Data Privacy & Cybersecurity
Approach
Our Chief Information Security Officer (CISO) leads the Travelers Cybersecurity department. The CISO reports to the Chief Technology and Operations Officer and is a member of the company’s Enterprise Risk team and the Disclosure Committee. Under the direction of the CISO, the Travelers Cybersecurity department analyzes cybersecurity and resiliency risks to our business, considers industry trends and implements controls, as appropriate, to mitigate these risks. This analysis drives our long- and short-term strategies, which are executed through a collaborative effort within Technology, Cybersecurity and Business Resiliency and are communicated to the Risk Committee of the Board of Directors on a regular basis.
In addition to managing our own cyber exposure, we recognize the valuable services we can provide to our customers in light of the mounting cyber risks they are facing. We offer cyber liability insurance, which provides a combination of coverage options to help protect our customers’ businesses.
Board Oversight
Our CISO typically provides quarterly updates regarding cybersecurity and cyber risk to Travelers executive management and the Risk Committee of the Board. The Risk Committee of the Board, consistent with its charter, reviews and discusses with management the strategies, processes and controls pertaining to the management of our information technology operations, including cyber risks and cybersecurity.
Cybersecurity
We have implemented technologies and tools to evaluate our cybersecurity protections and maintain a cyber risk management strategy related to our technology infrastructure that includes monitoring emerging security threats and assessing appropriate responsive measures.
Policy & Governance
Travelers maintains a comprehensive set of cybersecurity policies and standards, which align with the International Organization for Standardization (ISO) 27001 standard and the National Institute of Standards and Technology (NIST) Cybersecurity Framework. Our cybersecurity policies and standards have been developed in collaboration with groups across the enterprise, such as Legal, Compliance and each of our business segments. Our policies include, for example, Information and System Use policies for employee and non-employee system users. These policies reinforce the data privacy and protection sections of our Code of Business Conduct and Ethics.
We perform an annual cybersecurity risk and control assessment as part of the Enterprise Risk Management team’s risk assessment processes. Our CISO and Chief Technology and Operations Officer review and approve the cybersecurity assessment. In addition, as part of their regular responsibilities, our Governance, Risk and Compliance officers within the Technology and Cybersecurity groups assess technology and cybersecurity risks by leveraging our risk framework related to technology and cybersecurity, which aligns with our enterprise risk management strategy.
On an annual basis, under the direction of our Chief Risk Officer, the company’s Technology, Cybersecurity and Business Resiliency groups also participate in the enterprise-wide Own Risk and Solvency Assessment (“ORSA”), which outlines identified risks and describes the controls in place across the company to address those risks. The ORSA is reviewed with our lead regulator, the State of Connecticut Department of Insurance, which in turn performs periodic financial examinations, including a technology control assessment.
Technology
Travelers uses various technologies and tools, as appropriate, to enhance cybersecurity, such as multifactor authentication, encryption, firewalls, intrusion detection and prevention systems, endpoint detection and response, vulnerability scanning, penetration testing, patch management, and identity and access management systems. These systems are designed, implemented and maintained with the goal of identifying, assessing and managing cybersecurity risks.
In addition, our CISO and Cybersecurity teams are actively engaged within the cybersecurity community in order to monitor emerging trends and developments and share best practices for identifying and mitigating cyber threats. For example, we participate in threat intelligence information-sharing networks, such as the Financial Services Information Sharing and Analysis Center (FS-ISAC). We also track industry and government intelligence sources for impact in the marketplace and deploy updates to our systems as appropriate. Additionally, the company's Cybersecurity team monitors and investigates suspicious events.
As the workforce, the work environment and the threat landscape continue to evolve, Travelers seeks to evaluate related risks and implement appropriate controls.
Training & Awareness
To help manage risks from potential cybersecurity threats, as part of our annual Code of Business Conduct and Ethics training, all Travelers employees receive data protection and privacy training, which focuses on the need to appropriately protect and secure confidential company information. Additionally, we provide annual security awareness training that covers a broad range of security topics. We also provide regular targeted training on topics such as phishing and secure application development, among others. In addition to online training, employees are provided with cybersecurity-related information through a number of different methods, including event-triggered awareness campaigns, recognition programs, security presentations, intranet articles, videos, system-generated communications, email publications and various simulation exercises.
Third-Party Relationships
As part of our supplier risk management program, using a risk-based approach, the Cybersecurity team conducts formal risk assessments with respect to certain of our third-party service providers. The assessment process addresses aspects of the service providers’ data security controls and policies.
Where appropriate, Travelers seeks to incorporate contractual language with third-party service providers that includes clear terms involving the collection, use, sharing and retention of user data, as well as compliance with appropriate security terms.
Incident Response
Travelers has a Security Incident Response Framework in place. The framework is a set of coordinated procedures and tasks that the Travelers Incident Response team, under the direction of the CISO, executes with the goal of ensuring timely and accurate resolution of computer security incidents. To maintain the robustness of the framework, we conduct cybersecurity tabletop testing exercises from time to time.
Compliance
We regularly self-assess against our internal policies, using our internal risk assessment process and a variety of frameworks, such as the New York Department of Financial Services Cybersecurity Requirements for Financial Services Companies, the Insurance Data Security Model Law as adopted and modified by various states and the Payment Card Industry Data Security Standard. In addition to our internal cybersecurity team, we use internal and external auditors and, as appropriate, third-party consultants, service providers and assessors to review and test the company’s processes. For example, on an annual basis, Travelers undergoes an SSAE 18 SOC 2 (Statement on Standards for Attestation Engagements No. 18 Service Organization Control 2 report) examination conducted by an independent external firm.
Additional information regarding privacy and security at Travelers, including our Privacy Statements, is available on our website.
Data Privacy
Protecting our customers’ data and safeguarding customer privacy are essential parts of the Travelers Promise. We evaluate data from many sources, including from our individual or business customers themselves, third-party service providers and public sources. In addition to guiding our risk selection and pricing, this data is leveraged to run sophisticated predictive claim models, which improve claim outcomes for our customers and efficiency for our business.
Key aspects of our data privacy program include the following:
- We endeavor to comply with all applicable privacy regulations, including but not limited to the California Consumer Privacy Act.
- We will not give or sell personal information to non-affiliated third parties for their marketing purposes without permission.
- We maintain safeguards designed to help prevent unauthorized use, access and disclosure of personal information. For example, we limit access to personal information and require those who have access to use it only for legitimate business purposes.
Core privacy principles guide the actions we take when collecting and using personal information, including the following:
- Notice. We give notice to individuals about the purposes for which Travelers collects, processes, stores and discloses personal information.
- Collection and Use. Travelers thoughtfully considers information collection practices and strives to limit collection to only information that is relevant and reasonably necessary to accomplish Travelers’ intended purposes. Travelers uses the personal information collected directly from insureds only for purposes consistent with the context of the transaction and/or with consent.
- Access and Correction. Personal insurance customers may request access to, and correction of, personal information about them held by Travelers, and Travelers will honor those requests consistent with applicable law.
- Disclosure. Travelers takes steps designed to ensure that personal information is only disclosed to third parties for legitimate business reasons.
- Cross-Border Transfers of Data. Travelers takes steps designed to ensure that any transfer of personal information across country borders is made in accordance with the local laws of the country from which the personal information is being transferred and the country to which the personal information is being transferred.
- Retention and Destruction. Travelers maintains policies relating to record management, including record retention schedules and purge and deletion procedures. When personal information is disposed of, we employ secure methods, which are designed to make the personal information unreadable and unreconstructable (such as shredding or degaussing).
- Information Quality and Integrity. Travelers takes reasonable steps designed to ensure that the personal information it uses is accurate, relevant, complete and up to date for the purposes for which it is intended to be used.
- Security. Travelers understands that cybersecurity is essential for protecting personal information and employs appropriate physical, technical and administrative measures to safeguard and secure personal information. In the event the security of certain personal information has been compromised, Travelers has a formal process to manage and mitigate any associated risks and notify individuals when required or appropriate.
- Training and Awareness. Travelers provides appropriate training to all individuals with access to personal information.
For additional information regarding how we collect, use, share and protect personal information, see the Privacy & Security section of our corporate website.
Cyber Product Offerings
Our 2023 Travelers Risk Index report found that, for the ninth straight year, cyber threats were one of the top three concerns across all businesses. Despite heightened cyber concerns, and increased cyber threats, many businesses remain unprepared and have not implemented basic prevention measures, such as multifactor authentication or incident response planning. According to the survey, nearly one quarter of participants said that their company has been a cyber victim, with nearly half reporting that the event happened within the past 12 months.
Now more than ever, businesses and organizations of all sizes need to prepare with both cyber insurance and an effective cybersecurity plan to manage and mitigate cyber risk. Travelers understands the complexity of cyber threats and continues to proactively address cyber concerns. We provide policyholders with cyber protection – before, during and after a cyber breach or incident.
The cost of dealing with a cyber event goes beyond repairing databases, strengthening security procedures or replacing lost laptops. Companies may face liability if their customers’ personally identifiable information or protected health information is compromised. Regulations requiring notification of affected customers also drive costs for companies that have experienced a data breach compromising personal or confidential data. There is also a cost involved with the efforts needed to defend the company’s reputation, as well as with the retention of skilled computer forensics teams to determine the extent of the breach. We have a number of different coverages available and work with our customers and our agent and broker partners to tailor the coverages to the specific risks our customers face.
Our cyber offerings go beyond just insurance coverage. By partnering with leading global providers, Travelers is able to offer both agents and policyholders educational tools, risk management resources and pre- and post-breach services. Our cyber risk professionals can help identify the best cyber liability insurance solution to provide business customers with access to endpoint detection and response monitoring services, pre-breach services from HCL Technologies and a robust collection of specialized risk management resources. These tools help our agents and policyholders become more knowledgeable and informed about cyber threats and how to prepare for and respond to them.
Differentiators of our cyber insurance program include the following:
- Travelers has provided cyber-related insurance coverage with robust risk management services for more than 30 years.
- Travelers understands the importance of helping organizations work through an incident, from recovering after a breach to managing expenses associated with a cyber event.
- Our Chief Information Security Officer meets regularly with the Cyber Insurance team to promote sharing and collaboration within our business.
- From 2014 to 2023, our gross written premium from cyber coverage has seen an over 25% compound annual growth rate.
- In the most recent National Association of Insurance Commissioners Report on the Cybersecurity Insurance Market, Travelers was listed as a top cybersecurity insurance carrier based on direct premiums written.¹
Visit the Cyber Insurance page on our corporate website for more information on our cyber products and services.
¹ Report on the Cybersecurity Insurance Market, November 2023.