Privacy & Security

Sections:

Travelers Cybersecurity Practices

Travelers Cybersecurity Practices

At Travelers, we take a comprehensive and multifaceted approach to protect information in our care and assist our customers in safeguarding their digital assets. We use administrative, technical and physical safeguards to protect information in our care. We have established a wide range of comprehensive data security protections and maintain a data risk management strategy that includes monitoring emerging security threats and assessing appropriate responsive measures.

Organizational Structure

The Travelers Cybersecurity department is led by the Chief Information Security Officer (CISO), who has responsibility for cybersecurity, risk and business continuity programs. The CISO reports to the Chief Information Officer and is a member of the enterprise risk team. The CISO provides quarterly updates on the cybersecurity, risk and business continuity programs to the Board of Directors and executive management. Our security team is comprised of over 100 trained individuals, many of whom hold advanced industry certifications.

Policy and Governance

We embed data protection throughout our operations and technology programs with the goal of safeguarding our customer data and digital assets. As a foundation to this approach, Travelers maintains a comprehensive set of cybersecurity policies and standards, which align with the International Organization for Standardization (ISO) 27001 standard and the National Institute of Standards and Technology (NIST) Cybersecurity Framework. Our cybersecurity policies and standards have been developed in collaboration with groups across the enterprise, such as Legal, Compliance and each of our business segments. Our policies include Information and System Use policies for employee and non-employee system users. These policies reinforce the data privacy and protection sections of our Code of Business Conduct and Ethics.

On an annual basis, Travelers undergoes an SSAE 18 SOC 2 (Statement on Standards for Attestation Engagements No. 18 Service Organization Control 2 report) examination conducted by an independent external firm. In addition, we regularly self-assess against our internal policies, using our internal risk assessment process and a variety of other frameworks, such as the New York Department of Financial Services Cybersecurity Requirements for Financial Services Companies, the Insurance Data Security Model Law as adopted by various states and the Payment Card Industry Data Security Standard. We endeavor to comply with all applicable privacy regulations, including but not limited to the California Consumer Privacy Act. Our comprehensive and collaborative approach allows us to further the organizational culture of data security awareness, the effectiveness of data governance and the responsiveness to evolving data management protocols.

Technology

Travelers uses sophisticated technologies and tools to protect information, including but not limited to multifactor authentication, encryption, firewalls, intrusion detection and prevention systems, endpoint detection and response, vulnerability and penetration testing and management, and identity and access management systems. Our identity and access management systems employ both commercial authentication products from leading companies and internally developed systems based on prevailing industry standards. We include periodic recertification access for individuals who access our key data, and we utilize multifactor authentication based on the level of risk. We monitor our network for anomalies, and our Security Operations Center responds to those anomalies.

In addition, we participate in vulnerability information-sharing networks, such as the Financial Services Information Sharing and Analysis Center (FS-ISAC). We also track industry and government intelligence sources for impact in the marketplace and deploy updates as necessary.

Travelers has a robust software patch management process that includes risk assessment and risk-based update schedules. These systems are designed, implemented and maintained with the goal of providing a high level of security for sensitive data.

As the workforce and the work environment continue to evolve, Travelers also continues to evaluate related risks and implement appropriate controls.

Training & Awareness

As part of our annual Code of Business Conduct and Ethics training, all Travelers employees receive data protection and privacy training, which focuses on the need to appropriately protect and secure confidential company information. Additionally, we provide annual security awareness training that covers a broad range of security topics, from secure access practices and social engineering to working remotely and reporting suspicious activities. We also provide regular targeted training on topics such as phishing and secure application development, among others. In addition to online training, we educate our employees through a number of methods, including event-triggered awareness campaigns, recognition programs, security presentations, company intranet articles, videos, system-generated communications, email publications and various simulation exercises. In addition, based on role, certain Travelers contractors receive additional relevant cybersecurity training.

Third Party Relationships

As part of our supplier risk management program, we conduct cybersecurity diligence and oversight of our third-party vendors. Prior to the commencement of services, our Cybersecurity team identifies vendors that will have access to and/or process Travelers data, and performs risk-based assessments that produce a risk rating. Using this risk-based approach, the Cybersecurity team conducts formal risk assessments on certain providers and partners. The team conducts reassessments on a regular basis, the frequency of which is determined based on a risk assessment and rating process. The assessment process utilizes a comprehensive questionnaire, which addresses aspects of the vendors’ data security controls and policies, including business continuity, as well as on-site evaluations for higher-risk relationships.

Where appropriate, Travelers seeks to incorporate contractual language with third parties that includes clear terms involving the collection, use, sharing and retention of user data, including data transferred to third parties. These contracts also generally require parties with whom data is shared to comply with the company’s security policy or equivalent.

Incident Response

Travelers has a Security Incident Response Framework in place. The framework is a set of coordinated procedures and tasks that the Travelers Incident Response team executes with the goal of ensuring timely and accurate resolution of computer security incidents. To maintain the robustness of the framework, we conduct tabletop testing exercises several times a year, using risk analysis to select which components of the plan to test.

Compliance

Our cybersecurity framework includes regular compliance assessments with Travelers policies and standards and applicable state and federal statutes and regulations. We validate compliance with our internal data security controls through the use of security monitoring utilities and internal and external audits. In addition, we proactively perform self-assessments against regulatory frameworks such as the NIST Cybersecurity Framework.

Additional information regarding privacy and security at Travelers, including our Privacy Statements, is available on our website.