The human element of cyber risk: Why it pays to sweat the small stuff

Cyber Claims Brief Winter 2016

December 21, 2016

By Brian Weiss

This summer, Willis Towers Watson commissioned a survey of 306 risk, finance, human resources, information technology and operations decision makers to gain insight into their organizations’ cyber risk priorities. Of those surveyed, 64% indicated that human capital and employee solutions are a very important focus for cyber loss control, and 36% indicated they are a somewhat important focus. Looking at a longer horizon, 68% viewed human capital and employee solutions (which includes cyber security awareness training) as a very important future focus for their organizations.

Interestingly, those we surveyed with roles in information technology and operations were more focused on employee solutions than the other interview groups. Both groups had over 70% of participants viewing employee-related cyber risk as very important. Conversely, of those surveyed in risk and finance, only 55% deemed human capital and employee solutions a current very important focus. The results highlight the need for organizations to focus more attention and resources on the cyber risk created by employees and on their role in overall cyber risk mitigation.

In the Summer 2016 edition of the Cyber Claims Brief we noted that employees are the first line of defense for companies. We described the risk created by employees and how IOT (the internet of things), BYOD (bring your own device) policies, and the changing face of the workforce combined to accelerate that risk. The Willis Towers Watson Reported Claims Index provides additional support for this reality — the number of cyber incidents involving lost data by the negligence of employees far exceeds the number of incidents caused by bad actors.

Percentage of Claims By Breach Type

Accidental Disclosure 32.72%
Lost/Stolen Devices 21.43%
Hack 17.28%
Rogue Employee 11.52%
Third-party Breach 7.6%
Social Engineering 3%
Network Business Interruption 2.07%
Other 7.13%

Claims included within the employee error or negligence category are those involving lost laptops or mobile devices, negligent disposal of paper records with PII in an unsecured manner, or personal files accidentally sent by email to an unintended recipient. Accordingly, it’s important that organizations, especially those in the health care and education sectors, take special note of the risk caused by employee accidents and implement training and loss control measures focused on employee behavior.

Education industry - Percentage of claims by breach type (figure)

Healthcare industry - Percentage of claims by breach type (figure)

While accidental disclosures and lost devices together combine for the highest percentage of cyber incidents, the silver lining to this data is that the records lost in these claims represent less than 1% of the total records lost. To compare, hacks and third-party breaches account for approximately 90% of the total number of records lost. But that does not allay the concerns regarding employee conduct, as employees are most likely to be the source of the next cyber incident, and each incident can be costly.

Even though accidental disclosures and lost device cyber incidents generally do not result in high record loss cyber claims, the large quantity of claims may nevertheless prove costly — whether for a breach coach, legal costs, forensics or public relations — and the cost of each such incident may fall below the applicable self-insured retention (SIR) on a cyber insurance policy. Depending on the insurer, the retention may apply to the number of individuals notified, the cost of the overall incident response, or both. This means an organization will have out-of-pocket costs for each of these events. That is not to mention the lost productivity cost associated with mitigating or remedying the breach.

For companies at a higher risk of multiple, low severity employee-based incidents, it may be advantageous to procure a cyber insurance policy that provides consultative assistance from a breach coach (usually the most costly component of a low severity breach response) with no SIR.

In conclusion, the most common cyber incident that a company faces will be rooted in employee conduct, as borne out by the Willis Towers Watson Reported Claims Index. It is therefore crucial that organizations focus on the cyber risk posed by their employees and develop appropriate risk mitigation strategies, including encouraging regular security-conscious behavior and implementing continuing and regular awareness training.