Five Questions About Cybersecurity for Joan K. Woodward of Travelers

Just like with hurricanes or tornadoes, even if your business isn't directly affected, you want to be prepared.
November 26, 2024

In early November, Dan Reynolds, the editor-in-chief of Risk & Insurance, spoke with Joan K. Woodward, executive vice president for Public Policy and president of the Travelers Institute. At the end of October, the Travelers Institute hosted a live cybersecurity symposium in King of Prussia, Pennsylvania, in an effort to further educate agents, brokers, and the broader business community about how to anticipate and respond to evolving cyber threats. Woodward was also a keynote speaker at the recent PLUS Conference in Chicago.

Risk & Insurance: Very nice to meet you, Joan. What can you tell us about your recent efforts around cybersecurity?

Joan K. Woodward: About 10 years ago, cyber insurance emerged as a new product in the insurance industry. At the time, we felt that many agents, brokers, and customers were unaware of the cyber risks and threats to their businesses.

Given my background working on Capitol Hill for 12 years, I proposed partnering with the Department of Homeland Security to assess the cyber threats faced by private sector businesses, particularly those contracting with government agencies. Our goal was to provide educational resources through the Travelers Institute, a think tank I run at Travelers.

We take on significant public policy questions and problems, aiming to help consumers, with our agent and broker population being our primary target for education and awareness. We decided to launch the “Cyber: Prepare, Prevent, Mitigate, Restore” initiative to address this need.

The Travelers Institute is not just a think tank; we’re a “do tank.” We actively engage with the community through live in-person symposiums, educational events, and webinars. Over the past four years, we’ve conducted about 130 webinars, with 20 to 30 focusing specifically on cybersecurity.

These webinars often feature officials from the Department of Homeland Security, CISA (Cybersecurity and Infrastructure Security Agency), the FBI, and small business experts. Small businesses are a significant target for cyberattacks, despite often believing they are unlikely to be hacked.

R&I: What key insights did you glean from your recent survey of the cyber risk landscape and business preparedness in the Philadelphia area?

JW: The survey revealed some interesting findings about the cyber risk landscape in Philadelphia. Sixty percent of respondents believe it’s inevitable that their business will fall victim to a cyberattack, likely influenced by the fact that 32% have already experienced a data breach or cyberattack.

Optimistically, 78% of businesses surveyed are extremely confident in their ability to handle a cyber breach. However, it’s unclear whether this confidence stems from having cyber insurance or a misplaced sense of resilience.

The survey also examined businesses’ cyber hygiene practices. 83% require regular computer password updates, 82% use firewall or virus protection, and 78% regularly train and test their employees. Impressively, 73% reported having cyber insurance.

However, only 76% use multifactor authentication (MFA), which should be closer to 100% as it’s a fundamental security measure. 84% expressed a desire for more information about cybersecurity, and 64% have participated in a cyber risk assessment for their business, such as those offered free by the Department of Homeland Security and CISA.

R&I: There is coverage available to pay a ransom in a cyberattack, isn’t there?

JW: Yes, if there’s an insurable risk, we will provide coverage for it. Cyber risk is a constantly evolving business risk that has grown and changed, with tactics shifting from phishing during the pandemic to more ransomware attacks now.

Cyber criminals are becoming increasingly creative in their methods. For example, there was an incident where the CEO of a midsize business was sent a picture of his daughter’s location, which is a shocking and eye-opening new tactic. While the government’s position is not to pay ransoms, which is understandable as it rewards bad actors and encourages them to continue, if it’s a risk a business faces and it’s legal, we can insure it.

However, it’s important to note that you cannot pay a ransom to a country that’s on the OFAC (Office of Foreign Assets Control) list, which includes terrorist countries.

R&I: Based on the data, has there been a significant increase in awareness and progress in risk mitigation?

JW: Yes, absolutely. The use of multi-factor authentication (MFA) has increased dramatically. While we’d like to see it at 100%, the data shows it’s currently at 72%. Businesses are becoming more curious because they see their neighbors and fellow business owners falling victim to hacks and breaches, and they want to know how to protect themselves.

Just like with hurricanes or tornadoes, even if your business isn’t directly affected, you want to be prepared. Being prepared and resilient means having a plan of action to get back up and running, with insurance being the last line of defense. Before we insure a business with a cyber policy, the most important process is ensuring their cyber hygiene is clean, with protective practices and procedures in place.

This process has evolved significantly over the last 10 years, becoming very sophisticated. In 2021, President Biden held a summit at the White House with technology CEOs, and our CEO at Travelers, Alan Schnitzer, attended. This is because we have been outspoken about the need for cyber insurance and awareness, partnering with the Department of Homeland Security, the FBI, and the Small Business Administration.

Hosting these panels for the past 8 years has established us as a thought leader in this space, and it’s a lot of work. It’s not easy, but it’s crucial for the protection of businesses in the face of growing cyber threats.

R&I: What resources and advice would you offer to risk managers or insureds to help them continuously improve their cybersecurity posture?

JW: We have a cyber hub that provides information and education, including five cyber practices to help businesses reach their cybersecurity goals. By comprehensively following our advice on each of the five steps, businesses can significantly improve their cyber hygiene.

Additionally, I refer every business to CISA (the Cybersecurity Infrastructure and Security Agency). They offer invaluable services such as conducting tabletop exercises, scanning systems, and monitoring the dark web for any business-related information. It’s crucial to understand that cyber actors are highly sophisticated and can remain undetected in systems for 3 to 6 months before sending a ransomware demand.

These actors are well-informed about the businesses they target, including the amount of cyber insurance purchased. They strategically tailor their ransomware demands based on the insurance policy limits. A key piece of advice we give people is to avoid putting their insurance declaration page on the web, as it can be used against them.

At Travelers, we have taken on the responsibility of educating and raising cyber awareness, which has greatly benefited business owners and the industry as a whole. Our partnerships with governments at the federal, state, and local levels have been instrumental in this educational effort, as they have a significant stake in protecting critical infrastructure.

It’s important to recognize that critical infrastructure, such as the electrical grid, is owned by numerous private companies across different states. Ensuring that each of these companies maintains a high level of cyber hygiene is essential for the overall security of the infrastructure. Through our surveys, polls, and press coverage, we aim to raise awareness and contribute to the ongoing educational campaign.

Dan Reynolds is editor-in-chief of Risk & Insurance.