Cyber Risks Expose Organizations to Increased Threats

“The real issue isn’t just whether people understand cyber risk, it’s how things play out when something goes wrong,” Ed Ventham told Infosecurity — a blunt summation that sits at the center of Marsh’s new 2026 People Risks report and the conversation it has provoked among insurers, benefits specialists and security practitioners.

Marsh survey: cyber ranks first among people risks

Marsh compiled its 2026 People Risks report from interviews with more than 4,500 HR and risk professionals across 26 global markets. The headline finding: cyber-related challenges dominate the top 10 people risks. “Cyber-threat literacy” placed first on the list. Technological change and disruption was cited most frequently across the top 10, and tech skills shortages — including cyber and AI talent gaps — were ranked third.

Specific risks in the top 10: where people and technology collide

The report details several human-shaped exposures that can elevate organisational cyber risk. Mindset barriers to AI adoption placed sixth; Marsh defined this to include limited knowledge of AI risks and mitigations, and workforce non-compliance with AI regulations and policy. Mishandling of data and intellectual property sat at seventh. Marsh concluded that these factors can together increase the likelihood of cyber-attacks and breaches, blunt competitiveness, erode the ability to keep pace with threat evolution, and damage reputation and trust.

From awareness to the business impact — Assured’s warning

Ed Ventham, director of broking at UK cyber-insurance specialist Assured, argued that the emphasis on literacy understates the commercial consequences of failures in technology and people. “Increasingly, the material impact isn’t necessarily a traditional cyber-attack; it can be a failure in technology performance, systems not behaving as expected or platforms going down,” he told Infosecurity. Those incidents bring business interruption, operational disruption and “real economic loss,” he said, and boards must focus not just on incidents themselves but on preparedness — how quickly incidents translate into lost revenue, contractual exposure and balance sheet impact.

Marsh’s prescriptions: reshape cyber risk around people and systems

Marsh set out concrete recommendations for reducing people-shaped cyber risk. Key steps include reframing cyber risk to encompass broader domains such as operational technology (OT), HR and benefits systems, and third‑party services; conducting cyber-risk planning to identify exposures; recruiting talent with strong cybersecurity skills; and creating a cyber-centric culture in which security concerns are heard and all staff understand their responsibilities.

  • Address workforce causes of fatigue and stress that can lead employees to drop their guard.
  • Maintain human oversight of critical systems, supported by robust governance and insurance cover.

The report also referenced recent practical guidance: the US Cybersecurity and Infrastructure Security Agency (CISA) released new guidance in January aimed at helping security teams mitigate insider risk, underscoring that low security awareness among employees remains a persistent global problem.

Hervé Balzano and the competitive case for investing in people

Marsh argued that effective management of people-shaped risk can be a competitive advantage. Some 40% of respondents who managed these risks said they increased workforce productivity and efficiency, while 36% said they achieved faster progress on strategic initiatives such as AI adoption. Hervé Balzano, president of health and benefits at Mercer, summarised the link between resilience and workforce investment: “In 2026, resilience depends on how well organisations invest in their people: building the right skills, supporting health and financial security, and redesigning work so humans and technology can perform at their best together.”

What this means for technologists, policymakers, and enterprise leaders

  • Technologists and security teams: watch broader attack and failure surfaces — OT, HR, benefits platforms and third parties — and prioritise human oversight plus rehearsed business‑impact responses rather than only awareness campaigns.
  • Policymakers and regulators: note workforce non‑compliance with AI regulations and the CISA January guidance on insider risk as signals to pair technical standards with workforce guidance and oversight mechanisms.
  • Enterprise leaders and boards: shift emphasis from awareness metrics to preparedness for operational failures and the financial consequences Ventham highlighted — lost revenue, contractual exposure and balance sheet impact — and invest in hiring, governance and insurance to close the gap.

Marsh’s findings reflect a simple, consequential truth: understanding cyber risk is necessary but not sufficient. Organisations that pair literacy with systems‑level planning, human oversight and attention to workforce wellbeing are the ones Marsh’s data suggests will be better positioned to convert risk management into productivity and strategic progress. The remaining question, implicit in the report’s statistics and the practitioners’ comments, is whether boards will move resources from awareness programs to the operational and financial preparedness Ventham and Marsh say matters most.