“The past 10 years have seen dramatic changes in HR and benefits technology (HRBT) caused by a shift in the needs of the workforce and their rising expectations.” The authors share advice on aligning HRBT with the organization’s human capital management strategy by efficiently navigating the rise of options, and effectively protecting employee data from cybersecurity risks.

This article is an excerpt from the 2018 Human Capital Insights Report. Download the report for more insights on building and sustaining a healthy workplace culture that drives individual and organizational performance.

Many human resource leaders have a conflicted relationship with HR and benefits technology (HRBT) that can prove to be either a boon or bust. The past 10 years have seen dramatic changes in HRBT caused by a shift in the needs of the workforce and their rising expectations, which are creating new challenges for employers.

Key trends include employees’ demands for easy-to-use technology and a personalized experience, the growth of telecommuting, and the emerging gig economy characterized by temporary, flexible jobs. Related to this trend is the serious and constant threat of employee data cyber theft. And surrounding all of these developments is a surge in the number of available vendors and products that can touch every facet of employers’ interactions with employees “from hire to retire.”

Each development marks a fundamental shift in the HRBT management paradigm. Taken together, they indicate a new reality: the strategic management of the HRBT stack has become essential to successful HR leadership.

Navigating the proliferation of HRBT
Over the last decade, there has been a rapid proliferation of new HRBT service providers and offerings. Among these advanced options are many useful tools for streamlining and enhancing processes that help employers engage, support and manage their employees. However, amidst all the excitement, they’re also dealing with some negative consequences of the HRBT boom. Staying current on new capabilities and their potential value for HR operations is difficult. And updates for installed systems — which are often automatic — may deliver new functionality that the HR team may be unaware of, leading to underutilization and potential duplication. Caught in the crush of salespeople pushing a slew of innovative products, it can also be easy to lose sight of underlying business objectives.

On the IT side of the equation, integration has become an increasingly complex challenge with no right answers — just a set of trade-offs that the HR team needs to understand. Selecting best-inclass solutions will usually deliver better stand-alone functionality but may come with major integration complications. With so many new HRBT vendors, employers should remember they’re purchasing an ongoing relationship. They need to know a company before committing, including the vendor’s support philosophy

Supporting a flexible workforce
As the nature of work changes along with workforce needs, employees will increasingly insist on having the flexibility to work from home — and elsewhere. There’s already an expectation among workers that HR systems and processes should accommodate their demands. Also, for employers starting to participate in the gig economy, there’s another layer of challenges to resolve. Because this labor market relies more heavily on temporary or part-time employees, even for core enterprise functions, employers are required to track contractors’ availability, schedule their work and support time-keeping. As an example, these capabilities can be critical for ensuring that employees with variable hours per week don’t cross thresholds for mandated benefits.

Meeting employees’ changing expectations for HRBT functionality 
Employees have come to expect that any application they use will provide ease of use and personalization at a level that’s similar to smart phones. As digital natives, millennials tend to expect a more advanced experience — including a recruiting app that measures up to their standards.

Protecting employee data from heightened
cybersecurity threats
When asked why he robbed banks, Willy Sutton reportedly said, “That’s where the money is.” Today, when sensitive personal information can easily be sold on the dark web, HR information systems are vulnerable to becoming “banks” for cyber thieves. Possible data loss can range from a misaddressed email that exposes one employee’s or applicant’s information to massive data breaches affecting thousands. Unfortunately, no employer with HRBT is free of this risk.

A serious breach, if it happens, is more than an inconvenience. Employees’ lives will almost certainly be disrupted and the bonds of trust with their employer may be eroded. This predicament can also subject the organization to legal and regulatory risk, and possibly create a crisis situation that needs to be adeptly and efficiently managed.

For HR leaders, making prevention the first imperative requires working with corporate IT to put safeguards in place. They should have clear sight into how data is collected, held and classified, who has access and which laws apply. Investing in enterprise-wide technology is critical to recognizing cyber attacks and stopping them when they occur. And implementing and periodically testing a disaster recovery plan that includes employee benefits leaves the response team well prepared.

However, in many cases the greatest vulnerability to cyber theft is the HR team itself. “Phishing” and other social engineering techniques have become very sophisticated, and can easily fool unwary team members into divulging information that give thieves access to sensitive data. One of the best protections is thorough training for both HR staff and employees.

Employers should be prepared to respond immediately in the event of a breach, and first steps often include determining its nature and extent by conducting a forensic analysis. For good reason, there’s a reluctance to inform employees about an incident until questions can be clearly answered, but an investigation may take weeks to complete. Rumors circulating among employees during that timeare likely to raise concerns — and an apparent lack of transparency can be damaging. To minimize fallout, the top priority for employers should be engaging a lawyer who is an expert on cybersecurity breaches ofpersonnel data. That individual can guide appropriate decisions about other steps in the process, including who to inform about the data breach and when.

Finally, it’s important to comply with regulations and privacy laws that apply to employee data. U.S. employers are familiar with the Health Insurance Portability and Accountability Act, but unless they’re global they may not be as familiar with the General Data Protection Regulation (GDPR) of the European Union. This law affects U.K. and E.U. residents even when they’re employed in the U.S. Looking ahead, some cutting-edge features of GDPR — such as the “right to be forgotten” — are likely to become more common worldwide.

Ultimately, the goal is to align HRBT with the organization’s human capital management (HCM) strategy. First, decision makers should clearly define their HCM strategy. Then they should window-shop before they purchase by attending an event that provides exposure to the range of technology options available today. The next step is to create an HR technology governance committee to maintain the HRBT strategy, including staying on top of current releases

Alongside the committee, employers should put both a cybersecurity plan and incident response plan in place. An effective cybersecurity plan includes training for HR staff on phishing tactics and other risks, and an incident response plan lays out the required internal responsibilities and sequence of actions necessary. The response plan also needs to identify external management experts and their indispensable roles. They include legal, forensic, notification, public relations and communications, and credit monitoring resources.

About the authors

Adam Cottini
Managing Director, Cyber Liability Practice
Adam is responsible for the overall direction of the Cyber Liability Practice, including development of advanced solutions, insurance gap analysis, risk exposure analysis, risk modeling, benchmarking and best practices implementation. He has provided cyber risk management brokerage and consulting services for over 10 years.

Rhonda P. Marcucci
Vice President, HR & Benefits Technology Consulting
Rhonda co-leads a team of consultants who provide unbiased, wellresearched and client-tailored HR and benefit administration technology sourcing advice and service provider capability audits. Their knowledge and expertise ensures a best-fit match between employer needs and available solutions across eight market sectors.

Petula Workman
Division Vice President, Compliance Counsel,
Legislative Compliance Consulting
Petula is responsible for developing compliance resources and tools, and educating clients on how to interpret and address complex legislative requirements affecting employee benefits. Her broad legislative and regulatory expertise encompasses PPACA; HIPAA, including Privacy and Security; and day-to-day compliance issues.

Consulting and insurance brokerage services to be provided by Gallagher Benefit Services, Inc. and/or its aliate Gallagher Benefit Services (Canada) Group Inc. Gallagher Benefit Services, Inc. is a licensed insurance agency that does business in California as “Gallagher Benefit Services of California Insurance Services” and in Massachusetts as “Gallagher Benefit Insurance Services.” Neither Arthur J. Gallagher & Co., nor its aliates provide accounting, legal or tax advice.