Key Takeaways
- Cyber‑threat literacy is the top‑ranked people risk, followed closely by technology‑skill shortages (especially in cyber and AI).
- Mindset barriers to AI adoption and mishandling of data/intellectual property also feature in the top‑10 risks identified by Marsh.
- Effective management of people‑shaped risk can boost workforce productivity, accelerate strategic initiatives (e.g., AI), and become a source of competitive advantage.
- Marsh recommends a broader, cyber‑centric approach that includes OT, HR, benefits systems, third‑party services, talent acquisition, culture building, fatigue reduction, and strong governance.
Cyber Threats Lead People Risks
The Marsh 2026 People Risks report, built on interviews with more than 4,500 HR and risk professionals across 26 global markets, ranks cyber‑related challenges at the very top of the list of people risks. “Cyber‑threat literacy” emerged as the number‑one concern, highlighting the widespread worry that employees lack sufficient understanding of cyber dangers. This finding reflects a growing recognition that human factors, rather than technology alone, are often the weakest link in an organization’s security posture.
Technology Skill Shortages Amplify Vulnerability
Closely following cyber‑threat literacy, technology‑skill shortages—particularly in cybersecurity and artificial intelligence—were cited as the third‑most frequent risk. Organizations report difficulty recruiting and retaining talent equipped to defend against sophisticated threats and to harness emerging AI tools safely. The gap between required expertise and available workforce capacity not only heightens exposure to attacks but also hampers innovation and the ability to keep pace with a rapidly evolving threat landscape.
Mindset Barriers Slow AI Adoption
Ranked sixth, “mindset barriers to AI adoption” captures a combination of limited knowledge about AI risks, insufficient awareness of mitigations, and workforce non‑compliance with emerging AI regulations and internal policies. These barriers create reluctance or misuse of AI systems, which can lead to unintended data exposures, biased outcomes, or operational disruptions. Addressing these cultural and educational hurdles is essential for organizations seeking to reap the productivity gains promised by AI while maintaining compliance and trust.
Data and IP Mishandling Persists as a Core Risk
Mishandling of data and intellectual property placed seventh in the top‑10 risks, underscoring that even with technical safeguards, human error remains a significant conduit for loss. Whether through accidental sharing, poor classification, or inadequate storage practices, such mishandling can erode competitive advantage, trigger regulatory penalties, and damage brand reputation. The persistence of this risk highlights the need for continuous training, clear data‑governance policies, and robust monitoring mechanisms.
Low Security Awareness Calls for Fresh Guidance
Despite widespread awareness of low security awareness among employees, the issue continues to affect organizations worldwide. In response, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued new guidance in January aimed at helping security teams mitigate insider risk. The guidance emphasizes proactive detection, user‑behavior analytics, and fostering a security‑conscious culture where employees feel empowered to report suspicious activity without fear of reprisal.
Business Impact Over Incident Frequency
Ed Ventham, director of broking at UK cyber‑insurance specialist Assured, cautioned that focusing solely on whether staff understand cyber risk misses the larger picture. He argued that the material impact of cyber‑related events increasingly stems from technology performance failures, system misbehaviour, or platform outages rather than traditional attacks. Such events drive business interruption, operational disruption, and tangible economic loss. Ventham urged boards to prioritize preparedness—understanding how swiftly incidents translate into lost revenue, contractual exposure, and balance‑sheet impact—rather than merely counting incidents.
People‑Shaped Risk Management as a Competitive Advantage
The Marsh report contends that effective management of people‑shaped risk can become a source of competitive advantage. Survey results showed that 40 % of respondents who successfully mitigated these risks reported increased workforce productivity and efficiency, while 36 % noted faster progress on strategic initiatives such as AI adoption. Hervé Balzano, president of health and benefits at Mercer, reinforced this view, stating that in 2026 organizational resilience will depend on investing in people: building the right skills, supporting health and financial security, and redesigning work so humans and technology can perform optimally together.
Marsh’s Recommendations for a Holistic Cyber‑Centric Approach
To better manage the risks associated with human error, Marsh offered a set of actionable recommendations. Organizations should reframe cyber risk to encompass broader domains, including operational technology (OT), HR and benefits systems, and third‑party services. Conducting thorough cyber‑risk planning helps identify potential exposures before they materialize. Recruiting talent with strong cybersecurity competencies is essential, as is cultivating a cyber‑centric culture where security concerns are openly heard and every employee understands their responsibilities. Reducing fatigue and stress—factors that can cause staff to lower their guard—is another key lever. Finally, ensuring robust human oversight of critical systems, backed by strong governance and appropriate insurance coverage, completes a resilient risk‑management framework.