Data Privacy & Cybersecurity: Cybersecurity
We have implemented technologies and tools to evaluate our cybersecurity protections and maintain a cyber risk management strategy related to our technology infrastructure that includes monitoring emerging cybersecurity threats and assessing appropriate responsive measures.
Policy & governance
Travelers maintains cybersecurity policies and standards that align with the International Organization for Standardization (ISO) 27001 standard and the National Institute of Standards and Technology (NIST) Cybersecurity Framework. Our cybersecurity policies and standards have been developed in collaboration with groups across the enterprise, such as Legal, Compliance, Technology and each of our business segments. Our policies include, for example, Information and System Use policies for employee and non-employee system users. These policies reinforce the data privacy and protection sections of our Code of Business Conduct and Ethics.
We perform an annual cybersecurity risk and control assessment as part of the Enterprise Risk Management team’s risk assessment processes. Our CISO and the Chief Financial Officer of the company’s Technology group review and approve the cybersecurity assessment. Our Chief Technology & Operations Officer reviews and approves the list of emerging, strategic and transformative risks upon which the Enterprise Risk Management team’s cybersecurity risk and control assessment processes are based. In addition, as part of their regular responsibilities, our Governance, Risk and Compliance officers within the Technology and Cybersecurity groups assess technology and cybersecurity risks by leveraging our risk framework related to technology and cybersecurity, which aligns with our enterprise risk management strategy.
On an annual basis, under the direction of our Chief Risk Officer, the company’s Technology, Cybersecurity and Business Resiliency groups also participate in the enterprisewide Own Risk and Solvency Assessment (“ORSA”), which outlines identified risks and describes the controls in place across the company to address those risks. The ORSA is reviewed with our lead regulator, the State of Connecticut Department of Insurance, which in turn performs periodic financial examinations, including a technology control assessment.
Technology
Travelers uses certain technologies and tools, as appropriate, to enhance cybersecurity, such as multifactor authentication, encryption, firewalls, intrusion detection and prevention systems, endpoint detection and response, vulnerability scanning, penetration testing, patch management, and identity and access management systems. These systems are designed, implemented and maintained with the goal of identifying, assessing and managing cybersecurity risks.
In addition, our CISO and Cybersecurity team are actively engaged within the cybersecurity community in order to monitor emerging trends and developments and share best practices for identifying and mitigating cyber threats. For example, we participate in threat intelligence information-sharing networks, such as the Financial Services Information Sharing and Analysis Center (FS-ISAC). We also track industry and government intelligence sources for information about evolving cyber threats and deploy updates to our systems as appropriate. Additionally, the company’s Cybersecurity team monitors and investigates suspicious events.
As the workforce, the work environment and the threat landscape continue to evolve, Travelers seeks to evaluate related risks and implement appropriate controls.
Training & awareness
To help manage risk related to potential cybersecurity threats, as part of our annual Code of Business Conduct and Ethics training, all Travelers employees receive data protection and privacy training, which focuses on the need to appropriately protect and secure confidential company information. Additionally, we provide annual security awareness training that covers a broad range of security topics. We also provide regular targeted training on topics such as AI-related risks, phishing and secure application development, among others. In addition to online training, we provide employees with cybersecurity information through a number of different methods, including awareness campaigns, gamified activities, recognition programs, security presentations, intranet articles, videos, system-generated communications, email publications and various simulation exercises.
Third-party relationships
As part of our supplier risk management program, using a risk-based approach, the Cybersecurity team conducts formal risk assessments with respect to certain of our third-party service providers. The assessment process addresses aspects of the service providers’ data security controls and policies. The team also conducts reassessments of its third-party service providers, the frequency of which is determined based on a risk assessment and rating process.
Where appropriate, Travelers seeks to incorporate contractual language with third-party service providers that includes clear terms involving the collection, use, sharing and retention of user data, as well as compliance with appropriate security terms.
Additionally, our Procurement group has a framework to help identify and mitigate supplier risks, as well as enable management to make risk-informed decisions.
Incident response
Travelers has a Security Incident Response Framework (Framework) in place. The Framework comprises a set of coordinated procedures and tasks that the Travelers Incident Response team, under the direction of the CISO, executes with the goal of ensuring timely and effective resolution of cybersecurity incidents. To maintain the robustness of the Framework, Travelers conducts cybersecurity tabletop testing exercises from time to time.
Compliance
Travelers performs regular self-assessments against our internal policies, using our internal risk assessment process and a variety of frameworks, such as the New York Department of Financial Services Cybersecurity Requirements for Financial Services Companies, the Insurance Data Security Model Law as adopted and modified by various states and the Payment Card Industry Data Security Standard. In addition to our internal cybersecurity team, we use internal and external auditors and, as appropriate, third-party consultants, service providers and assessors to review and test the company’s processes. For example, on an annual basis, Travelers undergoes an SSAE 18 SOC 2 (Statement on Standards for Attestation Engagements No. 18 Service Organization Control 2 report) examination conducted by an independent external firm.
Additional information regarding privacy and security at Travelers, including our Privacy Statements, is available on the Privacy & Security section of our corporate website.
More about data privacy & cybersecurity
Approach
In addition to managing our own cyber exposure, we recognize the valuable services we can provide to our customers in light of the mounting cyber risks they are facing.
Data privacy
Protecting our customers’ data and safeguarding customer privacy are essential parts of the Travelers Promise.
Cyber product offerings
Travelers understands the complexity of cyber threats and continues to proactively address cyber concerns. We provide policyholders with cyber protection – before, during and after a cyber breach or incident.