Why HR is a Key Stakeholder in Cyber Risk Management

The human resources (HR) function has become integral to organisational cyber risk management in recent years.

Along with information security/information technology (InfoSec/IT), HR is increasingly called upon to help determine and enforce employee data permissions, train employees on and enforce cybersecurity policies and procedures, and help respond to cyber events involving employees.

HR's increased involvement is due to a convergence of factors, including: a more active regulatory environment, the pervasive use of technology and devices in employees’ work, and recognition of the importance of a strong organisational cybersecurity culture.

Employees' data and security practices are critical determinants of an organisation's overall cybersecurity. Almost two-thirds (62%) of executives say the greatest threat to their organisation's cybersecurity is employees' failure to comply with data security rules, not hackers or vendors, according to Mercer's 2020 Global Talent Trends Study.

Yet HR is not typically a primary owner or driver of cyber risk management, as found in Marsh and Microsoft's 2019 Global Cyber Risk Perception Survey. The great majority (88%) of companies continue to delegate cyber risk first and foremost to InfoSec/IT, followed by the C-suite, risk management, legal, and finance.

This needs to change. A strong partnership between InfoSec/IT and HR is essential for managing data and technology risk, particularly in a remote-working environment.

Please download the latest insight for more detail on the four key areas where the evolving regulatory and cyber risk landscapes are changing HR's role.