Privacy & Security

Sections:

Travelers cybersecurity practices

Travelers cybersecurity practices

As technology becomes more complex and sophisticated, so do the cyber risks that businesses and organizations face. At Travelers, we strive to protect the information about the people and property we insure.

We have implemented technologies and tools to evaluate our cybersecurity protections and maintain a cyber risk management strategy related to our technology infrastructure that includes monitoring emerging security threats and assessing appropriate responsive measures.

Approach

Our Chief Information Security Officer (CISO) leads the Travelers Cybersecurity department. The CISO reports to the Chief Technology and Operations Officer and is a member of the company’s Enterprise Risk team and the Disclosure Committee. Under the direction of the CISO, the Travelers Cybersecurity department analyzes cybersecurity and resiliency risks to our business, considers industry trends and implements controls, as appropriate, to mitigate these risks. This analysis drives our long- and short-term strategies, which are executed through a collaborative effort within Technology, Cybersecurity and Business Resiliency and are communicated to the Risk Committee of the Board of Directors on a regular basis.

Board oversight

Our CISO typically provides quarterly updates regarding cybersecurity and cyber risk to Travelers executive management and the Risk Committee of the Board. The Risk Committee of the Board, consistent with its charter, reviews and discusses with management the strategies, processes and controls pertaining to the management of our information technology operations, including cyber risks and cybersecurity.

Policy & governance

Travelers maintains a comprehensive set of cybersecurity policies and standards, which are modeled to align with the International Organization for Standardization (ISO) 27001 standard and the National Institute of Standards and Technology (NIST) Cybersecurity Framework. Our cybersecurity policies and standards have been developed in collaboration with groups across the enterprise, such as Legal, Compliance and each of our business segments. Our policies include, for example, Information and System Use policies for employee and non-employee system users. These policies reinforce the data privacy and protection sections of our Code of Business Conduct and Ethics.

We perform an annual cybersecurity risk and control assessment as part of the Enterprise Risk Management team’s risk assessment processes. Our CISO and Chief Technology and Operations Officer review and approve the cybersecurity assessment. In addition, as part of their regular responsibilities, our Risk and Security Officers within the Technology and Cybersecurity groups assess technology and cybersecurity risks by leveraging our risk framework related to technology and cybersecurity, which aligns with our enterprise risk management strategy.

On an annual basis, at the direction of our Chief Risk Officer, the company’s Technology, Cybersecurity and Business Resiliency groups also participate in the enterprise-wide Own Risk and Solvency Assessment (“ORSA”), which outlines identified risks and describes the controls in place across the company to address those risks. The ORSA is reviewed with our lead regulator, the State of Connecticut Department of Insurance, which in turn performs periodic financial examinations, including a technology control assessment.

Technology

Travelers uses various technologies and tools, as appropriate, to enhance cybersecurity, such as multifactor authentication, encryption, firewalls, intrusion detection and prevention systems, endpoint detection and response, vulnerability scanning, penetration testing, patch management, and identity and access management systems. These systems are designed, implemented and maintained with the goal of identifying, assessing and managing cybersecurity risks.

In addition, our CISO and Cybersecurity teams are actively engaged within the cybersecurity community in order to monitor emerging trends and developments and share best practices for identifying and mitigating cyber threats. For example, we participate in threat intelligence information-sharing networks, such as the Financial Services Information Sharing and Analysis Center (FS-ISAC). We also track industry and government intelligence sources for impact in the marketplace and deploy updates to our systems as appropriate. Additionally, the company's Cybersecurity team monitors and investigates suspicious events.

As the workforce, the work environment and the threat landscape continue to evolve, Travelers seeks to evaluate related risks and implement appropriate controls.

Training & awareness

To help manage risks from potential cybersecurity threats, as part of our annual Code of Business Conduct and Ethics training, all Travelers employees receive data protection and privacy training, which focuses on the need to appropriately protect and secure confidential company information. Additionally, we provide annual security awareness training that covers a broad range of security topics. We also provide regular targeted training on topics such as phishing and secure application development, among others. In addition to online training, employees are provided with cybersecurity related information through a number of different methods, including event-triggered awareness campaigns, recognition programs, security presentations, intranet articles, videos, system-generated communications, email publications and various simulation exercises.

Third-party relationships

As part of our supplier risk management program, using a risk-based approach, the Cybersecurity team conducts formal risk assessments with respect to certain of our third-party service providers. The assessment process addresses aspects of the service providers’ data security controls and policies.

Where appropriate, Travelers seeks to incorporate contractual language with third party service providers that includes clear terms involving the collection, use, sharing and retention of user data, as well as compliance with appropriate security terms.

Incident response

Travelers has a Security Incident Response Framework in place. The framework is a set of coordinated procedures and tasks that the Travelers Incident Response team, under the direction of the CISO, executes with the goal of ensuring timely and accurate resolution of computer security incidents. To maintain the robustness of the framework, we conduct cybersecurity tabletop testing exercises from time to time.

Compliance

We regularly self-assess against our internal policies, using our internal risk assessment process and a variety of frameworks, such as the New York Department of Financial Services Cybersecurity Requirements for Financial Services Companies, the Insurance Data Security Model Law as adopted and modified by various states and the Payment Card Industry Data Security Standard. In addition to our internal cybersecurity team, we use internal and external auditors and, as appropriate, third-party consultants, service providers, and assessors to review and test the company’s processes. For example, on an annual basis, Travelers undergoes an SSAE 18 SOC 2 (Statement on Standards for Attestation Engagements No. 18 Service Organization Control 2 report) examination conducted by an independent external firm.

Additional information regarding privacy and security at Travelers, including our Privacy Statements, is available on our website.