TRAVELERS COMPANIES, INC. - (TRV)

10-K Filing Date: February 15, 2024
Item 1C. CYBERSECURITY
Risk management and strategy
The Company has implemented technologies and tools to evaluate its cybersecurity protections and maintain a cyber risk management strategy related to its technology infrastructure that includes monitoring emerging cybersecurity threats and assessing appropriate responsive measures.
Risk Identification
The Company’s Chief Information Security Officer (“CISO”) and Cybersecurity team are actively engaged within the cybersecurity community in order to monitor emerging trends and developments and share best practices for identifying and mitigating cyber threats. For example, the Company participates in threat intelligence information-sharing networks, such as the Financial Services Information Sharing and Analysis Center (FS-ISAC). The Company also tracks industry and government intelligence sources for information about evolving cyber threats and deploys updates to its systems, as appropriate. The Company’s Cybersecurity team monitors and investigates suspicious events.
Risk Assessment
The Company performs an annual cybersecurity risk and control assessment as part of the Enterprise Risk Management team’s risk assessment processes. The CISO and the Company’s Chief Technology and Operations Officer review and approve the cybersecurity assessment. In addition, as part of their regular responsibilities, the Company’s Governance, Risk and Compliance officers within its Technology and Cybersecurity groups assess technology and cybersecurity risks by leveraging the Company’s risk framework related to technology and cybersecurity, which aligns with the Company’s enterprise risk management strategy.
On an annual basis, under the direction of the Company’s Chief Risk Officer, the Company’s Technology, Cybersecurity and Business Resiliency groups also participate in the enterprise-wide Own Risk and Solvency Assessment (“ORSA”), which outlines identified risks and describes the controls in place across the Company to address those risks. The ORSA is reviewed with the Company’s lead regulator, the State of Connecticut Department of Insurance, which in turn performs periodic financial examinations, including a technology control assessment.
In addition, the Company regularly self-assesses against its internal policies, using its internal risk assessment process and a variety of frameworks, such as the New York Department of Financial Services Cybersecurity Requirements for Financial Services Companies, the Insurance Data Security Model Law as adopted and modified by various states and the Payment Card Industry Data Security Standard.
As the workforce, the work environment and the threat landscape continue to evolve, the Company seeks to evaluate related risks and implement appropriate controls.
Risk Management
The Company maintains cybersecurity policies and standards which align with the International Organization for Standardization (ISO) 27001 standard and the National Institute of Standards and Technology (NIST) Cybersecurity Framework. The Company’s cybersecurity policies and standards have been developed in collaboration with groups across the enterprise, such as Legal, Compliance and each of its business segments. The Company’s policies include, for example, Information and System Use policies for employee and non-employee system users. These policies reinforce the data privacy and protection sections of the Company’s Code of Business Conduct and Ethics.
The Company uses technologies and tools, as appropriate, to enhance cybersecurity, such as multifactor authentication, encryption, firewalls, intrusion detection and prevention systems, endpoint detection and response, vulnerability scanning, penetration testing, patch management and identity and access management systems. These systems are designed, implemented and maintained with the goal of identifying, assessing and managing cybersecurity risks. In addition to its internal cybersecurity team, the Company uses internal and external auditors and, as appropriate, third-party consultants, service providers and assessors to review and test its processes.
To help manage risk from potential cybersecurity threats, as part of the annual Code of Business Conduct and Ethics training, all Company employees receive data protection and privacy training, which focuses on the need to appropriately protect and secure confidential Company information. Additionally, the Company provides annual security awareness training that covers a broad range of security topics. The Company also provides regular targeted training on topics such as phishing and secure application development, among others. In addition to online training, employees are provided with cybersecurity related information through a number of different methods, including event-triggered awareness campaigns, recognition programs, security presentations, intranet articles, videos, system-generated communications, email publications and various simulation exercises.
The Company has a Security Incident Response Framework in place. The framework is a set of coordinated procedures and tasks that the Company’s Incident Response team, under the direction of the CISO, executes with the goal of ensuring timely and effective resolution of cybersecurity incidents. To maintain the robustness of the framework, from time to time the Company conducts cybersecurity tabletop testing exercises.
As part of the Company’s supplier risk management program, using a risk-based approach, the Cybersecurity team conducts formal risk assessments with respect to certain of the Company’s third-party service providers. The assessment process addresses aspects of the service providers’ data security controls and policies. The team also conducts reassessments of its third-party risk assessments, the frequency of which is determined based on a risk assessment and rating process. Where appropriate, the Company seeks to incorporate contractual language with third-party service providers that includes clear terms involving the collection, use, sharing and retention of user data, as well as compliance with appropriate security terms.
To date, the Company does not believe that any risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected the Company, including its business strategy, results of operations, or financial condition. As discussed more fully under “Item 1A—Risk Factors”, the sophistication of cyber threats continues to increase, and the preventative actions the Company takes to reduce the risk of cyber incidents and protect its systems and information may be insufficient. No matter how well designed or implemented the Company’s cybersecurity controls are, it will not be able to anticipate all security breaches, and it may not be able to implement effective preventive measures against cybersecurity breaches in a timely manner. See “Item 1A—Risk Factors—If we experience difficulties with technology, data and network security (including as a result of cyber attacks), outsourcing relationships or cloud-based technology, our ability to conduct our business could be negatively impacted.”
Governance
The Risk Committee of the Board, consistent with its charter, reviews and discusses with management the strategies, processes and controls pertaining to the management of the Company’s information technology operations, including cyber risks and cybersecurity. The CISO typically provides quarterly updates regarding cybersecurity and cyber risk to executive management and the Risk Committee of the Company’s Board of Directors.
The CISO leads the Company’s cybersecurity department. The CISO reports to the Chief Technology and Operations Officer and is a member of the Enterprise Risk team and the Company’s Disclosure Committee. The CISO has over 20 years of cybersecurity and information security risk compliance and threat analysis experience. Prior to joining the Company in 2023, the CISO served as Chief Security Officer for a national telecommunications service provider. Under the direction of the CISO, the Company’s Cybersecurity department analyzes cybersecurity and resiliency risks to the Company’s business, considers industry trends and implements controls, as appropriate, to mitigate these risks. This analysis drives the Company’s long- and short-term strategies, which are executed through a collaborative effort within Technology, Cybersecurity and Business Resiliency and are communicated to the Risk Committee of the Board of Directors on a regular basis.