Data Privacy & Cybersecurity
Approach
Our Chief Information Security Officer (CISO) leads the Travelers Cybersecurity department. The CISO reports to the Chief Technology and Operations Officer and is a member of the Enterprise Risk team. Under the direction of the CISO, the Travelers Cybersecurity department continuously analyzes cybersecurity and resiliency risks to our business, considers industry trends and implements controls, as appropriate, to mitigate these risks. This analysis drives our long- and short-term strategies, which are executed through a collaborative effort within Technology and Operations and are communicated to the Board of Directors regularly.
In addition to managing our own cyber exposure, we recognize the valuable services we can provide to our customers in light of the mounting cyber risks they are facing. We offer cyber liability insurance, which provides a combination of coverage options to help protect our customers’ businesses.
Board Oversight
Our CISO provides quarterly updates regarding cybersecurity, cyber risk and related policies to Travelers executive management and the Risk Committee of the Board. The Risk Committee of the Board regularly reviews and discusses with management the strategies, processes and controls pertaining to the management of our information technology operations, including cyber risks and cybersecurity.
Cybersecurity
At Travelers, we take a comprehensive and multifaceted approach to protecting information in our care and to assisting our customers in safeguarding their digital assets. We use administrative, technical and physical safeguards to protect that information. We have established a wide range of data security protections and maintain a data risk management strategy that includes monitoring emerging security threats and assessing appropriate responsive measures.
Policy & Governance
We embed data protection throughout our operations and technology programs with the goal of safeguarding our customer data and digital assets. As a foundation to this approach, Travelers maintains a comprehensive set of cybersecurity policies and standards, which align with the International Organization for Standardization (ISO) 27001 standard and the National Institute of Standards and Technology (NIST) Cybersecurity Framework. Our cybersecurity policies and standards have been developed in collaboration with groups across the enterprise, such as Legal, Compliance and each of our business segments. Our policies include Information and System Use policies for employee and non-employee system users. These policies reinforce the data privacy and protection sections of our Code of Business Conduct and Ethics.
On an annual basis, Travelers undergoes an SSAE 18 SOC 2 (Statement on Standards for Attestation Engagements No. 18 Service Organization Control 2 report) examination conducted by an independent external firm. In addition, we regularly self-assess against our internal policies, using our internal risk assessment process and a variety of other frameworks, such as the New York Department of Financial Services Cybersecurity Requirements for Financial Services Companies, the Insurance Data Security Model Law as adopted by various states and the Payment Card Industry Data Security Standard. We endeavor to comply with all applicable privacy regulations, including but not limited to the California Consumer Privacy Act. Our comprehensive and collaborative approach allows us to further the organizational culture of data security awareness, the effectiveness of data governance and the responsiveness to evolving data management protocols.
Technology
Travelers uses sophisticated technologies and tools to protect information, including but not limited to multifactor authentication, encryption, firewalls, intrusion detection and prevention systems, vulnerability and penetration testing, and identity management systems. Our identity and access management systems employ both commercial authentication products from leading companies and internally developed systems based on prevailing industry standards. We require periodic recertification of access to key data, and we apply multifactor authentication based on the level of risk. We monitor for anomalies on our network, and our Security Operations Center responds to those anomalies.
In addition, we participate in vulnerability information-sharing networks, such as the Financial Services Information Sharing and Analysis Center (FS-ISAC). We also track industry and government threat intelligence sources for developments that could affect us and deploy updates as necessary.
Travelers has a robust software patch management process that includes risk assessment and risk-based update schedules. Our systems are designed, implemented and maintained with the goal of providing a high level of security for sensitive data.
As the workforce and the work environment continue to evolve, Travelers also continues to evaluate related risks and implement appropriate controls.
Training & Awareness
All Travelers employees receive data privacy and cybersecurity training annually as part of our annual Code of Business Conduct and Ethics training. Additionally, our annual security awareness training covers a broad range of security topics, from password protection and social engineering to working remotely and privacy. We also provide regular targeted training on topics such as phishing and secure application development, among others. We educate our employees through a number of methods, including online training, event-triggered awareness campaigns, security presentations, company intranet articles, videos, system-generated communications, email publications and various simulation exercises. In addition, based on role, certain Travelers contractors receive relevant cybersecurity training.
Third-Party Relationships
Travelers has a cybersecurity diligence and oversight process for its third-party vendors. This process is a component of our supplier management program. Prior to the commencement of services, our Cybersecurity team performs a risk-rating assessment of vendors that will have access to and process Travelers data, and conducts formal risk assessments on certain service providers based on that rating. Reassessment occurs on a regular basis, at a frequency determined by the risk assessment and rating process. The assessment process uses a comprehensive questionnaire, which addresses aspects of the vendors’ data security controls and policies, including business continuity, as well as on-site evaluations for higher-risk relationships.
Where appropriate, Travelers seeks to incorporate contractual language with third parties that includes clear terms involving the collection, use, sharing and retention of user data, including data transferred to third parties. These contracts also generally require parties with whom data is shared to comply with the company’s security policy or equivalent.
Incident Response
Travelers has a Security Incident Response Framework in place. The framework is a set of coordinated procedures and tasks that the Travelers Incident Response team executes with the goal of ensuring timely and accurate resolution of computer security incidents. In order to maintain the robustness of the framework, we conduct tabletop testing exercises several times a year, using risk analysis to select which components of the plan to test.
Compliance
Our cybersecurity framework includes regular assessments of compliance with Travelers policies and standards and with applicable state and federal statutes and regulations. We validate compliance with our internal data security controls through the use of security monitoring utilities and internal and external audits. In addition, we proactively perform self-assessments against regulatory frameworks such as the NIST Cybersecurity Framework.
Additional information regarding privacy and security at Travelers, including our Privacy Statements, is available on our website.
Data Privacy
Protecting our customers’ data and safeguarding customer privacy are essential parts of the Travelers Promise. We evaluate data from many sources, including from our individual or business customers themselves, third-party service providers and public sources. In addition to guiding our risk selection and pricing, this data is leveraged to run sophisticated predictive claim models, which improve claim outcomes for our customers and efficiency for our business.
Key aspects of our data privacy program include the following:
- Travelers will not give or sell personal information to nonaffiliated third parties for their marketing purposes without permission.
- Travelers maintains safeguards designed to help prevent unauthorized use, access and disclosure of personal information. For example, we limit access to personal information and require those who have access to use it only for legitimate business purposes.
Core privacy principles guide the actions we take when collecting and using personal information, including the following:
- Notice. We give notice to individuals about the purposes for which Travelers collects, processes, stores and discloses personal information.
- Collection and Use. Travelers thoughtfully considers information collection practices and strives to limit collection to only information that is relevant and reasonably necessary to accomplish Travelers’ intended purposes. Travelers uses the personal information collected directly from insureds only for purposes consistent with the context of the transaction and/or with consent.
- Access and Correction. Personal insurance customers may request access to, and correction of, personal information about them held by Travelers, and Travelers will honor those requests consistent with applicable law.
- Disclosure. Travelers takes steps designed to ensure that personal information is only disclosed to third parties for legitimate business reasons.
- Cross-Border Transfers of Data. Travelers takes steps designed to ensure that any transfer of personal information across country borders is made in accordance with the local laws of the country from which the personal information is being transferred and the country to which the personal information is being transferred.
- Retention and Destruction. Travelers maintains policies relating to record management, including record retention schedules and purge and deletion procedures. When personal information is disposed of, we employ secure methods designed to make the personal information unreadable and unreconstructable (such as shredding or degaussing).
- Information Quality and Integrity. Travelers takes reasonable steps designed to ensure that the personal information it uses is accurate, relevant, complete and up to date for the purposes for which it is intended to be used.
- Security. Travelers understands that cybersecurity is essential for protecting personal information and employs appropriate physical, technical and administrative measures to safeguard and secure personal information. In the event the security of certain personal information has been compromised, Travelers has a formal process to manage and mitigate any associated risks and notify individuals when required or appropriate.
- Training and Awareness. Travelers provides appropriate training to all individuals with access to personal information.
For additional information regarding how we collect, use, share and protect personal information, see the Privacy & Security section of our corporate website.
Cyber Product Offerings
Our 2021 Travelers Risk Index report found that cyber threats are the No. 1 concern across all businesses. Despite heightened cyber concerns, only 61% of participants reported feeling extremely or very confident in their companies’ cyber practices. In addition, less than half of survey respondents have adopted basic preventive measures available to companies, such as multifactor authentication, and cyber attacks continue to increase in both frequency and severity. According to the survey, one-fourth of participants said their company has been a cyber victim – a 150% increase from 2015 – with nearly half reporting that the event happened within the past 12 months.
Now more than ever, businesses and organizations of all sizes need to prepare with both cyber insurance and an effective cybersecurity plan to manage and mitigate cyber risk. Travelers understands the complexity of cyber threats and continues to proactively address cyber concerns. We provide policyholders with cyber protection – before, during and after a cyber breach or incident.
The cost of dealing with a cyber event goes beyond repairing databases, strengthening security procedures or replacing lost laptops. Companies may face liability if their customers’ personally identifiable information or protected health information is compromised. Regulations requiring notification of affected customers also drive costs for companies that have experienced a data breach compromising personal or confidential data. There is also a cost involved in defending the company’s reputation, as well as in retaining skilled computer forensics teams to determine the extent of the breach. We have a number of different coverages available and work with our customers and our agent and broker partners to tailor the coverages to the specific risks our customers face.
Our cyber offerings go beyond just insurance coverage. By partnering with leading global providers, Travelers is able to offer both agents and policyholders educational tools, risk management resources and pre- and post-breach services. Our cyber risk professionals can help identify the best cyber liability insurance solution to provide business customers with access to endpoint detection and response monitoring services, pre-breach services from Symantec™ and a robust collection of specialized risk management resources. These tools help our agents and policyholders become more knowledgeable and informed about cyber threats and how to prepare for and respond to them.
Differentiators of our cyber insurance program include the following:
- Travelers has provided cyber-related insurance coverage with robust risk management services for more than 30 years.
- Travelers understands the importance of helping organizations work through an incident, from recovering after a breach to managing expenses associated with a cyber event.
- Our Chief Information Security Officer meets regularly with the Cyber Insurance team to promote sharing and collaboration within our business.
- From 2012 to 2021, our gross written premium from cyber coverage grew at a compound annual rate of more than 25%.
- In the most recent National Association of Insurance Commissioners Report on the Cybersecurity Insurance Market, Travelers was listed as a top cybersecurity insurance carrier based on direct premiums written.¹
Visit the Cyber Insurance page on our corporate website for more information on our cyber products and services.
¹ Report on the Cybersecurity Insurance Market, October 2021.