularly in the remote working environment. The two functions’ roles should be closely aligned, with both actively involved in managing their organisation’s evolving technology and data infrastructure.

In this article, we explore three key areas where the evolving regulatory and cyber risk landscapes are changing the role of HR in cyber risk management:

  • Privacy regulation compliance
  • Employee data controls and access
  • Cybersecurity culture
