Travelers finds cyber threat concerns, but less proactive action

di-travelers-031317
The Travelers Insurance Co. office building in Hartford, Connecticut in 2015.
Ron Antonelli/Bloomberg

Cyber threats are the top concern for business leaders – for the fourth time in six years, according to the latest annual Travelers Risk Index. Travelers has a specific interest in cyber breaches, having acquired Corvus, a cyber insurance company, last year. This gave Travelers the capability to catch and respond faster to cyber threats against its cyber insurance policyholders. Travelers can also summon third parties for these policyholders to respond to breaches or problems. Digital Insurance spoke with Tim Francis, enterprise cyber lead at Travelers, about the increasing concerns with cybersecurity, what issues are causing these concerns, and how insurers and the businesses they cover are reacting to these developments.

This interview has been edited for length and clarity.

How is the Risk Index compiled?

Tim Francis, enterprise cyber lead, Travelers
Tim Francis, enterprise cyber lead, Travelers
We surveyed several thousand entities. They're not Travelers customers. They represent a diverse section of industries and size of potential customers, size of organizations. We're asking the survey respondents a whole range of things -- what's on their mind as business owners, topics such as the cost of health care, employee retention and the like. They have a range of things to pick from, and cyber is still number one, or often number one. That speaks to the magnitude of events taking place, and the severity of events when they occur. We asked specifically, what are you concerned about? What types of cyber events are you concerned about? We give them a range of choices, and ransomware is always in the top 10. The fact that everybody's concerned isn't surprising, and to some extent, that's healthy.

What stood out to you in the findings?

People should be concerned. More people should be concerned than actually say they are. Those that aren't concerned probably ought to be at least a little concerned. That doesn't mean that they should be panicked about it, because you can take appropriate steps to reduce the chances of being a cyber victim. As much as people are concerned, there's still too many of those that respond that really haven't done enough of the basic blocking and tackling in terms of security controls.

Roughly half have multi-factor authentication (MFA). Lack of MFA is probably the single biggest indicator of whether somebody's going to have an event or not. Endpoint detection and response EDR software – 50% don't use it. About 50% don't have an incident response plan. There are basic and even minimal kinds of things that any organization should have. We still have an education gap.

How many said their company has experienced a cyber event?

We've seen an increase in numbers that have had more than one cyber event. About 25% of the responders had a cyber event, and for more than half, that event took place in the last year. So we are definitely seeing that this is an increasing trend, and really it's across a diverse section of responders. Whether you're small, medium or large, regardless of the industry you're in -- certain industries maybe have a little bit more frequency than others, but virtually every industry's got organizations in it that have had cyber events.

Is ransomware still the biggest threat, or have other cyber threats increased?

We see a lot of social engineering claims. We see a lot of business email compromise. We see a lot of ransomware. In those three buckets are the major sources of claims that we see. Ransomware tends to be the most financially impactful, and most chaotic in needing the resources that an insurance company provides. 

That's not just paying the ransom. We can do that if necessary, and probably we only pay a ransom about 15 to 20% of the time that a ransom is commanded. Most of the time we don't. Most of the time we can help an organization either negotiate their way out of it or help them remediate through their backup system without paying. That's in everybody's best interest, but that's a complicated process. Or even when you pay the ransom and you have a decryption key, being able to bring somebody back online is complicated. It's not just flipping a switch, so having that access to networks is important.

The Risk Index shows a slight uptick in those buying cyber policies. What does that mean for insurers?

The larger organizations will have a higher percentage that do purchase cyber insurance. The smaller down revenue you go, the less likely. But 65% buying policies [according to the index] is exceptionally high. It should be 100%. I'm pleasantly surprised at 65. I can recall when it was 40% or less. [in 2018, it was 39%].

That speaks to awareness of the issues, which makes sense, given how top of mind the threat is. We're making inroads on people appreciating the value of an insurance product, not just the financial backstop and not just the services. We've made a lot of investments in the ability to help our customers identify vulnerabilities before they become events. 
Correction
This story has been updated to correctly cite figures that are in the Risk Index.
November 20, 2024 11:46 AM EST