Privacy & Security

Organizational Structure

The Travelers Cybersecurity department is led by the Chief Information Security Officer (CISO), who has responsibility for cybersecurity, risk and business continuity programs. The CISO reports to the Chief Information Officer and is a member of the enterprise risk team. The CISO provides quarterly updates on the cybersecurity, risk and business continuity programs to the Board of Directors and executive management. Our security team is comprised of over 100 trained individuals, many of whom hold advanced industry certifications.

Policy and Governance

At Travelers, data protection is embedded throughout our business operations and information technology program. Our goal is to provide a disciplined approach to safeguarding our customer data and company information assets. As a foundation to this approach, Travelers maintains a comprehensive set of cybersecurity policies and standards which have been developed in collaboration with a wide range of disciplines, such as information technology, cybersecurity, legal, compliance and business. Annually, Travelers undergoes an SSAE 18 SOC 2 examination by an independent external audit firm. In addition, we continuously self-assess against our internal policies, which are in alignment with and based upon ISO 27001, using our internal risk assessment process and a wide variety of frameworks and regulations available, such as the NIST Cybersecurity Framework, New York Department of Financial Services Cybersecurity Requirements for Financial Services Companies, and the Payment Card Industry Data Security Standard. Our comprehensive and collaborative approach allows us to further the organizational culture of data security awareness, the effectiveness of data governance and the responsiveness to evolving data management protocols.

Technology

Travelers utilizes sophisticated tools designed to protect information through the use of technology including: multifactor authentication, firewalls, intrusion detection and prevention systems, vulnerability and penetration testing, and identity management systems. We implement encryption using a risk-based approach. Our identity and access management systems employ both commercial authentication products from leading companies as well as internally developed systems based on prevailing industry standards. We include periodic recertification access for key data, and we utilize multifactor authentication based on the level of risk. We monitor events to understand exceptions to normal processing and then act on those anomalies. We participate in vulnerability information sharing networks and track industry and government intelligence sources for impact in the marketplace and deploy necessary updates as appropriate. Travelers has a robust software patch management process that includes risk assessment and risk-based update schedules. These systems are designed, implemented and maintained to provide a high level of security to safeguard sensitive data.

Training

Travelers provides its employees with data security awareness, education and training. Travelers has a team of cybersecurity personnel engaged in data risk management education and ongoing training to employees with access to Travelers information assets. Our annual security awareness training covers a broad range of security topics from password protection and social engineering to privacy and compliance. We provide ongoing training via computer-based training, targeted training, security materials and presentations, company intranet articles, email publications and various simulation exercises.

Third Party Relationships

Travelers utilizes a comprehensive cybersecurity diligence and oversight process for its third party vendors. This process is a component of Travelers' supplier management program. Prior to the commencement of services, Cybersecurity performs a risk/rating assessment of all vendors that will have access to and process Travelers data and conducts formal, comprehensive risk assessments on certain service providers based on the risk/rating assessment. Re-assessment occurs on an ongoing basis, the frequency of which is determined based on a risk assessment and rating process. The assessment process utilizes a comprehensive questionnaire which addresses aspects of the vendors' data security controls and policies, including business continuity, as well as onsite assessments for higher risk relationships.

Incident Response

Travelers has implemented a Security Incident Response Framework. The framework is a set of coordinated procedures and tasks that will be executed by the Travelers incident response team to ensure timely and accurate resolution of computer security incidents. Travelers uses risk analysis to select components of the plan to test. We conduct tabletop exercises, testing components of the plan several times annually.

Compliance

Travelers expects all employees to act in accordance with the highest standards of personal and professional integrity in all aspects of their employment and to comply with all applicable laws and Travelers policies.

Our cybersecurity framework includes regular compliance assessments with Travelers policies and standards and applicable state and federal statutes and regulations. Compliance with our internal data security controls is validated through the use of security monitoring utilities and through rigorous internal and external audits. In addition, we proactively perform self-assessments against regulatory frameworks such as the NIST Cybersecurity Framework.