
The Travelers Risk Index

The Travelers Risk Index provides an annual snapshot of risk viewpoints from over 1,200 business decision makers across the country.

This 2022 survey looks at the top concerns of U.S. businesses and how companies are dealing with the risks they face every day. The survey participants represent small, mid-sized and large businesses from a variety of industries including construction, real estate, healthcare, technology, retail, transportation, wholesalers, professional services, manufacturing, banking/financial services, publicly traded, nonprofit and public sector.

Overall Business Risk Concerns

Worries about broad economic uncertainty, fluctuations in oil and energy costs, the ability to attract and retain talent and supply chain risks have all increased substantially compared to a year ago.

Despite the current environment and challenges businesses face …

  • Inflation at highest levels in 40 years

  • Millions of employees resigning

  • Unprecedented global supply chain challenges

  • Rapid changes in oil and energy costs

… the #1 overall business concern is Cyber Risks.


In the ninth installment of the Travelers Risk Index, 67% of survey participants said they believe the business world is riskier than it was a year ago.

Participants considered the overall amount of risk faced every day, including risks to employees’ and customers’ safety, business property, financial well-being and general business risks.

Business leaders were asked what their biggest business concern was, choosing from a list of concerns including workforce changes, extreme weather, US trade policy, corporate reputation, intellectual property (IP) risks, benefit cost inflation, legal liability, environmental concerns, global economy, financial issues, regulatory concerns and supply chain risks. The top 5 concerns among businesses of all sizes and all industries are:

Company size
  1. Cyber risks (59%)

  2. Broad economic uncertainty (57%)

  3. Fluctuations in oil/energy costs (56%)

  4. Ability to attract/retain talent (56%)

  5. Medical cost inflation (55%)

  1. Cyber risks (62%)

  2. Increased employee benefit costs (61%)

  3. Ability to attract/retain talent (59%)

  4. Medical cost inflation (59%)

  5. Supply chain risks (58%)

  1. Cyber risks (62%)

  2. Ability to attract/retain talent (61%)

  3. Medical cost inflation (57%)

  4. Broad economic uncertainty (55%)

  5. Fluctuations in oil/energy costs (55%)

  1. Broad economic uncertainty (61%)

  2. Fluctuations in oil/energy costs (57%)

  3. Cyber risks (54%)

  4. Medical cost inflation (51%)

  5. Supply chain risks (51%)

More than half (57%) of the participants think it is inevitable that their business will be a victim of a cyber attack.

Cyber Concerns and Victimization

Cyber attacks are not random, and a single attack can shut a company down for a long period of time or, worse, put it out of business.

Cyber criminals target companies with certain vulnerabilities. We surveyed business leaders representing a variety of business sizes and industries to understand their viewpoints about cyber risks and threats that exist.

No matter the size of business or industry, business leaders share similar cyber concerns.

Some of their biggest concerns include

Company size
57%

Security breach/someone hacking

55%

System glitch causing organizations’ computers to go down

54%

Becoming an extortion/ransomware victim

What is ransomware?

It’s a form of malicious software (“malware”) used by cyber criminals to obtain access to a victim’s network. They can use it to steal data, commit fraud or launch a ransomware attack. This type of attack encrypts a company’s computer system and data and allows the criminals to demand a ransom in return for a decryption key.

53%

Unauthorized access to financial accounts

53%

Security breach/system glitch at a vendor

53%

Having the resources and know-how to recover from cyber-related events

67%

Security breach/someone hacking

67%

System glitch

66%

Becoming an extortion/ransomware victim

64%

Employees putting information/systems at risk

63%

Security breach/system glitch at a vendor

61%

Theft/loss of customer/client records

59%

Security breach/system glitch at a vendor

59%

Having the resources and know-how to recover from cyber-related events

58%

Security breach/someone hacking

57%

System glitch

55%

Becoming an extortion/ransomware victim

55%

Unauthorized access to financial accounts

47%

Unauthorized access to financial accounts

46%

Security breach/someone hacking

43%

System glitch

43%

Becoming an extortion/ransomware victim

40%

Having the resources and know-how to recover from cyber-related events

40%

Failure to operate business/lost income

Given the increase in remote working there is a new set of cyber threats that business leaders are concerned about.

For instance, employees may inadvertently put systems at risk when accessing their email remotely and bad actors may exploit open ports to infiltrate a network, which can lead to ransomware attacks and other cybercrime schemes.


Ransomware is a growing threat that is gaining the attention of more and more business leaders.

What was the 8th biggest concern in 2019 is the 3rd biggest concern today.

Recently, ransomware attackers have become more aggressive, asking businesses to pay six, seven and even eight-figure ransoms. These criminals are deleting backups, and in some cases, threatening to disclose sensitive or confidential data, making it harder for businesses to recover from such an attack.

Victimization by the Numbers

The 2022 Travelers Risk Index can confirm that business leaders have good reason to be worried. For the seventh consecutive year, the number of businesses reporting being victimized by a cyber event has increased.

A pie graph increases from 10% to 26% showing a 160% increase.

Since 2015

There has been a 160% increase in the percentage of businesses stating they have experienced a cyber event.

In 2022

26% of those surveyed said their company had been a cyber victim, with nearly half reporting the event happened within the past 12 months.


And businesses that are attacked once have a 71% chance of getting attacked again.

Percentage of businesses reporting incidents, by number of cyber incidents:

  • Four+: 13%

  • Three: 21%

  • Two: 37%

  • One: 29%

“These cyber events are not random – if a business was vulnerable before and didn’t take appropriate action as a result, they continue to be at risk. It’s important to take the prospect of a cyber attack seriously and to put the business in position to successfully manage a likely event.”
Tim Francis, Travelers Enterprise Cyber Lead

The top 5 cyber events that businesses are experiencing.

A security breach continues to be the most frequently cited cyber event, followed by employees putting information/systems at risk, a company being the target of cyber extortion/ransomware, a system glitch causing organizations’ computers to go down and theft or loss of control of customer or client records.

  1. Security Breach (38%)

  2. Employees putting information/systems at risk (33%)

  3. Extortion/ransomware (28%)

  4. System glitch (27%)

  5. Theft or loss of customer/client records (26%)

Cyber Preparedness

Effective measures that have proven to reduce the risk of becoming a cyber victim are available, but based on these survey results, not enough companies are taking action. In fact, businesses of all sizes seem to be overconfident in navigating the evolving cyber landscape, which may cause a false sense of security.

Many businesses are not prepared.

93% of businesses report that they are confident that they have implemented best practices to prevent or mitigate a cyber event.

Yet, most businesses have not implemented basic prevention measures.

More than 25% of businesses are not even implementing the most basic practices, such as firewall/virus protection, data backup and password updates.


64% do not use endpoint detection and response (EDR)

What is Endpoint Detection and Response (EDR)?

EDR can help protect and monitor an enterprise network by identifying suspicious activity before the rest of the corporate network is exposed to unnecessary risk. An EDR solution can provide far greater capabilities than a traditional antivirus solution as it monitors for anomalous behavior on each system rather than simply searching for malware.

To help, Travelers CyberRisk policyholders receive access to the SentinelOne™ EDR Platform for 60 days at no additional cost.

53% do not have an incident response (IR) plan

What is an IR Plan?

An IR plan is a document that outlines an organization’s procedures, steps and responsibilities in the event of a cyber event. It prioritizes mission critical functions, identifies the IT systems that support them and documents recovery and response actions to help quickly restore operations. A well-designed IR plan is a living, breathing document that should be regularly reviewed and updated.

As part of the Travelers eRiskHub®, a web portal for CyberRisk policyholders, an incident response planning roadmap is available as well as other IR planning services and resources.


63% do not have a post breach team on retainer as part of an incident response (IR) plan

How can a post-breach team help?

When a business suffers a cyber event, minutes matter. Experienced teams of specialized professionals such as data breach coaches, digital forensics experts and public relations professionals, can be engaged to help an organization manage the fallout of an attack. To expedite the process, consider identifying a post breach team prior to a cyber event, and even keeping the team on retainer as part of your organization’s IR plan.

Through our experience and knowledge, Travelers offers CyberRisk policyholders expert resources, including a data breach coach.

48% do not use Multifactor Authentication (MFA) for remote or admin access

What is Multifactor Authentication (MFA)?

MFA is a security method that requires the use of two or more authentication factors to verify a user’s identity prior to gaining access to an organization’s network, access to their email remotely or access to privileged or administrative accounts.

According to Microsoft, 99.9% of account compromise attacks can be blocked by MFA.[1]

The top reasons provided by respondents for not using MFA:

  • MFA is too inconvenient for users

    MFA is simple for businesses to implement and typically requires no external hardware. Once established, the use of a secondary identification method such as a token simplifies the authentication process for users while dramatically improving the security of your network.

  • There are other controls in place

    Traditional anti-virus software is no longer sufficient to protect a company’s network. A multi-faceted approach to cybersecurity – including MFA – is essential to protect against these ever-evolving cyber threats.

  • They don’t know what options exist

    MFA options can vary, so to help, Travelers offers its CyberRisk policyholders access to a one-hour consultation with an HCL Technologies Security Coach who can provide much-needed expertise and help pave the way for a stronger cybersecurity program.

Listen to Tim Francis, Enterprise Cyber Lead, and Ken Morrison, Cyber Risk Management, discuss what MFA is, how it can help protect a business and what an organization should consider when implementing this added layer of protection in this edition of the Travelers Cyber Academy® Podcast.

Small businesses are even less prepared.

The likelihood of a cyber event happening is not based on the size of a company. Many times, bad actors target existing vulnerabilities, meaning small businesses could be even more at risk.

  • 84% do not use EDR

  • 77% do not have a post breach team

  • 74% do not have an IR plan

  • 58% do not use MFA

STEPPING UP YOUR PROTECTION

Being prepared is still the best defense against cyber threats. And businesses that suffered a cyber event said their company took at least one of these five preventative steps to boost their cybersecurity.

  1. Backed up data (68%)

  2. Kept systems up to date (67%)

  3. Implemented Multifactor Authentication (MFA) (53%)

  4. Created an incident response (IR) plan (48%)

  5. Used an Endpoint Detection & Response (EDR) tool (46%)


Cyber Insurance

Prepare your business with cyber insurance coverage and solutions.


72% of business leaders think having cyber insurance is critical…

…yet not all businesses have purchased the protection.

No matter the size or industry of the business, many are left vulnerable without cyber insurance:

  • Small businesses without cyber insurance: 62%

  • Mid-sized businesses without cyber insurance: 33%

  • Large businesses without cyber insurance: 28%

Almost half of the businesses in these industries said they do not have cyber insurance to help protect their business assets.

  • Real Estate

  • Healthcare

  • Retail

  • Wholesale

  • Professional Services

  • Nonprofit

  • Public Sector



What Every Business Leader Should Know

  • What is Cyber Liability Insurance?

    Cyber liability insurance provides a combination of coverage options and services to help protect businesses against data breaches and other cyber events, as well as recover quickly if a cyber attack does take place.

  • What Does Cyber Insurance Cover?

    Cyber liability insurance can help cover costs associated with data breaches and cyber attacks. Those costs can include such things as lost income due to a cyber event, notifying customers affected by a breach, recovering compromised data, repairing damaged computer systems and more.

  • Who Needs Cyber Liability Insurance?

    Any type of business or organization that uses technology faces cyber risk. As technology becomes more complex and sophisticated, so do the cyber threats. This is why every business and organization needs to be prepared with both cyber liability insurance and an effective cyber security plan to help manage and mitigate cyber risk.

  • Why Travelers for Cyber Liability Insurance?

    Travelers cyber coverage can be a crucial safeguard against the potentially devastating financial consequences of a cyber attack. Travelers offers customized insurance solutions depending on your business’ level of risk, with coverage options available to address:

    • forensic investigations,
    • litigation expenses,
    • regulatory defense expenses/fines,
    • crisis management expenses,
    • business interruption,
    • cyber extortion, and
    • betterment

    Travelers also provides its cyber insurance policyholders with access to various tools and resources to help manage and mitigate their cyber risk — pre-breach and post-breach.

Travelers has long been committed to managing and mitigating cyber risk, with a dedicated team of underwriters, claim professionals and risk control specialists who work to help insure and protect customers’ assets.
