At Travelers, we take a comprehensive and multifaceted approach to protecting the information in our care and to assisting our customers in safeguarding their digital assets. We embed data protection throughout our operations and technology programs with the goal of safeguarding customer data and digital assets. As the foundation of this approach, Travelers maintains a comprehensive set of cybersecurity policies and standards aligned with ISO/IEC 27001, the information security management standard of the International Organization for Standardization (ISO). Our policies include Information and System Use policies for employee and non-employee system users, which reinforce the data privacy and protection sections of our Code of Business Conduct and Ethics.
Policy & Governance
We embed data protection throughout our business operations and technology program. Our goal is a disciplined approach to safeguarding our information assets and our customers' data. As the foundation of this approach, Travelers maintains a comprehensive set of cybersecurity policies and standards, developed in collaboration with a wide range of disciplines, including technology, cybersecurity, legal, compliance and the business. On an annual basis, Travelers undergoes a SOC 2 (System and Organization Controls 2) examination under SSAE 18 (Statement on Standards for Attestation Engagements No. 18), conducted by an independent external firm. In addition, we regularly self-assess against our internal policies, which are aligned with ISO/IEC 27001, using our internal risk assessment process and a variety of other frameworks, such as the National Institute of Standards and Technology (NIST) Cybersecurity Framework, the New York Department of Financial Services Cybersecurity Requirements for Financial Services Companies (23 NYCRR Part 500) and the Payment Card Industry Data Security Standard (PCI DSS). This comprehensive and collaborative approach strengthens the organizational culture of data security awareness, the effectiveness of data governance and our responsiveness to evolving data management requirements.
Travelers uses sophisticated technologies and tools to protect information, including but not limited to multifactor authentication, firewalls, intrusion detection and prevention systems, vulnerability scanning and penetration testing, and identity management systems. Our identity and access management systems employ both commercial authentication products from leading vendors and internally developed systems based on prevailing industry standards. Access to key data is subject to periodic recertification, and we apply multifactor authentication based on the level of risk. We monitor our network for anomalies, and our Security Operations Center investigates and responds to them.
In addition, we participate in vulnerability and threat information sharing networks, such as the Financial Services Information Sharing and Analysis Center (FS-ISAC). We also track industry and government intelligence sources for threats that could affect us and deploy the necessary updates as appropriate.
Finally, Travelers has a robust software patch management process, and we have designed and implemented comprehensive systems to provide a high level of security for sensitive data.
In 2020, as part of our transition to a remote work environment and in recognition of the cyber risks associated with that environment, we assessed and further strengthened our technology infrastructure and cybersecurity controls.
Training & Awareness
All Travelers employees receive data privacy and cybersecurity training each year as part of our annual Code of Business Conduct and Ethics training. Additionally, our annual security awareness training covers a broad range of security topics, from password protection and social engineering to privacy and compliance. We also provide regular targeted training on topics such as phishing, secure application development, use of social media and fraud, among others. We educate our employees through a number of methods, including online training, event-triggered awareness campaigns, security presentations, company intranet articles, videos, system-generated communications, email publications and various simulation exercises, such as simulated phishing. In addition, certain Travelers contractors receive data privacy and cybersecurity training.
Travelers has a cybersecurity diligence and oversight process for its third-party vendors. This process is a component of our supplier management program. Prior to the commencement of services, our Cybersecurity team performs a risk assessment and rating of vendors that will have access to or process Travelers data, and conducts formal risk assessments on certain service providers based on that rating. Reassessment occurs on a regular basis, at a frequency determined by the risk assessment and rating process. The assessment process uses a comprehensive questionnaire that addresses the vendor's data security controls and policies, including business continuity, and includes on-site assessments for higher-risk relationships.
Travelers has a Security Incident Response Framework in place. The framework is a set of coordinated procedures and tasks that the Travelers incident response team executes to ensure the timely and accurate resolution of computer security incidents. To maintain the robustness of the framework, we conduct tabletop exercises several times a year, using risk analysis to select which components of the plan to test.
Our cybersecurity framework includes regular assessments of compliance with Travelers policies and standards and with applicable state and federal statutes and regulations. We validate compliance with our internal data security controls through security monitoring tools and internal and external audits. In addition, we proactively self-assess against industry frameworks such as the NIST Cybersecurity Framework.
Additional information regarding privacy and security at Travelers, including our Privacy Statements, is available on our website.