Most organizations still talk about cyber risk as if it were primarily a technology problem. Firewalls, endpoint protection, and incident response playbooks dominate the conversation. Yet in HUB International’s 2026 outlook webinar, one data point cut through the noise:
“If you look at the data, 67% of successful cyberattacks actually involve employee action,” said Faizal Mitha, the company’s chief innovation officer.
In other words, the workforce itself has become a critical driver of complex risk – an interconnected set of exposures that span cyber, operational, regulatory, and reputational domains.
When cyber incidents, regulatory breaches, or operational failures hit the headlines, the narrative usually centers on systems and controls. But in practice, it is frequently human behaviour that determines whether a threat becomes an incident: a phishing email only succeeds if someone acts on it.
“You have these stressed, exhausted employees who have a higher likelihood to make mistakes, which then leads to a higher likelihood they click a phishing email or reuse passwords or ignore security warnings or don’t give full attention to their cyber risk training, if that exists,” Mitha explained.
That reality turns “people risk” from a soft HR talking point into a hard driver of complex risk across the enterprise. The same human factors that enable a cyber intrusion also sit behind safety shortcuts, fraud, wrongful termination claims, conduct failures, and reputational damage.
Yet very little of this shows up cleanly in the risk reports going to boards, leaving organizations with a blind spot in their understanding of complex exposures.
HUB’s research highlights just how far this human vulnerability extends.
“When you have a workforce productivity drop because 49% of your employees are financially stressed and losing 15 hours a month to financial worry, that will cost your organization $2 million to $3 million annually for a midsize organization, but it’s invisible,” Mitha said.
“Invisible” is the operative word. These losses rarely appear as line items under risk. Instead, they show up as assumptions - that people are less engaged, that targets aren’t being met - rather than quantified exposures that can be tracked, discussed, and managed.
Mental health trends tell a similar story.
“Almost 40% of long-term disability claims are now driven by mental health as the primary driver,” Mitha noted. This is not just a benefits cost issue; it is a signal of operational fragility, succession risk, and potential employment practices liability insurance (EPLI) exposure if struggling employees are poorly managed out of the business.
Despite this, “only 15% of organizations recognize that risk management is a shared responsibility across all employees. So that creates not just a missed opportunity, but also a lot of exposure.”
Mitha explained that the main structural problem is organizational: HR manages benefits and retirement, risk handles cyber liability and property, finance tracks costs, but no one really owns the integration - the area where much of the human capital risk actually exists.
He gave a concrete example of a 2,000-employee manufacturing firm that asked HUB for help with rising costs. When HUB ran a workforce persona analysis on the firm’s HR data, it found nearly 900 employees in a segment HUB calls “founders.” These were long-tenured, generally older employees, and their age distribution corresponded closely with higher-than-benchmark drug costs.
The incoming generation looked very different, he said. The persona segment intended to replace the aging workforce consisted mostly of what HUB identifies as “new entrants,” who were generally in a financially fragile state.
Management initially considered trimming basic dental coverage to cut costs, but Mitha cautioned that for new recruits living paycheck to paycheck, reducing benefits would create problems. Viewed through a traditional HR or finance lens, the change seemed like a simple plan adjustment, but from an integrated risk perspective, it could threaten recruitment, retention, productivity, and ultimately operational resilience.
Mitha’s core argument is that once human capital risk is properly quantified, “human capital risk can look like any other enterprise risk and really belongs in your ERM framework.”
He explained that achieving this requires treating benefits, retirement, and wellbeing programs as deliberate risk controls rather than discretionary perks. Organizations that have reached this level of risk maturity deploy their programs with KPIs and use them strategically to manage risk.
People risk is real, quantifiable, and a critical driver of complex risk across the enterprise, Mitha concluded.
Organizations that fail to measure, monitor, and manage these risks are leaving a blind spot in their ERM framework – one that is increasingly visible to regulators, boards, and insurers, and one that carries real financial, operational, and strategic consequences.