Our Chief Information Security Officer (CISO) leads the Travelers Information Security department and has responsibility for information security, risk and business continuity programs. The CISO reports to the Chief Information Officer and is a member of the Enterprise Risk team. The CISO provides quarterly updates on the information security, risk and business continuity programs and policies to executive management and the Risk Committee of the Board. Our Information Security team is composed of more than 100 trained individuals, many of whom hold advanced industry certifications. The Risk Committee of the Board regularly reviews and discusses with management the strategies, processes and controls pertaining to the management of our information technology operations, including cyber risks and information security.
In addition to managing our own cyber exposure, we recognize the opportunity afforded by the mounting cyber risks facing our customers. We offer cyber liability insurance, which provides a combination of coverage options to help protect our customers’ businesses.
At Travelers, we take a multifaceted approach to protect information in our care and assist our customers in safeguarding their digital assets. We embed data protection throughout our operations and information technology programs with the goal of safeguarding our customer data and digital assets. As a foundation to this approach, Travelers maintains a comprehensive set of information security policies and standards, which align with ISO 27001. Our policies include codes of conduct for employee and non-employee system users, which reinforce the data privacy and protection sections of our Code of Business Conduct and Ethics.
Additional highlights of our information security program include:
- Annually, Travelers undergoes a SOC 2 examination by an independent external audit firm, which reviews the company’s security, processing integrity, confidentiality and privacy controls, among other things.
- We continuously self-assess against our internal policies, using our internal risk assessment process and a wide variety of frameworks and regulations available, such as the National Institute of Standards and Technology (NIST) Cybersecurity Framework, New York Department of Financial Services Cybersecurity Requirements for Financial Services Companies, and the Payment Card Industry Data Security Standard.
- We use sophisticated technology tools, including multifactor authentication, firewalls, intrusion detection and prevention systems, vulnerability and penetration testing, encryption and identity management systems.
- We participate in vulnerability information sharing networks, such as the Financial Services Information Sharing and Analysis Center (FS-ISAC). We also track industry and government intelligence sources for impact in the marketplace and deploy necessary updates as appropriate.
- All Travelers employees receive data privacy and information security training annually as part of our annual Code of Business Conduct and Ethics training. Additionally, our annual security awareness training covers a broad range of security topics from password protection and social engineering to privacy and compliance.
- We also provide regular targeted training on topics such as, but not limited to, phishing, secure application development, use of social media and fraud. We educate our employees through a number of methods, including computer-based training, security materials and presentations, company intranet articles, email publications and various simulation exercises. In addition, certain Travelers contractors receive data privacy and information security training.
- We utilize a comprehensive information security diligence and oversight process for our third-party vendors, which includes risk/rating assessments of all vendors and robust security assessments based on risk.
- We implemented a robust Security Incident Response Framework, which is a set of coordinated procedures and tasks to ensure timely and accurate resolution of computer security incidents.
- Our information security framework includes regular compliance assessments with Travelers policies and standards and applicable state and federal statutes and regulations.
For additional information regarding our management, governance, training and compliance with respect to our information security program, see the Travelers Information Security Practices website.
Protecting our customers’ data and safeguarding customer privacy are essential parts of the Travelers Promise. We evaluate data from many sources, including from our individual or business customers themselves, third-party service providers and public sources. In addition to guiding our risk selection and pricing, we leverage this data to run 34 predictive claim models, which improve claim outcomes for our customers and efficiency for our business.
Key aspects of our data privacy program include the following:
- Travelers will not give or sell personal information to nonaffiliated third parties for their marketing purposes without permission.
- Travelers maintains safeguards designed to help prevent unauthorized use, access and disclosure of personal information. For example, we limit access to personal information and require those who have access to use it only for legitimate business purposes.
As technology becomes more complex and sophisticated, organizations need to prepare with both cyber insurance and an effective cybersecurity plan to manage and mitigate cyber risk. Travelers understands the complexity of cyber threats and has solutions to insure and protect our business customers’ assets. In addition, the Travelers Institute®, our public policy division, helps further education on cybersecurity through programming across the United States and Canada.
The cost of dealing with a data breach goes beyond repairing databases, strengthening security procedures or replacing lost laptops. Companies may face liability if their customers’ personally identifiable information (PII) or protected health information (PHI) is exposed in a data breach. Regulations that require notification of affected customers also drive costs for companies that have experienced a data breach compromising personal or confidential data. We have a number of different coverages available and work with our customers and our agent and broker partners to tailor the coverages to the specific risks our customers face.
Our cyber offerings go beyond just insurance coverage. By partnering with leading global providers, Travelers is able to offer both agents and policyholders educational tools, risk management resources and pre- and post-breach services. These tools help our agents and policyholders become more knowledgeable and informed about cyber threats, and how to prepare for and overcome them.
Differentiators of our cyber insurance program include the following:
- Travelers has provided cyber-related insurance coverage with robust risk management services for more than 30 years.
- Travelers understands the importance of helping organizations work through an incident, from recovering after a breach to managing expenses associated with a cyber event.
- Our CISO meets regularly with the Cyber Insurance team to promote sharing and collaboration within our business.
- From 2011 through 2018, our gross written premium from cyber coverage grew at a compounded annual rate of over 30%.
- Travelers was listed as a top-five cybersecurity insurance carrier by direct premiums written in 2016 and 2017.¹
- Travelers was ranked as the No. 1 cyber insurance carrier by agents in 2018.²
Visit the Cyber Insurance page on our corporate website for more information on our cyber products and services.