Skip to Content

The Travelers Risk Index

The Travelers Risk Index provides an annual snapshot of risk viewpoints from over 1,200 business decision makers across the country.

This 2023 survey looks at the top concerns of U.S. businesses and how companies are dealing with the risks they face every day. The survey participants represent small, mid-sized and large businesses from a variety of industries including construction, real estate, healthcare, technology, retail, transportation, wholesalers, professional services, manufacturing, banking/financial services, publicly traded, nonprofit and public sector.

Overall Business Risk Concerns

Despite the current environment and challenges businesses face …

  • Workforce shortages

  • High interest rates

  • Medical cost increases

  • Global uncertainty

Cyber Risks

remain a top business concern
65%

In the 10th installment of the Travelers Risk Index, 65% of survey participants said they believe the business world is risky.

Participants considered the overall amount of risk faced every day, including risks to employees’ and customers’ safety, business property, financial well-being and general business risks.

Business leaders were asked what their biggest business concern was.

Choosing from a list of concerns including workforce changes, extreme weather, US trade policy, corporate reputation, intellectual property (IP) risks, benefit cost inflation, legal liability, environmental concerns, global economy, financial issues, regulatory concerns and supply chain risks. The top 5 concerns among businesses of all sizes and all industries are:

Company size

  1. Medical cost inflation (60%)

  2. Broad economic uncertainty (59%)

  3. Cyber risks (58%)

  4. Increased employee benefit costs (55%)

  5. Access to capital and cash flow (54%)

  1. Medical cost inflation (70%)

  2. Cyber risks (68%)

  3. Access to capital and cash flow (67%)

  4. Impact of global economy (66%)

  5. Broad economic uncertainty (65%)

  1. Cyber risks (65%)

  2. Medical cost inflation (64%)

  3. Ability to attract/retain talent (58%)

  4. Broad economic uncertainty (57%)

  5. Increased employee benefit costs (57%)

  1. Broad economic uncertainty (56%)

  2. Medical cost inflation (47%)

  3. Increased employee benefit costs (45%)

  4. Impact of global economy (43%)

  5. Cyber risks (42%)

54%

More than half (54%) of the participants
think it is inevitable that their business will be a victim of a cyberattack.

Cyber Concerns and Victimization

Cyberattacks are not random, and a single attack can shut a company down for a long period of time, or worse, put it out of business.

Cyber criminals target companies with certain vulnerabilities. We surveyed business leaders representing a variety of business sizes and industries to understand their viewpoints about cyber risks and threats that exist.

No matter the size of business or industry, business leaders share similar cyber concerns.

Some of their biggest concerns include

Company size
57%

Unauthorized access to financial accounts

56%

Security breach/someone hacking

52%

Security breach/system glitch at a vendor

52%

Employees putting information/systems at risk

52%

Theft/loss of customer/client records

52%

System glitch causing organizations’ computers to go down

68%

Unauthorized access to financial accounts

68%

Security breach/someone hacking

68%

Employees putting information/systems at risk

65%

Security breach/system glitch at a vendor

65%

Theft/loss of customer/client records

64%

Security breach/system glitch from remote work

62%

Unauthorized access to financial accounts

61%

Security breach/someone hacking

59%

Employees putting information/systems at risk

59%

Security breach/system glitch from remote work

58%

Security breach/system glitch at a vendor

58%

Failure to operate business/lost income

42%

Unauthorized access to financial accounts

40%

Security breach/someone hacking

40%

System glitch causing organization's computers to go down

38%

Theft/loss of customer/client records

37%

Having the resources and know-how to recover from cyber related events

36%

Failure to operate business/lost income

Given the continuation of remote working, there is a set of cyber threats that business leaders are concerned about.

For instance, employees may inadvertently put systems at risk when accessing their email remotely and bad actors may exploit open ports to infiltrate a network, which can lead to ransomware attacks and other cybercrime schemes.

50%

Ransomware is a threat that still has the attention of business leaders, with half (50%) of the participants concerned about becoming an extortion/ransomware victim.

What is RANSOMWARE?

It’s a form of malicious software (“malware”) used by cyber criminals to obtain access to a victim’s network. They can use it to steal data, commit fraud or launch a ransomware attack. This type of attack encrypts a company’s computer system and data and allows the criminals to demand a ransom in return for a decryption key.

Recently, ransomware attackers have become more aggressive, asking businesses to pay six, seven and even eight-figure ransoms. These criminals are deleting backups, and in some cases, threatening to disclose sensitive or confidential data, making it harder for businesses to recover from such an attack.

Victimization by the Numbers

The 2023 Travelers Risk Index confirms that business leaders have good reason to be worried, as nearly one quarter of businesses reported being victimized by a cyber event.

A pie graph increases from 10% to 26% showing a 160% increase.
10%

Since 2015

The percentage of businesses that have been a victim of a cyber event has more than doubled. Over that time, it has seen a 130% increase.

In 2023

23% of those surveyed said their company had been a cyber victim, with nearly half reporting the event happened within the past 12 months.

23%

And 60% of businesses that reported an attack were victimized multiple times

34% of businesses had one cyber attack, 26% had two cyber attacks, 22% had three cyber attacks, 12% had four or more cyber attacks
Percentage of businesses reporting incidents Number of cyber incidents
10%20%30%40%
Four+
12%
Three
22%
Two
26%
One
34%
Headshot of Tim Francis, Travelers Enterprise Cyber Lead
These cyber events are not random – if a business was vulnerable before and didn’t take appropriate action as a result, they continue to be at risk. It’s important to take the prospect of a cyberattack seriously and to put the business in position to successfully manage a likely event.” Tim Francis
Travelers Enterprise Cyber Lead

The top 5 cyber events that businesses are experiencing

A security breach continues to be the most frequently cited cyber event, followed by a system glitch causing an organizations’ computers to go down, employees putting information/systems at risk, theft or loss of control of customer or client records and a company being the target of cyber extortion/ransomware.

  1. Security Breach (32%)

  2. System glitch (31%)

  3. Employees putting information/systems at risk (29%)

  4. Theft or loss of customer/client records (27%)

  5. Extortion/ransomware (24%)

Cyber Preparedness

Effective measures that have proven to reduce the risk of becoming a cyber victim are available, but based on these survey results, not enough companies are taking action. In fact, businesses of all sizes seem to be overconfident in navigating the evolving cyber landscape, which may cause a false sense of security.

Many businesses are not prepared.

90% of business report that they are confident that they have implemented best practices to prevent or mitigate a cyber event.

Yet, most businesses have not implemented basic prevention measures.

At least 25% of business are not even implementing the most basic practices, such as firewall/virus protection, data backup and password updates.

A pie graph increases from 0 to 64%
64%

64% do not use endpoint detection and response (EDR)

What is Endpoint Detection and Response (EDR)?

EDR can help protect and monitor an enterprise network by identifying suspicious activity before the rest of the corporate network is exposed to unnecessary risk. An EDR solution can provide far greater capabilities than a traditional antivirus solution, as it monitors for anomalous behavior on each system rather than simply searching for malware.

To help, Travelers CyberRisk policyholders receive access to the SentinelOneTM EDR Platform for 60 days at no additional cost.

50% do not have an incident response (IR) plan

What is AN IR Plan?

An IR plan is a document that outlines an organization’s procedures, steps and responsibilities in the event of a cyber event. It prioritizes mission critical functions, identifies the IT systems that support them and documents recovery and response actions to help quickly restore operations. A well-designed IR is a living, breathing document that should be regularly reviewed and updated.

As part of the Travelers eRiskHub®, a web portal for CyberRisk policyholders, an incident response planning roadmap is available as well as other IR planning services and resources.

50%

65% do not have a post-breach team on retainer as part of an incident response (IR) plan

How can a post-breach team help?

When a business suffers a cyber event, minutes matter. Experienced teams of specialized professionals such as data breach coaches, digital forensics experts and public relations professionals, can be engaged to help an organization manage the fallout of an attack. To expedite the process, consider identifying a post-breach team prior to a cyber event, and even keeping the team on retainer as part of your organization’s IR plan.

Through our experience and knowledge, Travelers offers CyberRisk policyholders expert resources, including a data breach coach.

44% do not use Multifactor Authentication (MFA) for remote or admin access

What is Multifactor Authentication (MFA)?

MFA is a security method that requires the use of two or more authentication factors to verify a user’s identity prior to gaining access to an organization’s network, access to their email remotely or access to privileged or administrative accounts.

According to Microsoft, 99.9% of account compromise attacks can be blocked by MFA.1

top reasons provided by respondents for not using MFA:

  • MFA is too inconvenient for users

    MFA is simple for businesses to implement and typically requires no external hardware. Once established, the use of a secondary identification method such as a token simplifies the authentication process for users while dramatically improving the security of your network.

  • There are other controls in place

    Traditional anti-virus software is no longer sufficient to protect a company’s network. A multi-faceted approach to cybersecurity – including MFA – is essential to protect against these ever-evolving cyber threats.

  • They don’t know what options exist

    MFA options can vary, so to help, Travelers offers its CyberRisk policyholders access to a one-hour consultation with a HCL Technologies Cyber Security Coach who can provide much-needed expertise and help pave the way for a stronger cybersecurity program.

Travelers Cyber Academy® Podcast

Listen to Tim Francis, Enterprise Cyber Lead, and Ken Morrison, Cyber Risk Management, discuss what MFA is, how it can help protect a business and what an organization should consider when implementing this added layer of protection in this edition of the Travelers Cyber Academy® Podcast.

Learn From The Experts

Small businesses are even less prepared.

The likelihood of a cyber event happening is not based on the size of a company. Many times, bad actors target existing vulnerabilities, meaning small businesses could be even more at risk.

85%do not use EDR
83%do not have a post-breach team
73%do not have an IR plan
61%DO NOT USE MFA FOR REMOTE OR ADMIN ACCESS

STEPPING UP YOUR PROTECTION

Being prepared is still the best defense against cyber threats. And businesses that suffered a cyber event said their company took at least one of these five preventative steps to boost their cybersecurity.

  1. Backed up data (61%)

  2. Kept systems up to date (61%)

  3. Implemented Multifactor Authentication (MFA) (56%)

  4. Created an incident response (IR) plan (48%)

  5. Used an Endpoint Detection & Response (EDR) tool (42%)

Want to help protect your business?

Why Implement Multifactor Authentication? Video
Download Video Transcript

Cyber Insurance

Prepare your business with cyber insurance coverage and solutions.

74%

74% of business leaders think having cyber insurance is critical…

…yet not all businesses have purchased the protection.

No matter the size or industry of the business, many are left vulnerable without cyber insurance:

A pie graph increases from 0 to 66%
66%
Small businesses

without cyber insurance

A pie graph increases from 0 to 26%
26%
Mid-sized businesses

without cyber insurance

A pie graph increases from 0 to 28%
28%
Large businesses

without cyber insurance

Industries

Many of the businesses in these industries said they do not have cyber insurance to help protect their business assets.

  1. Banking 26% without cyber insurance

  2. Construction 52% without cyber insurance

  3. Healthcare 41% without cyber insurance

  4. Manufacturing 31% without cyber insurance

  5. Nonprofit 38% without cyber insurance

  6. Professional Services 38% without cyber insurance

  7. Real Estate 53% without cyber insurance

  8. Retail 35% without cyber insurance

  9. Technology 30% without cyber insurance

  10. Transportation 52% without cyber insurance

  11. Wholesale 38% without cyber insurance

What Every Business Leader Should Know

  • What is Cyber Liability Insurance?

    Cyber liability insurance provides a combination of coverage options and services to help protect businesses against data breaches and other cyber events, as well as recover quickly if cyberattack does take place.

  • What Does Cyber Insurance Cover?

    Cyber liability insurance can help cover costs associated with data breaches and cyberattacks. Those costs can include such things as lost income due to a cyber event, notifying customers affected by a breach, recovering compromised data, repairing damaged computer systems and more.

  • Who Needs Cyber Liability Insurance?

    Any type of business or organization that uses technology faces cyber risk. As technology becomes more complex and sophisticated, so do the cyber threats. This is why every business and organization needs to be prepared with both cyber liability insurance and an effective cybersecurity plan to help manage and mitigate cyber risk.

  • Why Travelers for Cyber Liability Insurance?

    Travelers cyber coverage can be a crucial safeguard against the potentially devastating financial consequences of a cyberattack. Travelers offers customized solutions depending on your business’ level of risk, with coverage options to address:

    • forensic investigations,
    • litigation expenses,
    • regulatory defense expenses/fines,
    • crisis management expenses,
    • business interruption,
    • cyber extortion, and
    • betterment

    Travelers also provides its cyber insurance policyholders with access to various tools and resources to help manage and mitigate their cyber risk – pre-breach and post-breach.

Travelers has long been committed to managing and mitigating cyber risk, with a dedicated team of underwriters, claim professionals and risk control specialists who work to help insure and protect customers’ assets.

Learn more about how Travelers can help businesses prepare for and prevent cyber threats.

Get Ahead of Cyber Risks