At Travelers, we take a comprehensive and multifaceted approach to protecting the information in our care and to helping our customers safeguard their digital assets. We use administrative, technical and physical safeguards to do so. We have established a wide range of data security protections and maintain a data risk management strategy that includes monitoring emerging security threats and assessing appropriate responsive measures.
Policy & Governance
We embed data protection throughout our operations and technology programs with the goal of safeguarding our customer data and digital assets. As a foundation to this approach, Travelers maintains a comprehensive set of cybersecurity policies and standards, which align with the International Organization for Standardization (ISO) 27001 standard and the National Institute of Standards and Technology (NIST) Cybersecurity Framework. Our cybersecurity policies and standards have been developed in collaboration with groups across the enterprise, such as Legal, Compliance and each of our business segments. Our policies include Information and System Use policies for employee and non-employee system users. These policies reinforce the data privacy and protection sections of our Code of Business Conduct and Ethics.
On an annual basis, Travelers undergoes a SOC 2 examination (a System and Organization Controls 2 report, performed under Statement on Standards for Attestation Engagements No. 18, SSAE 18) conducted by an independent external firm. In addition, we regularly self-assess against our internal policies, using our internal risk assessment process and a variety of other frameworks, such as the New York Department of Financial Services Cybersecurity Requirements for Financial Services Companies, the NAIC Insurance Data Security Model Law as adopted by various states and the Payment Card Industry Data Security Standard (PCI DSS). We endeavor to comply with all applicable privacy regulations, including but not limited to the California Consumer Privacy Act. This comprehensive and collaborative approach allows us to strengthen the organizational culture of data security awareness, the effectiveness of data governance and our responsiveness to evolving data management requirements.
Travelers uses a range of technologies and tools to protect information, including but not limited to multifactor authentication, encryption, firewalls, intrusion detection and prevention systems, vulnerability scanning and penetration testing, and identity management systems. Our identity and access management systems employ both commercial authentication products from leading vendors and internally developed systems based on prevailing industry standards. We perform periodic recertification of access to key data, and we require multifactor authentication based on the level of risk. We monitor our network for anomalies, and our Security Operations Center responds to them.
In addition, we participate in vulnerability information-sharing networks, such as the Financial Services Information Sharing and Analysis Center (FS-ISAC). We also track industry and government intelligence sources for impact in the marketplace and deploy updates as necessary.
Travelers has a software patch management process that includes risk assessment and risk-based update schedules. Our systems are designed, implemented and maintained with the goal of providing a high level of security for sensitive data.
As the workforce and the work environment continue to evolve, Travelers also continues to evaluate related risks and implement appropriate controls.
Training & Awareness
All Travelers employees receive data privacy and cybersecurity training annually as part of our annual Code of Business Conduct and Ethics training. Additionally, our annual security awareness training covers a broad range of security topics, from password protection and social engineering to working remotely and privacy. We also provide regular targeted training on topics such as phishing and secure application development. We educate our employees through a number of methods, including online training, event-triggered awareness campaigns, security presentations, company intranet articles, videos, system-generated communications, email publications and various simulation exercises. In addition, based on their role, certain Travelers contractors receive relevant cybersecurity training.
Travelers has a cybersecurity diligence and oversight process for its third-party vendors. This process is a component of our supplier management program. Prior to the commencement of services, our Cybersecurity team assigns a risk rating to vendors that will have access to and process Travelers data, and conducts formal risk assessments on certain service providers based on that rating. Reassessment occurs on a regular basis, at a frequency determined by the same risk rating process. The assessment uses a comprehensive questionnaire that addresses the vendor's data security controls and policies, including business continuity, supplemented by on-site evaluations for higher-risk relationships.
Where appropriate, Travelers seeks to incorporate contractual language with third parties that includes clear terms involving the collection, use, sharing and retention of user data, including data transferred to third parties. These contracts also generally require parties with whom data is shared to comply with the company’s security policy or equivalent.
Travelers has a Security Incident Response Framework in place. The framework is a set of coordinated procedures and tasks that the Travelers Incident Response team executes with the goal of ensuring timely and accurate resolution of computer security incidents. To keep the framework effective, we conduct tabletop exercises several times a year, using risk analysis to select which components of the plan to test.
Our cybersecurity framework includes regular assessments of compliance with Travelers policies and standards and with applicable state and federal statutes and regulations. We validate compliance with our internal data security controls through security monitoring tools and through internal and external audits. In addition, we proactively perform self-assessments against frameworks such as the NIST Cybersecurity Framework.
Additional information regarding privacy and security at Travelers, including our Privacy Statements, is available on our website.